The attacker was able to reverse engineer the patch to create the exploit, SANS Internet Storm Center handler Bojan Zdrnja wrote Tuesday on the group's blog.
The targeted exploit arrives in a victim's inbox as a Word document containing code specially crafted to abuse the way IE7 handles certain types of content, said Paul Ferguson, threat researcher at Trend Micro. The code contains an ActiveX object that accesses a website hosting a downloader, which exploits the vulnerability.
The victim's machine is then hit with a backdoor trojan, capable of communicating via SSL encryption with a third-party server and harvesting data such as login credentials, he said.
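The attack chain described above starts with a Word document that carries an ActiveX object and reaches out to a remote site. The following triage check is an added example written for this page, not code from the article, Trend Micro or SANS: it opens an OOXML (.docx) container and reports the parts such a document would need, namely ActiveX control parts, embedded OLE objects, and package relationships that point to external http(s) targets. It assumes the OOXML container format (the article does not say which Word format was used); the sample documents it builds are constructed inline for illustration.

```python
import io
import re
import zipfile
import xml.etree.ElementTree as ET
from typing import Optional

# Namespace of OOXML package relationship files (word/_rels/*.rels)
REL_NS = "http://schemas.openxmlformats.org/package/2006/relationships"


def scan_docx(data: bytes) -> dict:
    """Inspect an OOXML Word document (a zip container) for the pieces a
    malicious document of the kind described in the article would need:
    embedded ActiveX controls, embedded OLE objects, and relationships
    whose target lies outside the package at an http(s) URL."""
    findings = {"activex_parts": [], "embedded_objects": [], "external_targets": []}
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for name in zf.namelist():
            lower = name.lower()
            if lower.startswith("word/activex/"):
                findings["activex_parts"].append(name)
            elif lower.startswith("word/embeddings/"):
                findings["embedded_objects"].append(name)
            if lower.endswith(".rels"):
                try:
                    root = ET.fromstring(zf.read(name))
                except ET.ParseError:
                    continue  # malformed rels part: skip, the zip listing still counts
                for rel in root.iter(f"{{{REL_NS}}}Relationship"):
                    target = rel.get("Target", "")
                    if rel.get("TargetMode") == "External" and re.match(r"(?i)https?://", target):
                        findings["external_targets"].append((name, target))
    return findings


def is_suspicious(findings: dict) -> bool:
    """ActiveX or OLE parts are the strong signal; external hyperlinks are
    common in benign documents, so they are reported only as context."""
    return bool(findings["activex_parts"] or findings["embedded_objects"])


def build_sample_docx(with_activex: bool, external_url: Optional[str]) -> bytes:
    """Build a minimal constructed .docx (hypothetical sample, not a real
    document) with or without an ActiveX part and an external relationship."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("[Content_Types].xml",
                    "<Types xmlns='http://schemas.openxmlformats.org/package/2006/content-types'/>")
        zf.writestr("word/document.xml",
                    "<w:document xmlns:w='http://schemas.openxmlformats.org/wordprocessingml/2006/main'/>")
        rels = [f"<Relationships xmlns='{REL_NS}'>"]
        if external_url:
            rels.append("<Relationship Id='rId9' "
                        "Type='http://schemas.openxmlformats.org/officeDocument/2006/relationships/hyperlink' "
                        f"Target='{external_url}' TargetMode='External'/>")
        rels.append("</Relationships>")
        zf.writestr("word/_rels/document.xml.rels", "".join(rels))
        if with_activex:
            zf.writestr("word/activeX/activeX1.xml",
                        "<ax:ocx xmlns:ax='http://schemas.microsoft.com/office/2006/activeX'/>")
            zf.writestr("word/activeX/activeX1.bin", b"\x00" * 16)
    return buf.getvalue()


if __name__ == "__main__":
    # Constructed samples: one plain document, one with an ActiveX part and
    # an external target (placeholder URL, not an indicator from the article).
    for label, doc in (("benign", build_sample_docx(False, None)),
                       ("activex+external", build_sample_docx(True, "http://example.invalid/dl"))):
        result = scan_docx(doc)
        print(label, "suspicious" if is_suspicious(result) else "clean", result)
```

Run against a mailbox quarantine folder, this kind of check separates documents that merely contain hyperlinks from those carrying ActiveX or OLE payloads, which are the ones worth detonating in a sandbox. Legacy binary .doc files are a different container (OLE2 compound files) and would need a separate parser.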
"As you well know from the whole Downadup/Conficker thing, cybercriminals are leveraging the fact that people don't apply patches in a timely manner," Ferguson said.
The malware appears to originate in China and may be the first inkling of a forthcoming spate of malicious emails targeting pro-Tibet groups, Ferguson said. Similar attacks occurred around this time last year.
"The 50th anniversary [of the failed Tibetan uprising against China] is right around the corner," he said. "Even though we haven't seen emails being targeted [against pro-Tibet groups], all of the fingerprints are very similar in nature to that same type of campaign."
So far, the only victim that Trend Micro is aware of is an Asian journalist, Ferguson said.
A Microsoft spokeswoman said the company is aware of the new exploit and is investigating.