For starters, this is a Word exploit. The .dll in question is not being memory injected into Word. The .dll is a hijacked one and is being loaded into Word normally at startup time. Correct - by now hopefully everyone is monitoring outbound connections from MS Office executables. As far as HIPS monitoring, I also assume everyone is now monitoring mshata.exe startup. I will add csc.exe to my MS Word child process startup monitoring since that is a "new twist." Also the running of csc.exe from Word will run up all kinds of "red flags" by the behavior monitors especially Next Gen ones.