Skip to content

Zero-day vulnerability in Microsoft Office – Follina

  • Resources
  • News
  • Zero-day vulnerability in Microsoft Office – Follina

We would like to bring your attention to the following 0-day exploit we have recently become aware of.

Follina – A zero-day Microsoft Office code execution vulnerability that bypasses Microsoft Defender for Endpoint. This vulnerability has been seen to be actively exploited in the wild.

Update: Official Patches have been released

Additional mitigation advice has been released by Microsoft. An official patch has now been released and is available in the June 2022 cumulative Windows updates. Alternatively, stand alone versions are accessible from the following URL:
https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-30190

Description

This exploit uses the Microsoft Word remote template feature to retrieve a HTML file from a remote webserver. The powershell script that is executed utilises ‘msdt.exe’ (Microsoft’s Diagnostic Troubleshooting Wizard – a support tool to aid in troubleshooting), which is executed even if macros are disabled. If the document is saved in RTF format the code will run without even opening the file via the explorer preview tab.

Affected Versions

Office 2013
Office 2016
(There is the potential that later versions are affected, more work is needed before all affected versions are identified.)

Remediation

A Defender for Endpoint query has been written for companies that have the relevant Microsoft package (E5).

DeviceProcessEvents| where ProcessCommandLine contains “msdt.exe”| where InitiatingProcessFileName has_any (@”WINWORD.EXE”, @”EXCEL.EXE”, @”OUTLOOK.EXE”)

At this time there are no specific official patches available, CovertSwarm would advise increased vigilance to be taken in all attached word files into the company.

References:

Silhouettes of a team standing together in low light, representing collaboration within a Security Operations Center.

SOC Testing: Turning Your Security Operations Centre into a Continuous Learning Engine

SOC testing isn’t just about finding vulnerabilities. It’s about building collaboration, sharpening human judgment, and turning your SOC into a continuous learning engine.
Wooden garden shed where CovertSwarm founder Anders Reeves conceived the idea for continuous penetration testing during COVID-19 lockdown

Why I founded CovertSwarm after annual pen tests failed me

Almost every business I worked for got breached. Our teams did the same thing each time: an occasional pen test, a thick report full of findings,…
Black and white surveillance perspective view of people at a table through a car window, symbolizing covert observation and offensive security reconnaissance

When a former UK Government cyber operations chief says AI is “limitless” in Offensive Security, we should pay attention

Jim Clover says AI has made offensive cyber “limitless.” Attackers are using it now. The horse has already bolted. And if your red team isn’t keeping…