May of 2022, Microsoft disclosed a remote code execution (RCE) vulnerability in the Microsoft Support Diagnostic Tool (MSDT). This vulnerability became known and was dubbed “Follina,” and can be exploited by any threat actor sending a URL to a vulnerable and unprotected machine. If the exploitation is a success it will allow the attacker to install programs, view or change data or create new accounts in line with the victim’s user permissions. The vulnerability has no CVE and CVSS as well. While the exploitation requires no user interaction it works with macros disabled. It uses the MS-Word remote template feature to retrieve a HTML file from a remote webserver, which in turn leverages the ms-msdt MSProtocol URI scheme to load some code and execute certain PowerShell commands.

What is concerning is that the Microsoft Word document is executing the code via msdt (a supporting tool) even if macros are disabled and further, the “Protected View” option/feature does not detect this. Even if users can change the document to a RTF format, it is executed via the preview tab in Explorer, without opening. Additionally, a researcher was able to evade detection for Microsoft Office 2013 and 2016, and exploited the vulnerability to evade detection from Microsoft Defender by disabling macros. Other researchers have confirmed that the vulnerability impacts Office 2013, 2016, Office Pro Plus and a patched version of Office 2021. Furthermore, Outlook allows the user to click the hyperlink and open the Excel document. The text can also be changed to something important such as “invoice” “urgent” etc. The document is not attached to the email and the URL doesn’t start with HTTP or HTTPS, most email gateways are expected to potentially allow this through their proxy servers.

Follina vulnerability is said to also target Australian Organizations, and measures have been taken to mitigate and prevent this corporations from suffering. As of this writing, the Follina RCE vulnerability has not received a CVE ID, but, the vulnerability is being exploited in the wild. Microsoft has not yet released any official update or statement regarding the vulnerability.

Source

https://www.cyber.gov.au/acsc/view-all-content/alerts/exploitation-microsoft-office-vulnerability-follina

https://www.securityweek.com/microsoft-confirms-exploitation-follina-zero-day-vulnerability

https://www.cisa.gov/uscert/ncas/current-activity/2022/05/31/microsoft-releases-workaround-guidance-msdt-follina-vulnerability