Service announcement: Microsoft has published guidance for a newly discovered zero-day vulnerability within the Office Productivity Suite which, if exploited, could let an attacker execute arbitrary code on affected systems.

The Follina vulnerability, which has been assigned CVE-2022-30190, is rated 7.8 out of 10 for severity on the CVSS scale. It was discovered on 29th May 2022 and involved a real-world weaponised Word document that executed malicious PowerShell code by making use of the ‘ms-msdt:’ URI.

The weaponised Word document was uploaded from Belarus to VirusTotal, an open-source malware database.

However, it appears this vulnerability has been exploited globally since as early as April 2022. That earlier instance is believed to have targeted someone in Russia with a malicious Word document (приглашение на интервью.doc) that posed as an invitation to an interview with Sputnik Radio, a very popular radio station in Russia.

The vulnerability allows Remote Code Execution (RCE) when the Microsoft Support Diagnostic Tool (MSDT) is invoked through its URL protocol from a legitimate calling application within the Office Productivity Suite, such as Word or Excel. An attacker who successfully exploits this vulnerability can then run malicious code with the privileges of the calling application. From there, the malicious actor can install further payloads, including programmes; access, modify, or delete system and local files; or create new accounts, if the targeted user's permissions allow.
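
The behaviour described above suggests a simple detection: flag msdt.exe when its parent process is an Office application or when its command line carries the ‘ms-msdt:’ URI. The following Python is an added example, not part of the original announcement or of any vendor's detection rules; the JSON field names, host names and sample events are constructed assumptions.

```python
import json
import ntpath

# Word and Excel are the callers named above; the other two are assumed additions.
OFFICE_PARENTS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}

# Constructed process-creation events as JSON lines. The field names and every
# value are made up for this example; the ws-05 line is deliberately malformed.
SAMPLE_LOG = r'''
{"host":"ws-01","ParentImage":"C:\\Program Files\\Microsoft Office\\root\\Office16\\WINWORD.EXE","Image":"C:\\Windows\\System32\\msdt.exe","CommandLine":"msdt.exe ms-msdt:CONSTRUCTED-ARGS"}
{"host":"ws-02","ParentImage":"C:\\Windows\\explorer.exe","Image":"C:\\Windows\\System32\\msdt.exe","CommandLine":"msdt.exe"}
{"host":"ws-03","ParentImage":"C:\\Program Files\\Microsoft Office\\root\\Office16\\EXCEL.EXE","Image":"C:\\Windows\\System32\\MSDT.EXE","CommandLine":"msdt.exe"}
{"host":"ws-04","ParentImage":"C:\\Windows\\System32\\cmd.exe","Image":"C:\\Windows\\System32\\msdt.exe","CommandLine":"msdt.exe MS-MSDT:CONSTRUCTED-ARGS"}
{"host":"ws-05","ParentImage": truncated
'''

def exe_name(path):
    """Lower-cased executable name from a Windows path (works on any OS)."""
    return ntpath.basename(path or "").lower()

def classify(event):
    """Return (severity, reasons) for a suspicious msdt.exe launch, else None."""
    if exe_name(event.get("Image")) != "msdt.exe":
        return None
    reasons = []
    if exe_name(event.get("ParentImage")) in OFFICE_PARENTS:
        reasons.append("office-parent")
    if "ms-msdt:" in (event.get("CommandLine") or "").lower():
        reasons.append("ms-msdt-uri")
    if not reasons:
        return None  # msdt.exe started normally, e.g. by the user from the shell
    return ("high" if "office-parent" in reasons else "medium", reasons)

def scan(log_text):
    """Return (alerts, skipped); malformed lines are counted, not fatal."""
    alerts, skipped = [], 0
    for line in filter(str.strip, log_text.splitlines()):
        try:
            event = json.loads(line)
        except json.JSONDecodeError:
            skipped += 1
            continue
        verdict = classify(event) if isinstance(event, dict) else None
        if verdict:
            alerts.append({"host": event.get("host"), "severity": verdict[0], "reasons": verdict[1]})
    return alerts, skipped

if __name__ == "__main__":
    print(*scan(SAMPLE_LOG)[0], sep="\n")
```

Matching is case-insensitive on both the executable names and the URI scheme, so the upper-case variants in the sample are still caught, while a troubleshooter started from explorer.exe is not flagged.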

Workarounds and patches

While no official patch has been provided by Microsoft, mitigation is available.

Sentinel Essential customers

If you are one of our Sentinel Essentials customers, you will have custom threat detection rules implemented within your environment for active detection. In addition, our SOC analysts are proactively threat hunting for any Indicators of Compromise (IOCs) on an ongoing basis.

This is an ongoing event and we are continuing to track the developments. If you have any questions or need support, please contact our IT service desk on 01904 562207 or email [email protected].