Phishing with Follina

A new zero-day CVE-2022-30190 allows remote code execution on Microsoft Office utilities such as Word – without the need for macros, and in some cases by just previewing the document. Worst still, at the time of this writing there isn’t a patch, but there are workarounds.

The exploit exists when the Microsoft Support Diagnostic Tool (MSDT) is called using the URL protocol and could enable attackers to trigger payloads from remote locations using the permissions of that user, or grab the user’s password hash. Protected View can help, but Rich Text Format files (.rtf) can trigger this with the Preview Pane, without needing to open the document.

So what can we do currently? Educate users to always to report and don’t open attachments you aren’t expecting. From a technical standpoint, those utilizing Microsoft Defender’s Attack Surface Reduction (ASR) rules can block office applications from creating child processes and Microsoft has also provided a workaround by disabling the MSDT URL protocol through the registry (make sure you back that up first).

For more in-depth knowledge there are some great articles already being shared throughout the security community:

• https://msrc-blog.microsoft.com/2022/05/30/guidance-for-cve-2022-30190-microsoft-support-diagnostic-tool-vulnerability/

• https://www.huntress.com/blog/microsoft-office-remote-code-execution-follina-msdt-bug?utm_term=blog&utm_campaign=cy22-q2-0530-msdt-follina&utm_medium=email&_hsmi=214787381&_hsenc=p2ANqtz-_XPYkmbBfig4I6bjZTnPcYc5rBGDWl_3Dmnoo4hVsDkHbkR5y46rH91OjwVzNu3aBa27vrCrmHnY4Ju3NS1tWfL4nPNQ&utm_source=hubspot-partner

• https://threatpost.com/zero-day-follina-bug-lays-older-microsoft-office-versions-open-to-attack/179756/