The cybersecurity industry is buzzing in response to a new Microsoft Office zero-day vulnerability. According to researchers, the security flaw has been observed being actively exploited in attacks originating from both cybercriminals and state-sponsored APT groups.
The flaw was reportedly discovered on May 27, 2022, by cybersecurity research team Nao_sec, who found the zero-day flaw while examining an odd-looking Word document uncovered in the wild and uploaded from an IP address in Belarus. It’s worth noting that Defender for Endpoint did not detect the execution of malicious code contained within the weaponized documents.
What we know about CVE-2022-30190
Security researcher Kevin Beaumont was among the first to analyze the security flaw, now tracked as CVE-2022-30190. According to Beaumont, exploits leveraging the flaw abuse the remote template feature in Microsoft Word. Beaumont named the zero-day “Follina” because the malicious file references the number 0438 — the telephone area code of the Italian village of Follina.
Follina was initially described as a Microsoft Office zero-day vulnerability, but Microsoft says it actually affects the Microsoft Support Diagnostic Tool (MSDT), which collects information that is sent to Microsoft support.
“A remote code execution vulnerability exists when MSDT is called using the URL protocol from a calling application such as Word. An attacker who successfully exploits this vulnerability can run arbitrary code with the privileges of the calling application. The attacker can then install programs, view, change, or delete data, or create new accounts in the context allowed by the user’s rights,” Microsoft explained in its advisory for CVE-2022-30190.
One of the more notable aspects of the known exploits designed to target this bug is that, unlike most exploits and phishing templates using weaponized Microsoft Office documents, the attacks observed so far do not rely on macros — and the malicious code is executed regardless of whether macros are disabled.
Here are some other key takeaways regarding this threat:
- The Word template payloads are often on Exchange servers once vulnerable to ProxyLogon.
- The templates often use phrases like ‘POC.’
- The targets are of known strategic interest to China.
Microsoft has released guidance for this remote code execution vulnerability, including workarounds and information on new Defender updates designed to detect and block files and behavior associated with the threat.
Tanium’s cyber threat intelligence analyst perspective
The first thing the Cyber Threat Intelligence team wants to point out — and this sentiment is echoed by many of the industry’s leading cybersecurity firms — is that research is ongoing. The infosec community is still testing and probing the various aspects of the vulnerability and the exploits designed to target it, and many of those leading companies had the good sense to simply inform customers (and the public) that they don’t know everything yet. Many of them have admitted to receiving mixed signals about the threat — particularly about whether the latest, fully patched version of Office 365 is vulnerable to this specific type of attack.
What is clear is that this appears to be a significant threat. The fact that it was only disclosed publicly four days ago and yet we’ve already seen exploit activity in the wild only serves to underscore the fact that the time between zero-day disclosure and exploit activity is shrinking every year.
If there’s a silver lining to all this (and by ‘all this’ we’re referring to the shrinking window between the disclosure of serious security flaws and their subsequent exploitation by the bad guys), it’s that Follina is another prime example of how this industry — on its good days — can mobilize, collaborate, and get mitigations/workarounds in place with a turnaround time that used to be considered impossibly quick.
How Tanium can help
Currently, there is no patch for this vulnerability. Microsoft has released guidance, and Tanium can help scope your organization’s susceptibility to the vulnerability, alert on the exploit behavior pattern, and deploy and validate the mitigation. Step-by-step details can be found in the Tanium Community article.
Tanium has several tools that can help customers quickly and easily find assets impacted by the Follina vulnerability.
Tanium Interact can be used to identify systems that may be vulnerable across the enterprise. It gives responders the ability to ask questions of their endpoints and receive rapid and comprehensive answers.
Tanium Threat Response continuously monitors endpoints for suspicious activity, whether online or offline. There’s currently a Tanium Signal available for customers to detect exploitation of CVE-2022-30190. The signal detects the execution of msdt.exe with command line parameters that are indicative of the exploit as seen and used by malware.
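As an added illustration (this is not the Tanium Signal or any Tanium code), the following Python snippet applies the same detection idea to constructed process-creation records: it flags msdt.exe when it is launched through the ms-msdt: URL protocol and escalates when the parent is an Office application. The pipe-delimited record layout, the sample lines, and the Office image list are assumptions.

```python
import re
from typing import Dict, List, Optional

# Assumed set of Office executables that should never legitimately launch msdt.exe.
OFFICE_IMAGES = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}

# Constructed sample process-creation records (not real telemetry).
# Layout assumed as: timestamp|parent_image|image|command_line
# Exploit-specific arguments are deliberately replaced with ELIDED.
SAMPLE_EVENTS = r"""
2022-05-31T10:01:02Z|C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE|C:\Windows\System32\msdt.exe|"C:\Windows\system32\msdt.exe" ms-msdt:/id ELIDED /param "ELIDED"
2022-05-31T10:05:44Z|C:\Windows\explorer.exe|C:\Windows\System32\msdt.exe|"C:\Windows\system32\msdt.exe" -id NetworkDiagnosticsWeb
2022-05-31T10:07:10Z|C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE|C:\Windows\System32\notepad.exe|notepad.exe report.txt
"""


def parse_event(line: str) -> Dict[str, str]:
    """Split one pipe-delimited record into its four fields (command line may contain pipes)."""
    ts, parent, image, cmdline = line.split("|", 3)
    return {"ts": ts, "parent": parent, "image": image, "cmdline": cmdline}


def basename(path: str) -> str:
    """Lower-cased file name of a Windows or POSIX path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def classify(event: Dict[str, str]) -> Optional[str]:
    """Return an alert reason for an msdt.exe launch, or None for anything benign."""
    if basename(event["image"]) != "msdt.exe":
        return None
    via_url_protocol = re.search(r"ms-msdt:", event["cmdline"], re.IGNORECASE) is not None
    office_parent = basename(event["parent"]) in OFFICE_IMAGES
    if via_url_protocol and office_parent:
        return "high: msdt.exe invoked via ms-msdt: URL protocol by an Office process"
    if via_url_protocol:
        return "medium: msdt.exe invoked via ms-msdt: URL protocol"
    if office_parent:
        return "medium: msdt.exe spawned by an Office process"
    return None  # e.g. a troubleshooter started from Explorer with -id


def detect(log_text: str) -> List[Dict[str, str]]:
    """Run classify() over every non-empty record and collect the alerts."""
    alerts = []
    for line in log_text.splitlines():
        if line.strip():
            ev = parse_event(line)
            reason = classify(ev)
            if reason:
                alerts.append({"ts": ev["ts"], "reason": reason})
    return alerts


if __name__ == "__main__":
    for alert in detect(SAMPLE_EVENTS):
        print(alert["ts"], alert["reason"])
```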
Our cyber threat intelligence team continues to monitor this vulnerability and will share updates as they develop.