Follina is a high-severity vulnerability in the Microsoft Office suite of products that is easy to exploit for remote code execution (RCE). Microsoft has released security updates for all affected products; however, many unpatched installations of Microsoft Office remain vulnerable. NIST assigned Follina the Common Vulnerabilities and Exposures (CVE) identifier CVE-2022-30190 for tracking purposes.
Threat actors exploit Follina through phishing campaigns that direct targeted users to open an Office document containing a web link to an attacker-controlled online resource. The Office application fetches such embedded links automatically, and the retrieved content is crafted to invoke the Microsoft Support Diagnostic Tool (MSDT) through its URL protocol handler. MSDT (msdt.exe) is normally used to collect information and report system problems to Microsoft support, but an MSDT protocol link can also be used to force the execution of attacker-supplied PowerShell commands without any further user interaction.
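The behaviour described above gives defenders a concrete detection signal: under normal use, no Office application ever launches msdt.exe. The following is an added example, not code from the original page, showing that logic run over a handful of constructed, Sysmon-like process-creation events. The event field names (`image`, `parent_image`, `command_line`, `pid`) and the sample command lines are assumptions made for the example; the `ms-msdt:/id CONSTRUCTED_SAMPLE` argument is a stand-in and reproduces no exploit parameters.

```python
import ntpath

# Office executables whose children should never include msdt.exe under
# normal use. Extend the set to match the Office build in your environment.
OFFICE_PARENTS = {
    "winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe",
    "msaccess.exe", "visio.exe", "mspub.exe",
}


def classify_event(event):
    """Return (severity, reason) for one process-creation event, or None.

    'high'   : msdt.exe is a child of an Office process.
    'medium' : msdt.exe was launched from elsewhere with an ms-msdt: URL on
               its command line. Legitimate troubleshooter launches can look
               like this, so it is a triage lead rather than a verdict.
    """
    image = ntpath.basename(event.get("image", "")).lower()
    if image != "msdt.exe":
        return None
    parent = ntpath.basename(event.get("parent_image", "")).lower()
    cmdline = event.get("command_line", "").lower()
    if parent in OFFICE_PARENTS:
        return "high", f"msdt.exe spawned by Office process {parent}"
    if "ms-msdt:" in cmdline:
        return "medium", f"msdt.exe launched by {parent} with an ms-msdt: protocol URL"
    return None


def scan_events(events):
    """Run classify_event over a stream of events and collect the alerts."""
    alerts = []
    for event in events:
        verdict = classify_event(event)
        if verdict:
            severity, reason = verdict
            alerts.append({"pid": event["pid"], "severity": severity, "reason": reason})
    return alerts


# Constructed sample events (not real telemetry). Command lines are stand-ins.
SAMPLE_EVENTS = [
    {"pid": 4120, "image": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "parent_image": r"C:\Windows\explorer.exe",
     "command_line": '"WINWORD.EXE" /n "C:\\Users\\alice\\invoice.docx"'},
    # Word spawning msdt.exe: the Follina pattern.
    {"pid": 4388, "image": r"C:\Windows\System32\msdt.exe",
     "parent_image": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "command_line": '"C:\\Windows\\System32\\msdt.exe" ms-msdt:/id CONSTRUCTED_SAMPLE'},
    # A user starting a troubleshooter from the shell: benign.
    {"pid": 5012, "image": r"C:\Windows\System32\msdt.exe",
     "parent_image": r"C:\Windows\explorer.exe",
     "command_line": '"C:\\Windows\\System32\\msdt.exe" -id AudioPlaybackDiagnostic'},
    # A browser handing an ms-msdt: URL to the protocol handler: worth a look.
    {"pid": 5230, "image": r"C:\Windows\System32\msdt.exe",
     "parent_image": r"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe",
     "command_line": '"C:\\Windows\\System32\\msdt.exe" ms-msdt:/id CONSTRUCTED_SAMPLE'},
    # Word spawning the print helper: benign child of an Office process.
    {"pid": 5444, "image": r"C:\Windows\splwow64.exe",
     "parent_image": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "command_line": "splwow64.exe"},
]

if __name__ == "__main__":
    for alert in scan_events(SAMPLE_EVENTS):
        print(alert)
```

The parent-process rule is the high-confidence one; the command-line rule exists because a document can be rendered by a process other than the Office application itself, in which case the parent is not an Office binary and only the ms-msdt: URL remains as a signal.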
Exploiting Follina may require the user to open a Microsoft Office document, such as a Word .docx file carrying the malicious link, delivered by email, another online communication channel, or even a USB device. But it may not require a click at all: if the malicious file is in .rtf format, for instance, the code can run through the Preview Tab in Explorer without the user ever opening the file. Either way, the malware payload is activated through MSDT.
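Because the document itself has to carry the external link that Office fetches, a static triage check can flag suspicious files before anyone opens them. In OOXML (.docx) files that link lives in a relationships part such as `word/_rels/document.xml.rels`, as a `Relationship` element with `TargetMode="External"` and an http(s) `Target`. The scanner below is an added example, not code from the original page: it builds a minimal constructed .docx in memory (no payload, only the relationship entry, with the placeholder URL `http://example.invalid/...`) and then inspects every `.rels` part for externally fetched content. Ordinary hyperlinks are external by design and are deliberately not reported.

```python
import io
import re
import zipfile
import xml.etree.ElementTree as ET

RELS_NS = "http://schemas.openxmlformats.org/package/2006/relationships"
OFFICE_REL = "http://schemas.openxmlformats.org/officeDocument/2006/relationships/"

# Relationship types that make Office fetch remote content when the document
# is opened. Hyperlinks are excluded: the user has to click those.
FETCHED_TYPES = ("/oleObject", "/attachedTemplate", "/frame", "/image")


def find_external_fetches(docx_bytes):
    """Return (part, relationship_type, target) for every relationship that
    makes Office retrieve remote content on open."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as zf:
        for name in zf.namelist():
            if not name.endswith(".rels"):
                continue
            root = ET.fromstring(zf.read(name))
            for rel in root.iter(f"{{{RELS_NS}}}Relationship"):
                if rel.get("TargetMode", "Internal") != "External":
                    continue
                rel_type = rel.get("Type", "")
                target = rel.get("Target", "")
                if rel_type.endswith(FETCHED_TYPES) and re.match(r"^https?://", target, re.I):
                    findings.append((name, rel_type.rsplit("/", 1)[-1], target))
    return findings


def build_sample_docx(external_target=""):
    """Construct a minimal .docx for testing. It holds only the relationship
    entry, no embedded object or payload, so it is a fixture, not a sample."""
    rels = [
        '<?xml version="1.0" encoding="UTF-8"?>',
        f'<Relationships xmlns="{RELS_NS}">',
        f'<Relationship Id="rId1" Type="{OFFICE_REL}styles" Target="styles.xml"/>',
    ]
    if external_target:
        rels.append(
            f'<Relationship Id="rId2" Type="{OFFICE_REL}oleObject" '
            f'Target="{external_target}" TargetMode="External"/>'
        )
    rels.append("</Relationships>")
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("[Content_Types].xml",
                    '<?xml version="1.0"?><Types xmlns="http://schemas.openxmlformats.org/package/2006/content-types"/>')
        zf.writestr("word/document.xml",
                    '<?xml version="1.0"?><w:document xmlns:w="http://schemas.openxmlformats.org/wordprocessingml/2006/main"><w:body/></w:document>')
        zf.writestr("word/_rels/document.xml.rels", "\n".join(rels))
    return buf.getvalue()


if __name__ == "__main__":
    # Constructed placeholder URL; nothing is fetched, the bytes are only parsed.
    for hit in find_external_fetches(build_sample_docx("http://example.invalid/page.html")):
        print("external fetch:", hit)
```

The same function works on a real file via `find_external_fetches(open(path, "rb").read())`. It covers OOXML containers only; an .rtf file is not a zip, so the same external-link check for RTF has to be done on the raw text instead.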
Follina was first publicly disclosed as a zero-day vulnerability in a tweet by @nas_sec on May 27, 2022; the first recorded malware sample leveraging Follina in the wild was observed by security researchers on April 7, 2022. However, the Follina flaw had likely been exploited for some time before its discovery. Since the first recorded sighting, cybersecurity researchers have identified a sharp increase in phishing campaigns with attachments leveraging Follina; the vulnerability will continue to be exploited in phishing attacks against unpatched systems.