Microsoft Follina Exploit & Mitigation Steps
Microsoft Follina Exploit (CVE-2022-30190)
A recently announced exploit in the Microsoft Support Diagnostic Tool (MSDT) allows threat actors to execute code on all versions of Windows using multiple versions of Office. The primary exploit path is through Microsoft Office products, but the exploit can also be triggered without opening the weaponized file. A successful exploit could allow threat actors to read, edit, or delete any data the application has access to, and if the application runs with sufficiently high privileges, the executed code could also create new user accounts.
Threat actors can deliver the malicious URL through email, either directly in the message body or inside an attached Word document. The URL invokes the Microsoft Support Diagnostic Tool (MSDT) and has the support tool download the threat actor’s code from a remote website. While Microsoft’s FAQ in the guidance document said Protected View would prevent exploitation, third-party researchers found that Protected View was easily bypassed.
- The first bypass method was mousing over the document with the Preview Pane enabled in Windows Explorer or Outlook. Rendering the file in the Preview Pane triggered the exploit through the URL prefetch option, with no click required.
- The second was to rename the document so it carries the .rtf extension. With the extension changed, Microsoft Word’s Protected View no longer applied, and the exploit ran.
Lastly, macros do not need to be enabled for this exploit to work.
Coretek is working with customers to inform them of the current exploit and recommendations.
1 - Disable MSDT URL Protocol
Coretek advises customers to follow Microsoft’s recommendations of disabling MSDT URL Protocol. The directions are listed in the Microsoft “Guidance for CVE-2022-30190” linked to below.
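As an added illustration of this step (not Coretek’s or Microsoft’s own script), the PowerShell below backs up the ms-msdt URL protocol handler key before removing it, so the handler can be restored later with `reg import`. It assumes it is run from an elevated session, and the backup path is a chosen placeholder.

```powershell
#Requires -RunAsAdministrator
# Added example: export, then delete, the ms-msdt URL protocol handler so a
# crafted ms-msdt: link can no longer launch MSDT. Not an official script.
$handlerKey = 'HKEY_CLASSES_ROOT\ms-msdt'
$psPath     = "Registry::$handlerKey"
$backupFile = Join-Path $env:ProgramData 'ms-msdt-backup.reg'   # assumed location

if (-not (Test-Path $psPath)) {
    Write-Output "$handlerKey is not present; nothing to do."
    return
}

# Back up first so the mitigation is reversible once a patch is applied.
reg.exe export $handlerKey $backupFile /y | Out-Null
if ($LASTEXITCODE -ne 0) {
    throw "Backup of $handlerKey failed; refusing to delete without a backup."
}

reg.exe delete $handlerKey /f | Out-Null
if ($LASTEXITCODE -ne 0) {
    throw "Deletion of $handlerKey failed."
}

# Verify the handler is gone before reporting success.
if (Test-Path $psPath) {
    Write-Error "$handlerKey still exists after deletion attempt."
} else {
    Write-Output "ms-msdt URL handler removed. Backup saved to $backupFile"
}
```

To undo the mitigation after patching, run `reg import` against the backup file from an elevated prompt.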
2 - Disable Preview Pane
It is also recommended to disable the Preview Pane in Outlook and Windows Explorer since it allows for zero-click exploits.
3 - Monitor Microsoft Defender
Microsoft Defender version 1.367.719.0 or newer can detect the attack and take action to terminate the exploit’s callout. The three malware families associated with this exploit that Defender detects are:
Defender will also alert using the following alert names:
- Suspicious behavior by an Office application
- Suspicious behavior by Msdt.exe
If any of the above show up in your SIEM or Defender logs, they should be investigated as possible exploit attempts.
References & Additional Resources
If you are a Coretek customer, have any questions about Coretek remediation actions or your support agreements with Coretek, or are a visitor who would like more information, please use the button below to get in touch.