What do sex extortion email, a rustic village in northern Italy, and a popular Russian radio station have in common? They were all being used to exploit innocent-looking word documents containing the “Follina” vulnerability.

For years, the peaceful village of Follina, known for its marvelous abbey of Santa Maria was losing tourists to its big brother Venice, located only 75 kilometers away. It was the CVE exploitation for the Microsoft Support Diagnostic Tool (or MSDT) vulnerability that changed it all and put Follina on the map.

The zero-day name was given by Kevin Beaumont after he found the code in a sample file reference of 0438, the area code of Follina, a province of Treviso, Italy.

The CVE-2022-30190 exploit, AKA the Follina MSDT, is a zero-day Microsoft Office code execution that allows code execution. It bypassed the Microsoft Defender for Endpoint and operated even when macros are disabled.

If you thought this is the bad news, there is more to come; the “Follina” exploit doesn’t need to be proactively clicked, as it can be executed in preview mode.

Word loads the malicious code from a remote template (webserver). Additionally, It can be transformed through MS Protocol URI schemes in Microsoft 365 emails by sending emails with text as a hyperlink. M365 allows users to click hyperlinks and open the office document. Because the document isn’t attached to the email, and the URI doesn’t start with HTTP or HTTPS, most email gateways are going to let it go straight through as nothing appears malicious.

For Microsoft 365 Exchange online, the Follina vulnerability can be triggered in several methods:

  • By crafting word or *.rtf files with an embedded link.
    • The link pulls an HTML file that triggers the Microsoft Support Diagnostic Tool vulnerability
  • By an HTML file received by email
  • By Accessing the malicious HTML via URL link sent in the mail body

How to ensure none of your employees were exposed to a document containing the Follina exploitation?

 

Companies using FileWall for Microsoft 365 email benefit from the latest release including detection and elimination of the CVE-2022-30190 (or by street name MSDT Follina) zero-day that exploits Office 365 documents sent as attachments to users.

As of today (June 1st, 2022), FileWall CDR (Content Disarm & Reconstruction) mechanism includes the feature above and neutralizes both Microsoft Word and .rtf files.

FileWall users are not required to perform any change on their end as all releases are automatically populated to all tenants.

Deep dive into the Follina Exploitation:

An odd-looking word document, that was identified by Nao_sec, sourced from an IP address in Belarus, turned out to be a zero-day vulnerability in Office and Windows.

It uses the Word remote template feature to retrieve an HTML file from a remote web server, which in turn uses the MS-MSDT MSProtocol URI scheme to load some code and execute some PowerShell.

It was discovered that Microsoft Word is executing the code via MSDT (a support tool) even if macros are disabled.

The document uses the Word remote template feature to retrieve an HTML file from a remote web server, which in turn uses the MS-MSDT MSProtocol URI scheme to load some code and execute some PowerShell.

The remote code execution vulnerability (CVE-2022-30190) exists when MSDT is called using the URL protocol from a calling application such as Word. An attacker who successfully exploits this vulnerability can run arbitrary code with the privileges of the calling application. The attacker can then install programs, view, change, delete data, or create new accounts in the context allowed by the user’s rights.

According to an update by Microsoft’s Security Response Center (MSRC) blog from May 30th, 2022, a workaround for the Microsoft Support Diagnostic Tool Vulnerability is to disable the MSDT URL Protocol.

Early signs of the Follina variant was already been seen in April 2022 upload for VirusTotal, where a malicious word document that directly exploited the Follina vulnerability with an unknown payload by impersonating the Russian radio station, “Sputnik”, with the title “invitation for an interview”).

Later on that month, more Follina themed documents were reported in Russian “innocent-looking” files, An attempt to lure a victim using sexual misconduct allegations using an extortion document, and even in a Chinese threat actor TA413 CN APT, who delivered a Zip Archives which contain Word Documents that impersonate the “Women Empowerments Desk” of the Central Tibetan Administration.

The Follina vulnerability was tested and proven to be working and exploitable on a variety of operating systems and Office versions such as:

  • Windows 10, not local admin, with macros fully disabled
  • Microsoft Defender, with Office 365 Semi-Annual Channel
  • Using *.RTF files on all versions of Office 365, including the current channel.
  • Office 2013, 2016, 2019 (with latest patches), 2021, Office ProPlus, and Office 365.
    • By using MS protocol
    • By allowing loading unfiltered from HTML Word templates and Outlook links, and MSDT allowing code execution.
  • Can be called from windows .lnk files
  • Windows 11 (updated to May 2022) + Office Pro Plus (updated to April 2022)
  • Preview pane enabled

The security community has contributed query quotes for event rules and alerts. It can be found on the following GitHub:

  • Defender for Endpoint (need E5 to work).
    • can be saved under “Custom detection rules”.
  • Trellix was written based on the reported code execution in MS Office abusing msdt.exe.
    • This is an Expert Rule for @Trellix for users to detect/block suspicious files abusing this vulnerability.
    • Tested on the following OS platforms: Windows 10 1909 x64 ENS: 10.7.0
    • Creator’s Note: Customers are advised to fine-tune the rule in their environment or disable the signature if there are false positives.
  • Sigma and Aurora Lite – a Microsoft Office code execution vulnerability #3059

To learn more about the MSDT “Follina” exploitation, history, and implications, check out Kevin Beaumont’s detailed report.