2022-05-31

CVE-2022-30190 / Follina: Microsoft Office Zero-Day

Industry: N/A | Level: Tactical | Sources: Huntress & Researcher, Kevin Beaumont

On May 27th, 2022 the security community identified a suspicious Word document originating from Belarus, uncovering a zero-day vulnerability designated CVE-2022-30190 (aka Follina). Exploitation was observed leveraging the Microsoft Diagnostic Tool (MSDT) to run malicious PowerShell commands. The vulnerability gives attackers an attack vector that requires neither elevated privileges nor macros to run. It is also effective for attackers because it is currently not detected by EDR products such as Windows Defender. In an analysis by Nao_sec, "The document uses the Word remote template feature to retrieve a HTML file from a remote web server, which in turn uses the ms-msdt MSProtocol URI scheme to load some code and execute some PowerShell."
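The attack chain described above (Office document, remote template, ms-msdt: URI, MSDT, PowerShell) maps directly onto a process-lineage detection. The following Python is an added example written for this brief; it is not Anvilogic's, Huntress's or Microsoft's code. The events are constructed Sysmon-style process-creation records, and the field names (pid, ppid, image, cmdline) are assumptions to be mapped onto your own Sysmon or EDR schema.

```python
"""Process-lineage detection for the Follina (CVE-2022-30190) chain:
Office application -> msdt.exe (ms-msdt: URI) -> PowerShell.

Three rules are evaluated over process-creation events:
  1. msdt.exe whose direct parent is an Office application
  2. any command line carrying the ms-msdt: URI scheme
  3. a shell (PowerShell/cmd) with msdt.exe anywhere in its ancestry
"""

import ntpath

OFFICE_IMAGES = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
MSDT_IMAGE = "msdt.exe"
SHELL_IMAGES = {"powershell.exe", "pwsh.exe", "cmd.exe"}

# Constructed sample events (assumed schema: pid, ppid, image, cmdline).
# Command lines are placeholders, not a real exploit payload.
SAMPLE_EVENTS = [
    {"pid": 900, "ppid": 1, "image": r"C:\Windows\explorer.exe",
     "cmdline": "explorer.exe"},
    {"pid": 4100, "ppid": 900,
     "image": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "cmdline": r'"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE" /n invoice.docx'},
    {"pid": 5120, "ppid": 4100, "image": r"C:\Windows\System32\msdt.exe",
     "cmdline": r"C:\Windows\System32\msdt.exe ms-msdt:/id CONSTRUCTED_PACK_ID"},
    {"pid": 6200, "ppid": 5120,
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": "powershell.exe -c CONSTRUCTED_COMMAND"},
    # Benign: a user-launched troubleshooter and an interactive shell.
    {"pid": 7000, "ppid": 900, "image": r"C:\Windows\System32\msdt.exe",
     "cmdline": r"msdt.exe -path C:\Windows\diagnostics\system\Audio"},
    {"pid": 7100, "ppid": 900,
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": "powershell.exe"},
]


def basename(image):
    """Lower-cased file name of a Windows image path."""
    return ntpath.basename(image).lower()


def has_ancestor(event, by_pid, target, max_depth):
    """Walk the parent chain up to max_depth levels looking for `target`.
    Walking the full chain also catches intermediate host processes
    between msdt.exe and the shell."""
    cur = by_pid.get(event["ppid"])
    for _ in range(max_depth):
        if cur is None:
            return False
        if basename(cur["image"]) == target:
            return True
        cur = by_pid.get(cur["ppid"])
    return False


def detect(events, max_depth=5):
    """Return one alert dict per (rule, process) match."""
    by_pid = {e["pid"]: e for e in events}
    alerts = []
    for e in events:
        name = basename(e["image"])
        parent = by_pid.get(e["ppid"])
        parent_name = basename(parent["image"]) if parent else ""

        def alert(rule):
            alerts.append({"rule": rule, "pid": e["pid"],
                           "image": name, "parent": parent_name})

        # Rule 1: Office should never be the direct parent of msdt.exe.
        if name == MSDT_IMAGE and parent_name in OFFICE_IMAGES:
            alert("office_spawns_msdt")
        # Rule 2: ms-msdt: URI scheme on the command line. Legitimate
        # troubleshooter links also use it, so treat this as a lower-
        # confidence signal and pivot on the parent process.
        if "ms-msdt:" in e["cmdline"].lower():
            alert("ms-msdt_uri")
        # Rule 3: a shell descended from msdt.exe.
        if name in SHELL_IMAGES and has_ancestor(e, by_pid, MSDT_IMAGE, max_depth):
            alert("shell_under_msdt")
    return alerts


if __name__ == "__main__":
    for a in detect(SAMPLE_EVENTS):
        print(a)
```

Run as-is it flags the msdt.exe process under WINWORD.EXE twice (rules 1 and 2) and the PowerShell process under it once, while the user-launched troubleshooter and interactive shell produce nothing. Rule 1 is the high-confidence signal; rule 2 on its own is noisy and is best used as context, and rule 3 is what catches the PowerShell stage the brief describes.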

Anvilogic Scenario:

  • Follina : Attack Chain

Anvilogic Use Case:

  • Microsoft Office Code Execution Vulnerability
