The recent notification by Microsoft about the exploitation dubbed “Follina” shows how desperate cybercriminals are to take advantage of a zero-day flaw with an official patch that has not yet been released. However, cyber experts have suggested disabling the MSDT protocol and using unofficial patches until Microsoft releases an official one.

The attackers have used salary increase promises to lure employees to open malicious documents via phishing e-mails. Once the document is opened, a PowerShell script is deployed as the final payload.

While malicious e-mail attachments are nothing new, there is reason to be particularly cautious when it comes to the new zero-day vulnerability, dubbed Follina, found in Microsoft Word, for which the tech giant almost immediately issued a workaround.

"The reason this vulnerability is so serious is that all a user needs to do is open the document. In some cases, just previewing a document in Windows Explorer will trigger the exploit,” said Johannes Ullrich, dean of research for SANS Technology Institute and founder of the internet storm center. “This has the potential to infect many users who are not super careful.”

When a user opens a malware-infected document, Follina bypasses warnings which puts organizations at risk. It is not as though organizations can simply ban attachments or tell users not to open them; attachments are common and necessary to getting work done in today’s digital workplace.

The attackers are harvesting large amounts of information from the infected machines. Since the collected data can be used for initial access, it is suspected that the aim of this campaign is reconnaissance.

The attack gathers passwords from a large number of browsers including Chrome, Firefox, Edge, Opera, Yandex, Vivaldi, and CentBrowser.

Additional targeted apps include Thunderbird, Netsarang session files, Windows Live Mail contacts, WeChat, Putty, Navicat, RAdmin, WinSCP, and Microsoft Office.

“At this point, most users know about the dangers of malicious attachments, but they still need to open them to do business,” said Ullrich, adding that “employees receive at least a few attachments each week while conducting business.”

This vulnerability promises to “make an already popular exploit vector a lot easier to execute,” he said. “The damage could be significant, and the impact is global.”

Attackers have exploited the flaw, using it “in targeted attacks for at least a month; at first, it was not taken seriously by Microsoft,” said Ullrich.

Microsoft products provide “an attractive attack surface, as employees are constantly working with various documents as part of their job responsibilities,” Anton Ovrutsky, adversarial collaboration engineer at LARES Consulting said. “Although Microsoft has implemented several hardening changes—including disabling macro functionality by default in the latest Office versions—this recent zero day demonstrates not only the large attack surface found in Office but also the need to properly harden and monitor Office applications on the endpoint level from a detection and response standpoint.”

River Run immediately sprang into action to ensure that we were mitigating risk for our clients as Microsoft continues to work on an official patch while promoting work arounds and endpoint and e-mail security.

All River Run R-Security clients and those employing RMM are currently protected. River Run has recommended RMM to all clients as well as endpoint and e-mail protection. As these zero-day events continue to occur, we continue to inform clients that are not employing RMM and R-Security that we cannot protect them properly and that they are taking on that risk.

If you do not currently employ a proper zero-day security posture, River Run can help.

“Bad actors have been exploiting the Follina zero day vulnerability found in Microsoft’s support diagnostic tool since April,” Harish Akali, CCOT at ColorTokens, said. Of additional concern, Microsoft Office 2019/2021, is “one of the most widely used software suites,” and the vulnerability is found in even patched versions.

To alleviate the threat, Microsoft recommends “disabling MSDT URL protocol,” which prevents troubleshooters being launched as links including links throughout the operating system.” The company points out that “Troubleshooters can still be accessed using the Get Help application and in system settings as other or additional troubleshooters.”

Alex Ondrick, director of security operations at BreachQuest, called Microsoft’s handling of the flaw “concerning, but not surprising: According to, Microsoft seems to be aware that ms-msdt has a large attack surface and affects a large volume of its customers. Given the historical context of it, I suspect that Microsoft is meticulously working to get this zero day under control.”



Share this article