MS Office Malware 'Follina' Works Even When Macros Disabled

Updated: Jul 22

A zero-day code execution vulnerability in Microsoft Office has been confirmed by information security researchers through detailed examination of malicious documents.

The vulnerability was given the moniker "Follina," and it has apparently been used in various attacks dating back to April 2022. The attack uses functionality built into Office to retrieve a remote HTML file, which then uses the Microsoft Support Diagnostic Tool (MSDT) to execute the attacker's code. [1] Critically, this attack works regardless of whether Microsoft Word macros have been disabled.


The @nao_sec account on Twitter was the primary source of the attack analysis, most of which was released toward the end of last week. The researchers described how the vulnerable path uses the ms-msdt handler to run PowerShell scripts.



Initially, the attack executes code only with the permissions of the user who received the malicious document; however, once an attacker has that foothold, many paths exist across commonly used software to escalate privileges to more powerful accounts. Some variants of the exploit cause the Microsoft Support Diagnostic Tool's user interface to appear on the victim's Windows system. Chances are high, though, that many users will ignore that indicator of compromise.


Leading analysts have made several suggestions, including using Microsoft Defender's Attack Surface Reduction (ASR) rules and setting the rule titled "Block all Office applications from creating child processes" to "Block mode." Alternatively, another viable option is to remove the file type association for ms-msdt so that MS Office cannot invoke that application. [2]
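The two mitigations above, as a defensive audit-and-apply script added here as an example (not code from the original post or from Microsoft). It assumes an elevated PowerShell session on Windows 10/11 with Microsoft Defender Antivirus, uses Microsoft's documented ASR rule GUID for "Block all Office applications from creating child processes", and the backup file path is an assumption.

```powershell
# Added example: audit and apply the two Follina mitigations described above.
# Assumes an elevated PowerShell session on Windows 10/11 with Defender AV enabled.
# Run with -WhatIf first to see what would change without touching the system.
[CmdletBinding(SupportsShouldProcess)]
param(
    # Backup location for the ms-msdt handler key (assumed path; adjust as needed)
    [string]$BackupPath = "$env:ProgramData\msdt-handler-backup.reg"
)

# Documented GUID of the ASR rule "Block all Office applications from creating child processes"
$AsrRuleId = 'D4F940AB-401B-4EFC-AADC-AD5F3C50688A'

function Get-FollinaMitigationState {
    $prefs = Get-MpPreference
    $ids   = @($prefs.AttackSurfaceReductionRules_Ids)
    $idx   = -1
    # GUID casing varies between sources, so compare case-insensitively
    for ($i = 0; $i -lt $ids.Count; $i++) { if ($ids[$i] -ieq $AsrRuleId) { $idx = $i; break } }
    # ASR action codes: 0 = Disabled, 1 = Block, 2 = Audit, 6 = Warn
    $action = if ($idx -ge 0) { [int]$prefs.AttackSurfaceReductionRules_Actions[$idx] } else { 0 }
    [pscustomobject]@{
        AsrRuleBlocking    = ($action -eq 1)
        MsdtHandlerPresent = (Test-Path 'Registry::HKEY_CLASSES_ROOT\ms-msdt')
    }
}

$before = Get-FollinaMitigationState
Write-Host "Before: ASR rule blocking=$($before.AsrRuleBlocking); ms-msdt handler present=$($before.MsdtHandlerPresent)"

# 1. Put the ASR rule into Block mode. Add-MpPreference merges with rules already configured.
if (-not $before.AsrRuleBlocking -and $PSCmdlet.ShouldProcess($AsrRuleId, 'Set ASR rule to Block mode')) {
    Add-MpPreference -AttackSurfaceReductionRules_Ids $AsrRuleId -AttackSurfaceReductionRules_Actions Enabled
}

# 2. Back up, then remove, the ms-msdt handler so Office cannot launch MSDT through it.
#    Restore later with:  reg.exe import <BackupPath>
if ($before.MsdtHandlerPresent -and $PSCmdlet.ShouldProcess('HKCR\ms-msdt', 'Back up and delete handler key')) {
    reg.exe export 'HKEY_CLASSES_ROOT\ms-msdt' $BackupPath /y | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "Backup of HKCR\ms-msdt failed; refusing to delete the key." }
    reg.exe delete 'HKEY_CLASSES_ROOT\ms-msdt' /f | Out-Null
}

$after = Get-FollinaMitigationState
Write-Host "After:  ASR rule blocking=$($after.AsrRuleBlocking); ms-msdt handler present=$($after.MsdtHandlerPresent)"
```

Removing the handler disables legitimate use of MSDT troubleshooters launched via ms-msdt links, so keep the backup until the vendor fix is deployed.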

One additional defensive option is to train personnel, or reinforce existing training, to be extremely wary of opening any email attachments. Unfortunately, this is only a partial mitigation: if an attacker uses a Rich Text Format (.rtf) file together with the Windows Preview Pane, users may not even have to click on the malicious file for it to run. Mitigating controls such as endpoint detection and response (EDR) and/or advanced security information and event management (SIEM) should be put in place. These solutions inspect behavior at the kernel level (rather than relying on signatures alone) and may at least be able to prevent such malware from causing harm, or limit the damage. The attack evades most standard anti-malware solutions because MS Word pulls the malicious code from a remote template over web services.


Microsoft has not yet publicly acknowledged the issue, but researchers have observed that the vulnerability appears to have been patched in the most recent versions of Office Insider and the current. However, the issue appears to still be present in Office 2013 and 2016, as well as in fully up-to-date versions of Office 2019 and some versions of Office 2021. [3]


Reach out to Webcheck Security to explore ways our consultants can provide guidance for your organization to effectively reduce your security risks.


Sources

[1] https://twitter.com/CrazymanArmy/status/1531120929321152512

[2] https://twitter.com/wdormann/status/1531258175915180033

[3] https://twitter.com/DidierStevens/status/1530926363770855427

