Zero-Day Threat Bypasses MS Defender Warnings Allowing Remote Code Execution

Published: June 14, 2022 on our newsletter Security Fraud News & Alerts Newsletter.



Security researcher, Kevin Beaumont, discovered a serious zero-day flaw within Microsoft Office in late May 2022. Nicknamed Follina, this exploit went unnoticed by Windows’ Antivirus solution, Defender. In this case, it targets the Microsoft Windows Diagnostic Tool (MSDT). It uses a malicious Microsoft Word document to trick users into interaction, and as the file contains no macros, it triggers no security warnings, making especially dangerous.


This MSDT tool is responsible for allowing users to run diagnostics and troubleshoot problems within the operating system, however, the zero-day exploit takes full advantage of this loophole, leaving users vulnerable to malware attacks. If the attacker manages to be successful, it allows them to run remote code in MS Office products.


Attachments with malware come in all shapes and sizes these days. Historically the most common are .exe and .doc files. However, no type of file is excluded anymore. In this case, it was a .doc and just by changing the file type to .rtf, it doesn't even require a user to open the file. All that's necessary is for the end user to use the “Preview Tab” in Explorer to activate it. Therefore, whenever someone simply clicks to preview the file, the malicious payload is activated through MSDT. However, as a .doc, it takes advantage of the MS Word remote template functionality to retrieve an HTML from a remote webserver.



Microsoft has commented that the best workaround to prevent a malicious attack is to currently disable their MS Diagnostics utility. Check with your IT department to determine how this is done. In the meantime, don’t preview attachments if you are not 100% certain they are safe. As always, ask your manager or IT department, if you are unsure. Keep antivirus on your devices updated at all times, as well.


Currently, there is no patch for the Follina exploit, which is why it is a zero-day flaw. It’s known and there is no patch. Cybercriminals actively take advantage of these types of issues, because they know there is no real way for users to stop them; except to keep their eyes peeled for potential risks do what they can to mitigate the problem. This flaw (CVE-2022-30190) affects Windows 10 and later (including Windows Server 2019) and creates a serious issue within the security of Microsoft Office.


Keep up to date: Sign up for our Fraud alerts and Updates newsletter Want to schedule a conversation? Please email us at advisor@nadicent.com

0 views0 comments