Metacurity

Malicious Actors Use 'Follina' Zero Day Flaw in Microsoft Office for Remote Code Execution

metacurity.substack.com

Latest EnemyBot variants now target CMS and Android, Interpol busts three Nigerian men for targeting oil and gas companies, University credentials advertised on cybercrime forums, much more

Cynthia Brumfield
May 31, 2022


Photo by Jeremy Bezanger on Unsplash

A new Microsoft Office zero-day vulnerability referred to by the infosec community as Follina and now assigned the identifier CVE-2022-30190 is being used in attacks to execute malicious PowerShell commands via Microsoft Diagnostic Tool (MSDT) simply by opening a Word document.

This new zero-day opens a critical attack vector through Microsoft Office programs. It works without elevated privileges, bypasses Windows Defender detection, and does not need macros to be enabled in order to execute binaries or scripts. Security researcher Kevin Beaumont deobfuscated the code and said it is a command-line string that Microsoft Word executes through MSDT, even when macro scripts are disabled.
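Because the document carries the MSDT trigger in its package relationships rather than in a macro, a triage check can look at the .docx zip directly. The scanner below is an added defender-side example, not code from Metacurity or from the researchers cited; it assumes the publicly documented pattern of a Word relationship that either uses the ms-msdt: handler or loads an oleObject from an external location, and the sample document it builds is constructed test data with placeholder targets.

```python
import io
import zipfile
import xml.etree.ElementTree as ET

REL_NS = "http://schemas.openxmlformats.org/package/2006/relationships"
OLE_TYPE = "http://schemas.openxmlformats.org/officeDocument/2006/relationships/oleObject"
HYPERLINK_TYPE = "http://schemas.openxmlformats.org/officeDocument/2006/relationships/hyperlink"


def scan_docx(docx_bytes):
    """Return (part, rel_id, target, reason) for each suspicious relationship.

    Two heuristics: any Target that uses the ms-msdt: handler, and any
    oleObject relationship with TargetMode="External" (an embedded object
    fetched from outside the document, which ordinary documents rarely do).
    """
    hits = []
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as zf:
        for name in zf.namelist():
            if not name.endswith(".rels"):
                continue  # only relationship parts carry Target URIs
            try:
                root = ET.fromstring(zf.read(name))
            except ET.ParseError:
                continue  # unparseable part: nothing to match, keep scanning
            for rel in root.iter(f"{{{REL_NS}}}Relationship"):
                target = rel.get("Target", "")
                external = rel.get("TargetMode", "Internal").lower() == "external"
                if target.strip().lower().startswith("ms-msdt:"):
                    hits.append((name, rel.get("Id"), target, "ms-msdt handler"))
                elif external and rel.get("Type", "").endswith("/oleObject"):
                    hits.append((name, rel.get("Id"), target, "external oleObject"))
    return hits


def build_sample(rel_type, target, mode="External"):
    """Construct a minimal docx-shaped zip with one relationship (test data only)."""
    root = ET.Element(f"{{{REL_NS}}}Relationships")
    ET.SubElement(root, f"{{{REL_NS}}}Relationship",
                  Id="rId1", Type=rel_type, Target=target, TargetMode=mode)
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("word/document.xml", "<document/>")
        zf.writestr("word/_rels/document.xml.rels", ET.tostring(root))
    return buf.getvalue()


if __name__ == "__main__":
    # Placeholder URL, not a real sample: flagged as an external oleObject link.
    for hit in scan_docx(build_sample(OLE_TYPE, "http://example.invalid/x.html")):
        print(hit)
```

Run it against a real .docx by passing the file's bytes to scan_docx; a hit is a reason to detonate the file in a sandbox, not proof of Follina on its own.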

Multiple security researchers have analyzed a malicious document shared by a security researcher who goes by @nao_sec on Twitter and success…

© 2023 DCT Associates