Malicious Actors Use 'Follina' Zero Day Flaw in Microsoft Office for Remote Code Execution

Latest EnemyBot variants now target CMS and Android, Interpol busts three Nigerian men for targeting oil and gas companies, University credentials advertised on cybercrime forums, much more

Photo by Jeremy Bezanger on Unsplash

A new Microsoft Office zero-day vulnerability referred to by the infosec community as Follina and now assigned the identifier CVE-2022-30190 is being used in attacks to execute malicious PowerShell commands via Microsoft Diagnostic Tool (MSDT) simply by opening a Word document.

This new zero day enables a new critical attack vector leveraging Microsoft Office programs. It works without elevated privileges, bypasses Windows Defender detection, and does not need macro code to be enabled to execute binaries or scripts. Security researcher Kevin Beaumont deobfuscated the code and said it is a command-line string that Microsoft Word executes using MSDT, even if macro scripts are disabled.

Multiple security researchers have analyzed a malicious document shared by a security researcher who goes by @nao_sec on Twitter and success…