Our Blog

Microsoft Office Zero-Day “Follina

Microsoft Office Zero-Day “Follina" – What is it and how can you prevent it?

Teng Yew Ang Teng Yew Ang
Originally published on June 3, 2022
Last updated on October 9, 2024 Post a comment

There’s a new zero-day vulnerability in Microsoft Office discovered last May 27 by nao_sec, a cyber security research team based in Japan.

They reported that this zero-day flaw called Follina was first documented and submitted from Belarus. It infects and compromises Windows-operated devices with malware embedded into a Word (.docx) or Rich Text Format (.rtf) file.

Here's a rundown of how Microsoft Zero-Day "Follina" works and how you can set up your cyber security to protect yourself against this threat and anything similar in the future.

How the attack works

According to nao_sec, Follina “uses Word’s external link to load the HTML and then uses the ‘ms-msdt’ scheme to execute PowerShell code.”

The Microsoft Support Diagnostics Tool (MSDT) is a Windows feature that collects diagnostic data to send to Microsoft for analysis to patch security problems and bugs. Follina uses the MSDT to run random PowerShell code so the attacker can launch the malware on a system.

Aside from opening the infected attachment or clicking the link, John Hammond from Huntress notes that “this exploit can [also] be triggered with a hover-preview of a downloaded file that does not require any clicks (post download).”

Beaumont claims this should not have been possible since the Protected View (a read-only mode in Microsoft 365 that blocks infected documents from running) will kick in. But that is only the case if the code executes through Microsoft Word. The exploit can still run successfully as an RTF file without triggering any of the device's security software.

How to prevent the attack

The Microsoft Office Zero-Day “Follina” attack is so dangerous because it can seamlessly go undetected by Microsoft's security features under the disguise of a Word or RTF file attachment. It can bypass the multi-level security of email providers like Microsoft Outlook, Gmail, and Yahoo Mail that detect spam, phishing, and malware-infested emails.

Aside from attachments and socially engineered messages, malicious links can also bypass your email and spam filters. And when you click or even hover over the URL, the exploit can activate the malware and inject itself into your computer.

It’s undeniable that attacks like these are getting harder to detect. But the prevention methods below, although basic, can effectively save you from an unknown attack.

Don’t open emails from dodgy senders

There will always be giveaways to phishing emails, from inconsistent content to unusual email addresses. But it’s getting harder to recognise and set them apart from the genuine ones.

If you received an email from an unknown and dodgy sender, delete the email immediately without opening it. This step is critical since there are viruses that can activate once you download and open an attachment or click a malicious link. But other email providers allow scripting that will trigger the virus once you open the dubious email.

If you don’t know the sender, it’s best not to open the email.

Don’t download or open suspicious attachments

Before you open or download that attachment, think well and hard if you know the person or company that sent you the email. Because even if your spam and virus alerts didn’t go off, there’s still a chance that it contains malicious software.

If you don’t know the person contacting you, delete their email immediately. But if you know the sender and are still suspicious about the email, contact the sender or company either through phone or email to verify the email’s authenticity with its attachments.

You can never be too careful when it comes to malware infection. Once you suspect an email, make it a rule of thumb not to open any email attachments, especially if they come in Word, Excel, or PDF format.

Don’t click on embedded links

Being free-willy with your clicks isn’t a good idea when you get emails or text messages from people and organisations you don’t know. Although it’s entirely safe to do it on your trusted website, it can pose a significant risk to click on links from unknown sources.

When you receive an email (especially if it's from someone you don’t know) encouraging you to click a link and you’re doubtful of its authenticity, check the email’s sender address, website domain, company, and content. If you find even one of them suspicious, delete it right away!

Keep your systems up to date

Compared to other operating systems in the market, Windows is the usual target of malicious attacks. That’s why it’s essential to keep it safe by installing the latest patches and having the right security software and applications.

Software companies like Microsoft don’t just release updates because they feel like it.

Whenever they release an update, it’s to fix the security issues from the previous versions that could be vulnerable to exploitation once discovered.

Ignoring these updates is a bad idea and will bring more bad things than good.

It’s a good practice to manually check for updates weekly so you won’t overlook any incoming software updates.

Trust your Spidey Sense

Be wary of external emails with links or documents attached. Even if they say that they’re from a legitimate organisation, there’s still a chance that it carries malware waiting for you to open it and infect your computer.

Expect to see socially engineered emails asking you to open documents or go to websites you’ve never heard about. To be sure, verify every aspect of the email from the address to the company domain without clicking the embedded link or opening the attachment.

Always trust your gut if you were to fall into this situation.

If you find that the email is legitimate, but you’re still having second thoughts, contact the company (if this is an organisation you did business with before) and confirm the contents of the email.

If you have any concerns regarding Microsoft Office Zero-Day "Follina" or you suspect that someone in your company has opened an infected attachment, we can help! Reach out to us ASAP and we can begin troubleshooting. 

IT-Health-Check-Report-669369-optimized-min (1)

Find cyber risks before they find you

Don’t let yourself be a part of the statistic. Take action now and protect your data by booking a complimentary IT Health and Security Check.