
When a Word Document Becomes a Weapon: Inside the Follina Vulnerability


In recent years, the Follina vulnerability has made headlines for its simplicity and effectiveness in compromising systems. Let's break it down in a way that's easy to understand, even for those without a technical background.



What is Follina?


Follina is a vulnerability in the Microsoft Support Diagnostic Tool (MSDT) that can be exploited through Microsoft Office documents. Attackers craft a malicious Word file containing a link to a remote server. When the file is opened, even in "protected view," it can execute commands on your computer, including PowerShell scripts that install malware or steal sensitive data.


Think of it like this: Opening the malicious document is like giving a stranger the keys to your house, with them unlocking doors you didn't even know existed.


NIST assigned Follina the Common Vulnerabilities and Exposures (CVE) identifier CVE-2022-30190.



How Does It Work?


The Follina vulnerability leverages the MSDT utility in a particularly devious way. Here's a step-by-step breakdown of how it works:

  1. Malicious Link in Document: The attacker embeds a malicious link within the document, often disguised as a legitimate-looking URL. This link isn’t visible to the victim but is stored in the document’s properties or macros.

  2. Exploitation through MSDT Protocol: The document uses the ms-msdt protocol to call the MSDT tool when the victim opens or previews the file. This protocol is designed to troubleshoot issues in Windows but can also execute commands.

  3. Code Execution via Macros: In some cases, the malicious link or code is embedded in macros, which are small scripts used to automate tasks in Office documents. The exploit does not depend on macros being enabled, however, so disabling macros does not stop it, which makes it more dangerous.

  4. Communication with Command-and-Control (C2) Servers: Once the malicious document is opened, it triggers a connection to a remote server controlled by the attacker. This C2 server sends additional commands or payloads to the victim’s machine, enabling the attacker to:

    • Download malware.

    • Execute commands remotely.

    • Steal sensitive information.

  5. Execution without User Interaction: The exploitation often happens silently. For example, just previewing the document in Windows Explorer can activate the malicious link, making it nearly effortless for hackers to execute their attack.


This combination of simplicity and effectiveness makes Follina one of the more troubling vulnerabilities in recent memory.
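To make steps 1 and 2 concrete from the defender's side, here is an added Python example (not code from the original post) that scans a .docx for the two traits such documents carry: an OLE object relationship whose target is external, and the ms-msdt: URL scheme. The sample document it builds and the attacker.invalid host are constructed placeholders, not a real exploit file.

```python
import io
import re
import zipfile
import xml.etree.ElementTree as ET

# OOXML relationship namespace and the relationship type used for OLE objects.
REL_NS = "http://schemas.openxmlformats.org/package/2006/relationships"
OLE_TYPE = "http://schemas.openxmlformats.org/officeDocument/2006/relationships/oleObject"


def scan_docx(data: bytes) -> list:
    """Scan the bytes of a .docx and return a list of findings (empty = clean).

    A .docx is a zip of XML parts. Two heuristics run over every part:
      1. a .rels file declaring an oleObject relationship with
         TargetMode="External" (object fetched from a server, not embedded);
      2. the 'ms-msdt:' URL scheme appearing anywhere in the package.
    """
    findings = []
    with zipfile.ZipFile(io.BytesIO(data)) as z:
        for name in z.namelist():
            part = z.read(name)
            if name.endswith(".rels"):
                for rel in ET.fromstring(part).iter(f"{{{REL_NS}}}Relationship"):
                    if rel.get("Type") == OLE_TYPE and rel.get("TargetMode") == "External":
                        findings.append(f"{name}: external OLE object -> {rel.get('Target')}")
            if re.search(rb"ms-msdt:", part, re.IGNORECASE):
                findings.append(f"{name}: references the ms-msdt: protocol")
    return findings


def build_sample(external_target=None, body_text="Quarterly invoice"):
    """Construct a minimal in-memory .docx (sample data, not a real exploit file).

    external_target=None embeds the OLE object (benign); a URL marks it external.
    """
    if external_target is None:
        rel = f'<Relationship Id="rId5" Type="{OLE_TYPE}" Target="embeddings/oleObject1.bin"/>'
    else:
        rel = f'<Relationship Id="rId5" Type="{OLE_TYPE}" Target="{external_target}" TargetMode="External"/>'
    rels = f'<Relationships xmlns="{REL_NS}">{rel}</Relationships>'
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("word/document.xml", f"<document>{body_text}</document>")
        z.writestr("word/_rels/document.xml.rels", rels)
    return buf.getvalue()


if __name__ == "__main__":
    # attacker.invalid is a constructed placeholder host.
    for sample in (build_sample(), build_sample("http://attacker.invalid/page.html")):
        print(scan_docx(sample) or ["clean"])
```

The same scan_docx function works on a real file via scan_docx(open(path, "rb").read()); an external OLE target in a document that arrived by e-mail is worth quarantining regardless of whether the ms-msdt: string is present.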



Who’s at Risk?


Anyone using a Windows computer with Microsoft Office installed could be a target. While security-savvy users might not open suspicious attachments, hackers often disguise these files as invoices, job offers, or even holiday discounts, things that seem innocent and trustworthy.



Real-World Impact


The vulnerability has been actively exploited in phishing campaigns. Hackers have targeted individuals and organizations alike, including government agencies. For example:

  • Corporate Espionage: Malicious actors used this vulnerability to steal sensitive information from companies by tricking employees into opening disguised business documents.

  • Government Attacks: It has been reported in attacks targeting government agencies, where hackers posed as vendors or officials to deliver the malicious documents.

  • Personal Hacks: Everyday users were lured into opening fake invoices or forms, leading to data theft or ransomware installation.


Even though Microsoft released patches for this issue, many systems remain vulnerable due to outdated software or lack of awareness.



How It Still Affects Users Today


While the specific exploit has been patched, the broader methodology behind Follina is a reminder of how attackers adapt. Similar vulnerabilities can emerge due to:

  • Human Error: Not applying updates in time.

  • Zero-Day Vulnerabilities: Unknown flaws that hackers exploit before developers can fix them.

  • Social Engineering: Cybercriminals’ ability to craft convincing phishing emails continues to evolve.


For instance, attackers may use similar document-based vulnerabilities that exploit other features in Office tools or system utilities.



Protecting Yourself


Here’s what you can do to stay safe:

  1. Update Your Software: Always install the latest security updates for Windows and Microsoft Office.

  2. Disable MSDT URL Protocol: This is a quick fix to stop the vulnerability from being exploited.

  3. Be Cautious with Attachments: Avoid opening documents from unknown senders, even if they seem important.

  4. Disable Preview Pane in Windows Explorer: This prevents the file from executing harmful scripts when you preview it.

  5. Use Endpoint Protection Tools: Modern endpoint protection systems often include heuristics to detect suspicious behavior.

  6. Educate Yourself: Awareness is the first line of defense. Learn to recognize phishing attempts and double-check any unexpected emails or attachments.
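For step 2, here is an added Python example (not from the original post) that checks whether the ms-msdt: protocol handler is registered on a Windows host and applies Microsoft's published workaround for CVE-2022-30190: export the HKEY_CLASSES_ROOT\ms-msdt key as a backup, then delete it. It must run from an Administrator prompt; the backup path is an assumption.

```python
import platform
import subprocess

# Registry key that maps the ms-msdt: URL scheme to the MSDT executable.
MSDT_KEY = r"HKEY_CLASSES_ROOT\ms-msdt"


def msdt_protocol_registered():
    """True if the ms-msdt: handler exists, False if it was removed, None off Windows."""
    if platform.system() != "Windows":
        return None
    import winreg  # Windows-only module, so import it lazily
    try:
        with winreg.OpenKey(winreg.HKEY_CLASSES_ROOT, "ms-msdt"):
            return True
    except FileNotFoundError:
        return False


def workaround_commands(backup_path):
    """The two reg.exe invocations from Microsoft's guidance: back up, then delete."""
    return [
        ["reg", "export", MSDT_KEY, backup_path, "/y"],
        ["reg", "delete", MSDT_KEY, "/f"],
    ]


def disable_msdt_protocol(backup_path=r"C:\msdt-backup.reg"):
    """Apply the workaround; returns True when the handler is gone afterwards."""
    for cmd in workaround_commands(backup_path):
        subprocess.run(cmd, check=True)
    return msdt_protocol_registered() is False


def restore_msdt_protocol(backup_path=r"C:\msdt-backup.reg"):
    """Undo the workaround once the patch is installed, by importing the backup."""
    subprocess.run(["reg", "import", backup_path], check=True)
    return msdt_protocol_registered() is True


if __name__ == "__main__":
    state = msdt_protocol_registered()
    print("ms-msdt handler registered:", state)
    if state:
        print("handler removed:", disable_msdt_protocol())
```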



Preparing for Future Vulnerabilities


To protect against similar vulnerabilities in the future, consider these strategies:

  • Adopt a Zero-Trust Security Model: Always verify the source of a file or request, even within your organization.

  • Regular Security Audits: Periodically review and update your security measures to adapt to emerging threats.

  • Employee Training: Educate users about phishing, social engineering, and how to recognize suspicious documents.

  • Utilize Threat Intelligence: Keep track of security advisories and reports from trusted sources like Microsoft and CISA.



Lessons Learned


The Follina vulnerability highlights the importance of cybersecurity awareness. It’s not just about having antivirus software but also about being cautious online. Simple habits like verifying email senders and avoiding unexpected attachments can make a big difference.

While Microsoft has released patches and mitigations for Follina, vulnerabilities like this remind us how creative hackers can be. Staying informed and practicing good digital hygiene are the best ways to protect yourself and your data.


For technical users, disabling MSDT entirely or using advanced threat protection systems are additional layers of defense. Cybersecurity isn't just for experts; it's for everyone.



© 2023 by newittrendzzz.com 
