BlackBerry ThreatVector Blog

Follina Zero-Day Weaponizes Microsoft Help Tool

Updated June 16, 2022: On Tuesday June 14, 2022, Microsoft issued an update to address the CVE-2022-30190 vulnerability. BlackBerry Threat Research & Intelligence recommends installing the appropriate update to address this as soon as possible.

A new zero-day attack goes after Windows® users in an extremely dangerous way.

Someone receiving a malicious file, such as a Microsoft® Word document, can unknowingly advance the attack by simply hovering over and previewing it.

Microsoft is warning organizations to disable certain functionalities until a patch is complete. Let’s look at some key details relating to the exploit.

Office Zero-Day Targets Diagnostic Tool

The attack, dubbed "Follina," targets the Microsoft Windows Diagnostic Tool (MSDT), a utility that helps solve problems for end users. For example, if a user is having trouble connecting to the Internet, they can run this tool to find an automatic fix.

Security researchers at Huntress verified the new zero-day exploit, which takes advantage of the diagnostic tool by using a malicious Microsoft Word document. The malicious file does not need to have macros, so it won’t trigger expected security warnings. If the malicious file is in RTF format, the code will run via the Preview Tab in Explorer without the file even being opened: when someone clicks on it, or pre-loads the file via a preview hover, the payload is activated through MSDT.

Microsoft, which is tracking updates under CVE-2022-30190, says the consequences of this attack can be significant:

“An attacker who successfully exploits this vulnerability can run arbitrary code with the privileges of the calling application. The attacker can then install programs, view, change, or delete data, or create new accounts in the context allowed by the user’s rights.”

This type of activity can set the stage for lateral movement across the organization, a key tactic used in cyberattacks such as ransomware.

Mitigating the MSDT Zero-Day

Customers of CylanceOPTICS® can detect the attack pattern on protected systems by downloading a rule from the knowledge base, using the following link: https://support.blackberry.com/community/s/article/98859.

To enable the rule, follow these steps:

  1. Navigate your browser to https://protect.cylance.com/Optics#/settings/detectRules (product license required)
  2. Click Import Rule
  3. Click Browse for a file or drag and drop the .json file to the window
  4. Click Import
  5. Click Validate
  6. Click Publish
  7. Assign it to a ruleset for your devices, following the steps listed here.

Meanwhile, Microsoft says disabling the MS Diagnostics Utility is the current workaround and risk mitigation strategy. Here is how to do it:

  1. Run Command Prompt as Administrator
  2. To back up the registry key, execute the command “reg export HKEY_CLASSES_ROOT\ms-msdt filename”
  3. Execute the command “reg delete HKEY_CLASSES_ROOT\ms-msdt /f”

Also, you might want to bookmark this blog page, so you can reference the directions below to undo the workaround when Microsoft issues a patch.

To re-enable the MSDT after patching:

  1. Run Command Prompt as Administrator
  2. To restore the registry key, execute the command “reg import filename”, where “filename” is the file path to the reg file you want to import.
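The disable and re-enable steps above, combined into one PowerShell script with the checks worth having around a registry deletion: confirm elevation, never overwrite an earlier backup, and delete only after the export is verified. This is an added example, not code from the original post or from Microsoft; the action names and the default `$BackupPath` are assumptions.

```powershell
# Added example: the ms-msdt workaround as one script, with safety checks.
# Action names and the default $BackupPath are assumptions, not Microsoft's.
param(
    [ValidateSet('Status', 'Disable', 'Restore')]
    [string]$Action = 'Status',
    [string]$BackupPath = "$env:ProgramData\ms-msdt-backup.reg"
)

$RegKey = 'HKEY_CLASSES_ROOT\ms-msdt'   # key named in the steps above
$PsKey  = "Registry::$RegKey"           # provider path usable with Test-Path

function Assert-Elevated {
    $id = [Security.Principal.WindowsIdentity]::GetCurrent()
    $principal = New-Object Security.Principal.WindowsPrincipal($id)
    $admin = [Security.Principal.WindowsBuiltInRole]::Administrator
    if (-not $principal.IsInRole($admin)) {
        throw 'Run this from an elevated (Administrator) session.'
    }
}

switch ($Action) {
    'Status' {
        # Report state only; safe to run unelevated across a fleet.
        [pscustomobject]@{
            HandlerPresent = Test-Path $PsKey
            BackupPresent  = Test-Path $BackupPath
        }
    }
    'Disable' {
        Assert-Elevated
        if (-not (Test-Path $PsKey)) { 'Handler already absent.'; break }
        # A second run must not replace the only good backup.
        if (Test-Path $BackupPath) { throw "Backup exists: $BackupPath" }
        & reg.exe export $RegKey $BackupPath | Out-Null
        $ok = $LASTEXITCODE -eq 0 -and (Test-Path $BackupPath) -and
              (Get-Item $BackupPath).Length -gt 0
        if (-not $ok) { throw 'Export failed; key left in place.' }
        & reg.exe delete $RegKey /f | Out-Null
        if (Test-Path $PsKey) { throw 'Delete failed; handler still present.' }
        "Handler removed; backup at $BackupPath"
    }
    'Restore' {
        Assert-Elevated
        if (-not (Test-Path $BackupPath)) { throw "No backup: $BackupPath" }
        & reg.exe import $BackupPath
        if (-not (Test-Path $PsKey)) { throw 'Import did not restore the key.' }
        'Handler restored.'
    }
}
```

Run it with `-Action Disable` to apply the workaround and `-Action Restore` after patching; the default `Status` action only reports whether the handler and the backup file are present.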

An alternative mitigation for enterprise environments leverages Group Policy to disable Troubleshooting Wizards. Reported by Benjamin Delpy (author and maintainer of mimikatz), setting the following GPO entry will prevent the zero-day from launching:

  • Computer Configuration -> Administrative Templates -> System -> Troubleshooting and Diagnostics -> Scripted Diagnostics: 
  • Set “Troubleshooting: Allow users to access and run Troubleshooting Wizards” to “disabled”

MSDT Zero-Day Several Weeks Old

Microsoft credits a security researcher known as “crazyman” for discovering the vulnerability several weeks ago, but at the time, Microsoft said it was not a threat. However, a bachelor’s thesis from a student at Brunswick Technical University published in August 2020 indicated malicious code execution was possible using the same URL scheme handler.

After seeing examples of the exploit in the wild at the end of May 2022, Microsoft changed course and issued workaround guidance.

Ismael Valenzuela, BlackBerry Vice President of Threat Research, offers some key context on what this type of zero-day means for organizations of all sizes.

“Any type of vulnerability, or simply a built-in software feature, that allows Office documents to download and execute malware onto victims' systems is an attacker's favorite,” Valenzuela says. “Historically, we have seen attackers weaponizing them as part of large campaigns very quickly, and this is no exception.”

Several ready-to-use tools leverage this attack to create exploits, according to Valenzuela, and many samples are already widely available. This is likely to create long-term cyber risk.

“This vulnerability also bypasses the security restrictions provided by Microsoft, even when macros are disabled, executing the malware without any visible warning to the user,” he says. “Even when Microsoft issues a patch, the fact that many organizations struggle to patch their Office software, sometimes for years, adds to the severity of the problem, since threat actors can use these initial entry vectors for a long time.”

That makes this a crucial time to notify your end users about the risk of unexpected emails and Office documents hitting their inboxes. Vigilance is the first line of defense, and users should be made aware that even opening a suspicious email potentially puts the organization at risk now, since the simple act of hovering over a malicious document could be enough to trigger an attack.

Bruce Sussman

About Bruce Sussman

Bruce Sussman is Senior Managing Editor at BlackBerry.