On May 27, 2022, an interesting Microsoft Word document that had been uploaded to VirusTotal was flagged by nao_sec, an independent security research team. The document contains no macros; instead it pulls an HTML file from a remote source, and that HTML file in turn executes more (malicious) code. At the time, Microsoft Defender for Endpoint did not detect it.
Two days later, on May 29, Kevin Beaumont published an article describing the behavior of this document, named the technique "Follina," and deemed it a new 0-day vulnerability in Office/Windows products.
What Causes the Follina Vulnerability?
At a high level, the document uses Word's remote template feature to retrieve an HTML file, and that file uses the ms-msdt: URI scheme, which is handled by the Microsoft Support Diagnostic Tool (msdt.exe), to pass attacker-controlled troubleshooter parameters that end up executing PowerShell. In simpler terms, MSDT is abused as a backdoor into the target machine to do whatever the attacker chooses. This is done WITHOUT macros, the typical method of delivering malicious payloads via Office documents and the scenario most defenders plan for when they think about malicious Microsoft documents. Note also that if the document is saved as RTF, the code runs when the file is merely previewed in Explorer, without opening it and without the Protected View prompt.
Samples of Follina-exploit documents were seen as far back as April 2022 and were reported to Microsoft, which initially dismissed the report. It turns out that all versions of Office are affected.
Again, the crux of this issue is that MSDT is a trusted, signed Windows component that Office will hand a URL to, and its parameters can carry arbitrary commands, which lets an attacker run anything they want from a malicious Office document. At the time of writing there is no patch, and there was initially no out-of-the-box detection within Microsoft Defender. Microsoft's published workaround is to disable the MSDT URL protocol by deleting the HKEY_CLASSES_ROOT\ms-msdt registry key (after exporting a backup of it).
How Does Logz.io Cloud SIEM Detect Follina?
Logz.io has pushed a detection for exploitation attempts of this vulnerability to all customer SIEM accounts:
Rule name: CVE-2022-30190 – Potential Follina Exploitation
This rule depends on DeviceProcessEvents logged by Microsoft Defender for Endpoint. Those records carry the process-creation detail (child image, full command line, parent process) needed for the granular monitoring required to detect this chain.
Sysmon is a solid (free) alternative for picking up process-level logging, but it is very voluminous. As additional research is conducted, it may become clear that msdt.exe is reachable from products and tools outside the scope of Office. It has already been shown that wget in PowerShell (an alias for Invoke-WebRequest) can trigger this vulnerability against a hosted Follina HTML page without any Office products installed, so a detection should key on the msdt.exe command line itself rather than only on an Office parent process.
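The detection logic described above, run over a few constructed process-creation records, as an added example that is not the Logz.io rule or any of its code. The field names (FileName, ProcessCommandLine, InitiatingProcessFileName, DeviceName) follow the Defender for Endpoint DeviceProcessEvents schema; the rule string, the severity scheme, the indicator patterns, and the sample records (including the assumed powershell.exe parent for the non-Office delivery path) are assumptions made for this example. It goes slightly beyond the text by still alerting, at lower confidence, when the parent is not an Office binary.

```python
import json
import re
from typing import List, Optional

# Example detection for CVE-2022-30190 over process-creation records.
# Field names mirror Defender for Endpoint DeviceProcessEvents; the rule
# name, severities, patterns and sample data below are assumptions for this
# example, not the vendor's rule.
RULE_NAME = "CVE-2022-30190 - Potential Follina Exploitation"

# Office binaries whose spawning of msdt.exe is the classic Follina chain.
OFFICE_PARENTS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe", "msaccess.exe"}

# Indicators that msdt.exe was started through the ms-msdt: URI handler with
# attacker-controlled troubleshooter parameters. They are checked against the
# child's full command line, independent of which parent launched it.
MSDT_INDICATORS = {
    "ms-msdt-uri": re.compile(r"ms-msdt:", re.IGNORECASE),
    "browse-for-file-param": re.compile(r"IT_(Re)?BrowseForFile=", re.IGNORECASE),
    "inline-powershell": re.compile(r"\$\(\s*Invoke-Expression", re.IGNORECASE),
}


def evaluate(event: dict) -> Optional[dict]:
    """Return an alert for one process event, or None if it does not match."""
    child = event.get("FileName", "").lower()
    parent = event.get("InitiatingProcessFileName", "").lower()
    cmdline = event.get("ProcessCommandLine", "")

    if child != "msdt.exe":
        return None
    hits = [name for name, pattern in MSDT_INDICATORS.items() if pattern.search(cmdline)]
    if not hits:
        return None  # e.g. a troubleshooter opened from Control Panel, no URI handler involved

    # An Office parent is the documented delivery path, but the PowerShell
    # wget case shows the parent can be something else, so a non-Office
    # parent lowers confidence instead of suppressing the alert.
    severity = "high" if parent in OFFICE_PARENTS else "medium"
    return {
        "rule": RULE_NAME,
        "severity": severity,
        "device": event.get("DeviceName"),
        "parent": parent,
        "indicators": hits,
    }


def scan(jsonl: str) -> List[dict]:
    """Run evaluate() over newline-delimited JSON events, skipping unparsable lines."""
    alerts = []
    for line in jsonl.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            event = json.loads(line)
        except json.JSONDecodeError:
            continue  # malformed shipper output should not abort the scan
        alert = evaluate(event)
        if alert:
            alerts.append(alert)
    return alerts


# Constructed sample records (not real telemetry). The first command line
# mirrors the shape of the public Follina sample with the payload replaced by
# a placeholder string.
SAMPLE_EVENTS = [
    {   # Word opens the malicious document and spawns msdt via ms-msdt:
        "DeviceName": "ws01",
        "InitiatingProcessFileName": "WINWORD.EXE",
        "FileName": "msdt.exe",
        "ProcessCommandLine": (
            '"C:\\Windows\\System32\\msdt.exe" ms-msdt:/id PCWDiagnostic /skip force '
            '/param "IT_RebrowseForFile=? IT_BrowseForFile=h$(Invoke-Expression('
            "'PLACEHOLDER'))i/../../../Windows/System32/mpsigstub.exe IT_AutoTroubleshoot=ts_AUTO\""
        ),
    },
    {   # Assumed non-Office delivery (PowerShell wget / Invoke-WebRequest)
        "DeviceName": "ws02",
        "InitiatingProcessFileName": "powershell.exe",
        "FileName": "msdt.exe",
        "ProcessCommandLine": (
            '"C:\\Windows\\System32\\msdt.exe" ms-msdt:/id PCWDiagnostic /skip force '
            '/param "IT_BrowseForFile=h$(calc)i IT_AutoTroubleshoot=ts_AUTO"'
        ),
    },
    {   # Benign: a user launching a troubleshooter from Control Panel
        "DeviceName": "ws03",
        "InitiatingProcessFileName": "explorer.exe",
        "FileName": "msdt.exe",
        "ProcessCommandLine": '"C:\\Windows\\System32\\msdt.exe" -id NetworkDiagnosticsWeb',
    },
    {   # Benign: Word spawning the print helper, not msdt at all
        "DeviceName": "ws01",
        "InitiatingProcessFileName": "WINWORD.EXE",
        "FileName": "splwow64.exe",
        "ProcessCommandLine": "C:\\Windows\\splwow64.exe 12288",
    },
]

# One malformed line is included to exercise the skip path in scan().
SAMPLE_JSONL = "\n".join(json.dumps(e) for e in SAMPLE_EVENTS) + "\nnot json at all\n"

if __name__ == "__main__":
    for alert in scan(SAMPLE_JSONL):
        print(json.dumps(alert))
```

The benign Control Panel launch passes because none of the URI-handler indicators appear on its command line; in a real deployment the indicator list is the tuning point, since any legitimate ms-msdt: link in your environment will surface here at medium severity until it is filtered.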
Optimizing the volume of Sysmon or Defender can be accomplished via collaboration with Logz.io’s customer success and security teams, or independently using Logz.io’s drop-filter feature.
Be aware that this vulnerability may be leveraged by attackers for years to come, and be on the lookout for a patch in the coming days or weeks (fingers crossed).
Logz.io customers can enable Cloud-based SIEM today to take advantage of our detection capabilities against this vulnerability. Learn more here.