New MS Office zero day evades Defender

'Follina exploit' loads malware from remote servers

Malware writers are exploiting a vulnerability in Microsoft Office that enables them to fetch malicious code without detection in a multi-stage attack, security researchers have found.

The exploit, which researcher Kevin Beaumont named Follina, abuses the remote template feature in Microsoft Word.

Japanese security vendor Nao Sec first reported the zero day, which it said was submitted from Belarus.

Nao Sec spotted that the zero day exploit embedded in a Word document first loads a hypertext markup language (HTML) file from a remote webserver.

It then uses the MSDT diagnostics tool handler, which is registered for the MS Office protocol, to execute Windows PowerShell code.

Beaumont said that the exploit works even with Office macros, traditionally used to run malware, disabled.

Microsoft's Defender for Endpoint does not currently detect Follina, and Beaumont was able to confirm that the exploit works on the older Office 2013 and 2016 variants.

Another researcher, Didier Stevens, managed to get the Follina MSDT exploit working on a fully patched version of Office 2021.

Beaumont said he was unable to get the exploit working with Current and Insider preview versions of Office.

He said this indicated that Microsoft had either fixed the vulnerability around May this year, or that he was "too much of an idiot" to exploit the vulnerability on the newest Office versions.

Users with an Office E5 licence can add a Defender for Endpoint query to alert about the exploit, which currently passes the anti-malware tool undetected.
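As an added example, not code from the article or from Beaumont, this is an advanced hunting query of the kind the passage refers to, written in the KQL that Defender for Endpoint's hunting interface accepts. It assumes the chain described above (a Word document invoking MSDT) and filters on Office process names and the ms-msdt: URI scheme, which are my assumptions rather than details the article states:

```kql
// Hunt for msdt.exe launched by an Office application (Follina-style chain).
// Assumptions: the parent is one of the listed Office binaries, or the
// command line carries the ms-msdt: scheme; tune the list to your estate.
DeviceProcessEvents
| where Timestamp > ago(7d)
| where FileName =~ "msdt.exe"
| where InitiatingProcessFileName in~ ("winword.exe", "excel.exe",
                                        "powerpnt.exe", "outlook.exe")
     or ProcessCommandLine has "ms-msdt:"
| project Timestamp, DeviceName, AccountName,
          InitiatingProcessFileName, InitiatingProcessCommandLine,
          ProcessCommandLine
| order by Timestamp desc
```

Saving the query as a custom detection rule turns it into an alert rather than an ad hoc hunt.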

Earlier this year, security vendor SySS documented how handlers for the MS Office protocol could be abused to open files directly, via specially crafted uniform resource locator (URL) links.

A standard installation of MS Office installs 86 such handlers, Matthias Zöllner of SySS discovered, opening up possible abuse scenarios in which, for example, attackers need not attach malicious documents to phishing emails at all.

