Follina Vulnerability Detection: New Microsoft Office Zero-Day Exploited in the Wild

Cybersecurity researchers turn the spotlight on a novel zero-day vulnerability in Microsoft Office seen in the wild. On May, 27, Follina zero-day flaw was first documented and reported to have been submitted from Belarus. According to the research, the newly discovered Microsoft Office zero-day vulnerability can lead to arbitrary code execution on compromised Windows devices. 

Detect Follina Vulnerability Exploitation Attempts

To enable cybersecurity practitioners to detect Follina zero-day exploitation attempts, SOC Prime Team has released a set of dedicated Sigma rules available in the Detection as Code platform and tagged accordingly. To access this rule kit, make sure to log into SOC Prime’s platform with your existing credentials or create an account:

Sigma rules to detect attempts to exploit Follina Microsoft Office zero-day vulnerability

All detections are compatible with multiple security solutions supported by SOC Prime’s platform and are aligned with the MITRE ATT&CK® framework for enhanced threat visibility addressing the Defense Evasion tactic with the Template Injection (T1221) as its primary technique. 

Teams can also take advantage of another Sigma rule that can additionally help identify the traces of this latest cyber-attack related to the Follina vulnerability exploit:

LOLBAS msdt (via cmdline)

The above-mentioned Sigma rule can be used across 23 SIEM, EDR, and XDR solutions and addresses the Signed Binary Proxy Execution (T1218) technique from the Defense Evasion tactic arsenal based on the MITRE ATT&CK framework.

Click the View Detections button to reach the comprehensive collection of detection algorithms enabling teams to continuously keep abreast of emerging threats. Cybersecurity researchers and Threat Hunters looking for new ways to boost their professional skills while contributing to the collaborative expertise are welcome to join the ranks of our Threat Bounty Program. By joining this crowdsourcing initiative, cybersecurity professionals gain an opportunity to monetize their detection content while contributing to a future-proof cyber defense.

View Detections Join Threat Bounty

Follina Vulnerability Analysis

Hard on the heels of the critical RCE vulnerability in Microsoft SharePoint Server tracked as CVE-2022-29108, another flaw compromising Microsoft’s products comes to the spotlight. The novel Microsoft Office zero-day vulnerability dubbed Follina emerges in the cyber threat arena when the Japanese cybersecurity research team nao_sec spotted a malicious Word file uploaded to VirusTotal from the Belarusian IP address. This Word document triggers an infection chain by loading an HTML file from a remote template and further on leads to running the malicious PowerShell code to infect the system. 

What aggravates the problem is that Microsoft Word runs the malicious code via Microsoft Support Diagnostics Tool even with the disabled macros. What’s more, Microsoft Defender for Endpoint hasn’t been able to detect the flaw according to the research by Kevin Beaumont who gave a name to this new Microsoft Office code execution vulnerability. The bug affects a number of Office versions, such as 2013 and 2016, including the patched 2021 version with other ones being potentially compromised. To promptly respond to a threat, cyber defenders are releasing Follina vulnerability POC code samples that help identify exposure and are already publicly available, for instance on GitHub.

Since the vulnerability is unpatched and exploited in the wild, immediate action from the security vendors is needed. As one of the recommended Follina vulnerability mitigation measures, Office users are recommended to apply the MS Protocol URI schemes in Outlook emails.

Progressive security leaders are constantly looking for future-proof and cost-efficient solutions to accelerate cyber defense capabilities and increase the organization’s cybersecurity posture. Leveraging SOC Prime’s Detection as Code platform helps teams extract more value from their SIEM and XDR investments and significantly increases cybersecurity effectiveness.