MSDT Follina vulnerability

What is the Microsoft vulnerability MSDT-Follina?

A critical vulnerability in Microsoft Office was disclosed on May 30, 2022. It is known by the name "Follina" and is listed as CVE-2022-30190. What is particularly critical here is that the attack complexity is classified as low. The vulnerability can therefore also be exploited by inexperienced attackers and can lead to potentially high damage on the affected system.

General information about MSDT-Follina

The vulnerability uses the Microsoft Support Diagnostic Tool (MSDT), which is normally used to collect diagnostic data and send it to Microsoft. However, affected files load malicious code or components via the Internet and execute them on the system with the existing user rights. This allows the attacker to gain full control over the system and to access and manipulate the data available on it. Depending on whether other vulnerabilities are present, further attacks such as privilege escalation can occur.

MSDT-Follina Technical Information

The affected document contains an https URL that is downloaded. This causes JavaScript code to be executed, which in turn references a URL containing an ms-msdt link. The tool described above is called with the passed parameters and loads malicious code, which is then invoked and executed via PowerShell. It is particularly insidious that these are not macros, so classic macro protection offers no help against this attack!
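
A defender-side check for the first stage described above, as an added example that is not part of the original advisory: it lists the external relationships stored in an Office Open XML file and flags remote targets that are not ordinary hyperlinks. It assumes the https URL is stored as an external relationship in one of the package's .rels parts; the function names and the sample package are constructed for illustration.

```python
import io
import re
import zipfile
import xml.etree.ElementTree as ET

REL = "{http://schemas.openxmlformats.org/package/2006/relationships}Relationship"
REMOTE = re.compile(r"^https?://", re.IGNORECASE)
MAX_PART = 1 << 20  # refuse relationship parts over 1 MiB (zip-bomb guard)

def external_targets(doc_bytes):
    """Return (part, type, target) for each external relationship in an OOXML file."""
    found = []
    with zipfile.ZipFile(io.BytesIO(doc_bytes)) as pkg:
        for info in pkg.infolist():
            if not info.filename.endswith(".rels"):
                continue
            data = pkg.read(info) if info.file_size <= MAX_PART else b""
            try:
                # Untrusted XML: never hand a part carrying a DTD to the parser.
                if b"<!DOCTYPE" in data:
                    raise ET.ParseError("DTD refused")
                root = ET.fromstring(data)  # empty (oversized) data also fails here
            except ET.ParseError:
                found.append((info.filename, "unparsed", ""))
                continue
            for rel in root.iter(REL):
                if rel.get("TargetMode", "").lower() == "external":
                    kind = rel.get("Type", "").rsplit("/", 1)[-1]
                    found.append((info.filename, kind, rel.get("Target", "")))
    return found

def suspicious_targets(doc_bytes):
    """Heuristic: remote targets that are not plain hyperlinks, plus unparsed parts."""
    return [t for t in external_targets(doc_bytes)
            if t[1] == "unparsed"
            or (REMOTE.match(t[2]) and t[1].lower() != "hyperlink")]

def constructed_sample(target, kind):
    """Build a minimal, constructed package holding one external relationship."""
    rels = ('<Relationships xmlns="http://schemas.openxmlformats.org/package/2006/'
            'relationships"><Relationship Id="rId1" Type="http://schemas.openxmlformats'
            f'.org/officeDocument/2006/relationships/{kind}" Target="{target}" '
            'TargetMode="External"/></Relationships>')
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as pkg:
        pkg.writestr("word/_rels/document.xml.rels", rels)
    return buf.getvalue()
```

A hit is a reason to quarantine and inspect the file, not proof of compromise: legitimate documents can also link to remote templates or objects.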


Until a patch is available, the following workaround is recommended.

The MSDT URL protocol used in the attack should be disabled so that the links used can no longer be called and executed automatically.

1. Open the command line as administrator.

2. Create a backup of the registry key HKEY_CLASSES_ROOT\ms-msdt using the command:
					reg export HKEY_CLASSES_ROOT\ms-msdt filename

3. Delete the registry key by means of:
					reg delete HKEY_CLASSES_ROOT\ms-msdt /f

If the operation should be undone, the saved key can be restored with the following command:
					reg import filename

So far, there are no known negative effects on productivity, but adequate testing and trials should be conducted at this point as well.

Details can be found at the link.

Alternative solutions

Furthermore, Microsoft recommends that users of "Microsoft Defender for Endpoint Security" enable the rule "BlockOfficeCreateProcessRule", which prevents the creation of subprocesses by Office applications.

In addition, Microsoft Defender build 1.367.719.0 or newer detects such attacks via its signature files.

Further steps

In addition, all employees can be informed and sensitized to be particularly vigilant when receiving Office files. The sender should be verified, and the content of the file should be expected and known. If ways of sensitizing and informing employees are already established, this information should be distributed accordingly.

As soon as further information from Microsoft is available, especially regarding patches or updates, we will inform you accordingly or post it on this website. The vulnerability has only recently become known, so further attack scenarios may develop and further measures may become necessary. Affected parties should therefore monitor further developments. In case of changes, we will inform you on our website and continuously adapt the information in this advisory.
