June 27, 2022

TheCyberThrone

Thinking Security! Always

Follina ZeroDay evades Microsoft Defender

Hackers are exploiting a vulnerability in Microsoft Office that enables them to fetch malicious code without detection in a multi-stage attack.

The exploit, dubbed Follina, abuses the remote template feature in Microsoft Word. Researchers spotted that the zero-day exploit embedded in a Word document first loads an HTML file from a remote web server.


It then uses the MSDT diagnostics tool handler, which is registered for the MS Office protocol, to execute Windows PowerShell code. The exploit works even with Office macros, traditionally used to run malware, disabled.
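A defender-side triage check for the delivery stage described above, added here as an example and not part of the original post: it opens a .docx package and flags any remote-template or OLE relationship whose target is an external http(s) URL, which is the hook Follina used to pull the HTML. The sample document it builds is constructed in memory and contains no payload; the URL and file names are placeholders.

```python
import io
import zipfile
import xml.etree.ElementTree as ET
from urllib.parse import urlparse

RELS_NS = "http://schemas.openxmlformats.org/package/2006/relationships"
# Relationship types whose external targets Word fetches when the document opens;
# the remote-template path is the one Follina abused.
SUSPECT_TYPES = ("/attachedTemplate", "/oleObject", "/frame")


def external_targets(docx_bytes: bytes) -> list[tuple[str, str]]:
    """Return (relationship type, target URL) pairs for every relationship in the
    package that points outside the archive at an http(s) URL."""
    found = []
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as z:
        for name in z.namelist():
            if not name.endswith(".rels"):
                continue
            root = ET.fromstring(z.read(name))
            for rel in root.iter(f"{{{RELS_NS}}}Relationship"):
                if rel.get("TargetMode") != "External":
                    continue
                target = rel.get("Target", "")
                if urlparse(target).scheme in ("http", "https"):
                    found.append((rel.get("Type", ""), target))
    return found


def is_suspicious(docx_bytes: bytes) -> bool:
    """True when a remote-template/OLE relationship fetches an http(s) resource,
    i.e. the document matches the delivery pattern described for Follina."""
    return any(t.endswith(SUSPECT_TYPES) for t, _ in external_targets(docx_bytes))


def build_sample(target: str) -> bytes:
    """Constructed minimal .docx (not a real exploit): a stub document.xml plus a
    settings.xml.rels carrying one external attachedTemplate relationship."""
    rels = (
        '<?xml version="1.0" encoding="UTF-8"?>'
        f'<Relationships xmlns="{RELS_NS}">'
        '<Relationship Id="rId1" Type="http://schemas.openxmlformats.org/'
        'officeDocument/2006/relationships/attachedTemplate" '
        f'Target="{target}" TargetMode="External"/></Relationships>'
    )
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("word/document.xml", "<w:document/>")
        z.writestr("word/_rels/settings.xml.rels", rels)
    return buf.getvalue()
```

Run it over a mail-gateway or sandbox drop folder; a hit means the document will reach out for a template on open, which is worth inspecting before the file is delivered.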

Microsoft’s Defender for Endpoint does not currently detect Follina, and the exploit works on the older Office 2013 and 2016 variants.

Another researcher, Didier Stevens, found the Follina MSDT exploit working on a fully patched version of Office 2021.

Users with an Office E5 licence can add a Defender for Endpoint query to alert about the exploit, which currently passes the anti-malware tool undetected.


This zero-day exploit was discovered by Japanese security vendor Nao Sec and had been submitted from Belarus.
