Zero Day Vulnerability identified in Office Products

A vulnerability in Microsoft Office products, called “Follina”, bypasses many of the built-in security protections.

This vulnerability leverages the Microsoft Diagnostic tool to execute code on an affected machine, and can bypass the usual protections in place to prevent it. The user doesn’t even need to be an administrator! More detail can be found here: https://www.theregister.com/2022/05/30/follina_microsoft_office_vulnerability/

The chain of events leading to this is as follows:

  • User receives a loaded email with the bogus document
  • The document contains a call which initiates the Microsoft Diagnostic tool when opened
  • The diagnostic tool spawns a child process which can then execute the code on a user’s machine (usually a PowerShell script)
  • This will execute even with macros disabled!
  • While the code is run under the user account that opened the document, this opens up another attack path for a malicious actor to elevate privilege.
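The chain above leaves a recognisable parent/child process trail that a defender can hunt for in process-creation logs. The following is an added example, not code from the original post: it assumes the diagnostic tool runs as msdt.exe, and the event fields, host names and rule names are constructed for illustration.

```python
import ntpath

# Assumptions: the diagnostic tool runs as msdt.exe; these Office hosts are watched.
OFFICE_IMAGES = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
DIAG_IMAGE = "msdt.exe"

# Constructed process-creation events (simplified fields), not real telemetry.
SAMPLE_EVENTS = [
    {"host": "WS-014", "user": "CORP\\alice",
     "parent": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "image": r"C:\Windows\System32\msdt.exe"},
    {"host": "WS-014", "user": "CORP\\alice",
     "parent": r"C:\Windows\System32\msdt.exe",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"},
    {"host": "WS-020", "user": "CORP\\bob",
     "parent": r"C:\Windows\explorer.exe",
     "image": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE"},
    {"host": "WS-031", "user": "CORP\\carol",
     "parent": r"C:\Windows\explorer.exe",
     "image": r"C:\Windows\System32\msdt.exe"},
]


def image_name(path):
    """Lower-cased file name of a Windows path, whatever OS this runs on."""
    return ntpath.basename(path).lower()


def classify(event):
    """Name the stage of the chain this event matches, or None."""
    parent, child = image_name(event["parent"]), image_name(event["image"])
    if parent in OFFICE_IMAGES and child == DIAG_IMAGE:
        return "office-launched-diagnostic-tool"
    if parent == DIAG_IMAGE:
        return "diagnostic-tool-child-process"
    return None


def detect(events):
    """Return (alerts, hosts on which both stages were seen)."""
    alerts, stages = [], {}
    for event in events:
        rule = classify(event)
        if rule:
            alerts.append({"rule": rule, "host": event["host"],
                           "user": event["user"], "image": image_name(event["image"])})
            stages.setdefault(event["host"], set()).add(rule)
    return alerts, sorted(h for h, seen in stages.items() if len(seen) == 2)


if __name__ == "__main__":
    for alert in detect(SAMPLE_EVENTS)[0]:
        print(alert)
```

A host that shows both stages is the priority for triage; the diagnostic tool started from the desktop shell, as on WS-031, is not flagged.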

This is a pretty nasty vulnerability that couldn’t necessarily be prevented by general security hygiene. However, your organisation’s response to this can make all the difference when it comes to your exposure.

If you want to see how Henocon can help with your cybersecurity incident readiness, you can reach out to us here