CVE-2022-30190, nicknamed Follina, is a remote code execution vulnerability in the Windows Microsoft Support Diagnostic Tool (MSDT), rated CVSS v3.1 7.8 (High). It let an attacker execute arbitrary code by luring a user into opening a malicious Microsoft Office document — and, crucially, it worked without macros and without the usual "Enable Content" prompt. That combination made Follina an unusually clean phishing payload and a wake-up call about how Windows URI protocol handlers can be abused from documents.
Timeline and impact
A malicious sample was uploaded to VirusTotal and spotted by the research group nao_sec in late May 2022. Researcher Kevin Beaumont analyzed it and coined the name Follina, after the Italian town whose telephone area code (0438) appeared in the sample. Microsoft acknowledged the issue as CVE-2022-30190 on May 30, 2022, published a registry workaround, and shipped a full fix in the June 14, 2022 Patch Tuesday updates.
The impact was significant because the technique sidestepped the defenses users and defenders had been trained to rely on. Office macro warnings were irrelevant — Follina used no macros. Even Protected View offered incomplete protection, and in some configurations the payload could fire from the Explorer preview pane via an RTF file, meaning a user did not necessarily have to fully open a document. Within days of disclosure, multiple threat actors folded Follina into phishing campaigns. The lasting lesson is that the attack surface of "opening a document" is far larger than the document format itself: it includes every external template it can fetch and every OS protocol handler that content can invoke.
Technical root cause
Office documents can reference a remote HTML template. Follina abused this by having a document load attacker-controlled HTML, which in turn invoked the ms-msdt: URI scheme. That scheme is a Windows protocol handler that launches MSDT, and MSDT accepted parameters that were passed to a diagnostic that ultimately executed a command line — including PowerShell — supplied through the URI.
Conceptually, the chain looked like this:
Word doc -> fetches remote HTML template
remote HTML -> invokes ms-msdt: URI with attacker parameters
Windows -> launches MSDT (msdt.exe) with those parameters
MSDT -> executes the supplied command (e.g. PowerShell)
The defect is that a document could reach a powerful OS protocol handler and pass it a parameter that MSDT treated as executable content, all without a macro or an elevation prompt. Because the malicious logic lived in a remotely fetched HTML template rather than in the document body, static inspection of the document alone could miss it, and the ms-msdt: invocation ran under the user's context as soon as the content loaded.
The June 2022 update fixed how MSDT handles the URL protocol so that attacker-supplied parameters can no longer be turned into arbitrary command execution. Before the patch, Microsoft's interim workaround was to delete the ms-msdt URL protocol registry key so that documents could not invoke the handler at all.
How to detect if you are affected
- Identify unpatched Windows systems. Follina affected Windows systems where MSDT was present and the June 2022 (or later) fix had not been applied. Confirm the patch level across workstations and servers.
- Hunt for the invocation pattern. Look for
msdt.exebeing spawned by Office applications (winword.exe,outlook.exe) — a parent/child relationship that is almost never legitimate — and for MSDT command lines containingPCWDiagnosticor embedded PowerShell. - Inspect documents for remote templates. Office files that reference an external HTML template from an unexpected domain, and RTF files that trigger on preview, are strong signals.
Where document-processing or Windows-based services ship as container images, Safeguard's container security scanning inventories OS and component versions per layer so an unpatched build is caught in the pipeline.
Remediation and patched versions
- Apply the June 14, 2022 Windows updates (and later cumulative updates) for your builds. This is the complete fix and supersedes the interim workaround.
- If you cannot patch immediately, apply the workaround: back up and then delete the
ms-msdtURL protocol registry key so documents cannot invoke the handler. Reverse this once the patch is in place if MSDT functionality is needed. - Harden the document path. Enforce Protected View and Office macro policies, block or restrict Office applications from spawning child processes via attack-surface-reduction rules, and filter inbound documents that reference external templates.
- Verify across the fleet. Confirm the patch level everywhere; a single unpatched endpoint opening a phishing attachment is enough for initial access.
How Safeguard surfaces and helps you respond to Follina
Follina is an operating-system vulnerability, not a package in a lockfile, so the honest defense is patch velocity plus endpoint hardening — and both hinge on inventory you can trust. Safeguard's model maps onto that directly: findings enriched with CISA KEV and EPSS exploit signals so an actively phished RCE is prioritized above score-sorted noise, and continuous inventory so "which builds are still unpatched?" is a query rather than a scramble. For Windows-based workloads you ship as images, software composition analysis and container scanning resolve component versions across every layer, and the Safeguard CLI lets you gate a build in CI before a lagging image ever reaches production.
For the artifacts you build, automated fix pull requests move version bumps and rebuilds through your pipeline, and Griffin AI explains the subtlety that made Follina dangerous — that "no macros" did not mean "safe," because the real execution path ran through an OS protocol handler. If you want to see how exploit-aware prioritization stacks up against a score-only tool, our comparison of scanners covers it.
Follina proved that opening a document can reach deep into the operating system. The countermeasure is the familiar one: patch fast, harden the endpoint, and keep an inventory you can query under pressure.
Begin at app.safeguard.sh/register, and find integration guides at docs.safeguard.sh.