Follina — a Microsoft Office code execution vulnerability

Penetration techniques · 2 years ago (2022) · admin

Two days ago, Nao_sec identified an odd looking Word document in the wild, uploaded from an IP address in Belarus:

This caught my attention, as Defender for Endpoint missed execution:

The document uses the Word remote template feature to retrieve an HTML file from a remote webserver, which in turn uses the ms-msdt MSProtocol URI scheme to load some code and execute some PowerShell.

That should not be possible.

That code does this, when decoded:


There’s a lot going on here, but the first problem is that Microsoft Word executes the code via msdt (a support tool) even if macros are disabled. Protected View does kick in, although if you change the document to RTF form, it runs without even opening the document (via the preview tab in Explorer), let alone Protected View.

Most importantly, we need to name this and give it a crap logo:

The official Follina vulnerability logo, carefully made in Microsoft Paint

I’m calling it Follina because the spotted sample references 0438, which is the area code of Follina in Italy.

In English, So What

It’s a zero day allowing code execution in Office products. Historically, when there are easy ways to execute code directly from Office, people use them to do bad things. This breaks the boundary of having macros disabled. Vendor detection is poor.

Scope

I’ve tested this on various rigs and it works more often than not. For example, here is Windows 10, not local admin, with macros fully disabled, with Defender, with Office 365 Semi-Annual Channel, casually popping calc on open of a Word document:


However, with the Insider and Current versions of Office I can’t get this to work — which suggests Microsoft have either tried to harden something, or tried to fix this vulnerability without documenting it. This appears to have happened around May 2022. Another entirely possible option is I’m too much of an idiot to exploit it on those versions, and I’ve just messed something up.

The vulnerability still exists in Office 2013 and 2016 for me; other versions may also be affected.

In the real world, a lot of businesses are on older channels of Office 365 and ProPlus because of N-1 policies.

Rich still sees it working in Office Pro Plus from April, with a little video:

Didier Stevens demonstrates the exploit working on a patched version of Microsoft Office 2021:

Detection

I’ve written a Defender for Endpoint query, which you can use if you’re rich and have E5. You can save this under “Custom detection rules” if you want Defender to alert you. At this stage, Defender otherwise misses it entirely.

ThreatHunting/Follina-Office.ahq at master · GossiTheDog/ThreatHunting (github.com)

DeviceProcessEvents
| where ProcessCommandLine contains "msdt.exe"
| where InitiatingProcessFileName has_any (@"WINWORD.EXE", @"EXCEL.EXE", @"OUTLOOK.EXE")
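The same hunting logic applied outside Defender, as an added example (not from the original post or the ThreatHunting repo): it runs the two conditions of the query above over constructed process-event records, matching case-insensitively the way the KQL operators do, so the rule can be reused against any EDR export with parent-process and command-line columns.

```python
# Constructed sample of DeviceProcessEvents-style records (not real telemetry).
# Field names mirror the columns used by the KQL query.
SAMPLE_EVENTS = [
    {"InitiatingProcessFileName": "WINWORD.EXE",
     "ProcessCommandLine": r"C:\Windows\System32\msdt.exe ms-msdt:/id <constructed args>"},
    {"InitiatingProcessFileName": "winword.exe",  # lower case: KQL matching is case-insensitive
     "ProcessCommandLine": r"C:\Windows\System32\MSDT.EXE ms-msdt:/id <constructed args>"},
    {"InitiatingProcessFileName": "explorer.exe",  # user-launched troubleshooter: benign parent
     "ProcessCommandLine": r"C:\Windows\System32\msdt.exe"},
    {"InitiatingProcessFileName": "OUTLOOK.EXE",  # Office parent, but the child is not msdt
     "ProcessCommandLine": r"C:\Windows\System32\notepad.exe invoice.txt"},
]

# Parents from the has_any() list in the query, normalised to lower case.
OFFICE_PARENTS = {"winword.exe", "excel.exe", "outlook.exe"}


def is_office_spawning_msdt(event):
    """Mirror the KQL: Office parent AND command line containing msdt.exe."""
    parent = event.get("InitiatingProcessFileName", "").lower()
    cmdline = event.get("ProcessCommandLine", "").lower()
    return parent in OFFICE_PARENTS and "msdt.exe" in cmdline


def hunt(events):
    """Return (index, parent, command line) for every event the rule flags."""
    return [(i, e["InitiatingProcessFileName"], e["ProcessCommandLine"])
            for i, e in enumerate(events) if is_office_spawning_msdt(e)]


if __name__ == "__main__":
    for idx, parent, cmd in hunt(SAMPLE_EVENTS):
        print(f"event {idx}: {parent} -> {cmd}")
```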

How might this evolve?

We’ll see. Microsoft are going to need to patch it across all the different product offerings, and security vendors will need robust detection and blocking. Microsoft will probably point towards Protected View; however, Protected View also applies by default to all macros, and Office macro malware is most definitely a major problem regardless.

Additionally, you can use MS Protocol URI schemes in Outlook emails.

Detection is probably not going to be great, as Word loads the malicious code from a remote template (webserver), so nothing in the Word document is actually malicious.

Other issues

As a side note, the attack surface of MS Protocol in Office is extremely large — here’s a prior blog on it:

Abusing the MS Office protocol scheme (blog.syss.com), by SySS IT security consultant Matthias Zöllner

As an example, you can send an email with this text as a hyperlink:

ms-excel:ofv|u|https://blah.com/poc.xls

And Outlook will gladly let the user click the hyperlink and open the Excel document. You can even change the text to be something friendly, like “Invoice”. Because the document isn’t attached to the email, and the URI doesn’t start with http or https, most email gateways are going to let that sucker straight through as nothing appears malicious.
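A gateway-side check for the hyperlink trick just described, as an added example (not from the original post): it pulls ms-* scheme links out of a constructed email body, splits them into the scheme/command/argument layout shown above (ms-excel:ofv|u|https://...), and flags those whose argument is a remote http(s) document, which a plain "does the link start with http" filter would never see.

```python
import re

# Hyperlink targets that use an MS protocol scheme ("ms-<app>:...").
MS_SCHEME_LINK = re.compile(r"""href\s*=\s*["']?(ms-[a-z]+:[^"'\s>]+)""", re.IGNORECASE)

# Constructed sample email body (HTML); not a real message.
SAMPLE_EMAIL = """
<p>Please see the invoice linked below.</p>
<a href="ms-excel:ofv|u|https://blah.com/poc.xls">Invoice</a>
<a href="https://example.com/portal">Customer portal</a>
<a href="mailto:billing@example.com">Billing</a>
"""


def parse_office_uri(uri):
    """Split <scheme>:<command>|<argument type>|<argument>.
    For ms-excel:ofv|u|https://... this gives command 'ofv' (open for view)
    with a 'u' (URL) argument. Schemes without the pipe layout keep the
    whole remainder as the command and have no argument."""
    scheme, _, rest = uri.partition(":")
    fields = rest.split("|", 2)
    return {
        "uri": uri,
        "scheme": scheme.lower(),
        "command": fields[0],
        "arg_type": fields[1] if len(fields) > 1 else None,
        "argument": fields[2] if len(fields) > 2 else None,
    }


def scan_email(body):
    """One finding per ms-* hyperlink; remote=True when the scheme wraps an
    http(s) URL, i.e. the click fetches a document the gateway never saw."""
    findings = []
    for uri in MS_SCHEME_LINK.findall(body):
        info = parse_office_uri(uri)
        argument = (info["argument"] or "").lower()
        info["remote"] = argument.startswith(("http://", "https://"))
        findings.append(info)
    return findings


if __name__ == "__main__":
    for f in scan_email(SAMPLE_EMAIL):
        print(f"{f['scheme']} {f['command']} -> {f['argument']} (remote={f['remote']})")
```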

...and, when you look at the default Windows URI schemes that Office is allowing, there’s a lot of, er, interesting things.

Microsoft probably want to tighten up webpages embedded as remote templates in Office from loading so many URIs, and also Outlook probably needs another hardening pass. All just my opinions, as always.

Stay safe,

~g


Copyright notice: posted by admin on 30 May 2022 at 7:50 AM.
Please credit when reposting: Follina — a Microsoft Office code execution vulnerability | CTF导航
