Follina MSDT Attack: What We Know So Far

On May 27th, Nao_sec posted to Twitter regarding a vulnerability in Microsoft Word. Since then, security researchers have been diving into the vulnerability to understand the potential exploit.

The vulnerability uses Word to call MS-MSDT URL Protocol, which when exploited allows for the threat actor to call executables or files on the victim's machine. 

MSDT is the Microsoft Support Diagnostic Tool. It is used to diagnose and report information to Microsoft. The tool will look at information gathered and attempt to resolve issues. This tool is commonly seen when troubleshooting network access or program compatibility for applications.

This vulnerability is reportedly still able to run even if macros are disabled. 

How Does the Follina MSDT Attack Work? 

.docx files are essentially zip containers with multiple files inside, that contain details of formatting, styles, etc. along with the document contents. When you unzip a .docx, you can view all the resource files that are used to build the word document. From here, the resource file ‘document.xml.rels’ can be edited to point towards a malicious web server rather than a harmless bitmap inside the word file.

On the web server that is being pointed at, there is a payload file. That file calls the MS-MSDT URL Protocol. 

Once the MS-MSDT URL Protocol has been called, it can be specified for it to call specific applications. We have seen in demonstrations it set up to call Paint, Calc, or even CMD. 

In this case, we have chosen Powershell. 

As you can see we have base64 encoded this - out attack here is to download a payload from a website and execute it, but we could also view change or delete data on the host device - as you know PowerShell is powerful.

This video shows how this vulnerability can be exploited to use PowerShell to download and execute a file. 

How Can You Solve This Problem? 

Microsoft has come out with recommendations to disable the MSDT URL protocol as well as ensuring users with Microsoft defender antivirus should turn on cloud-delivered protection and automatic sample submission. They have also mentioned that customers using Microsoft Defender for Endpoint can enable a specific rule to block Office apps from creating child processes. 

Here at Threatlocker, we recommend that all customers ensure they have machines secured as quickly as possible. From initial internal testing, locking down your machines will stop unknown applications from running, however, we also recommend ensuring the default ringfencing™ policies are applied to your account. For example, the default ringfencing™ policy for PowerShell blocks access to the internet, apart from specific IP’s that you have chosen. This is a huge step toward stopping PowerShell from being weaponized, as shown in the video earlier. 

Threatlocker is updating its suggested office ringfencing™ policy to also block access to MSDT. This should stop the attack before MSDT can call any other applications. 

As we learn more about this vulnerability, we will endeavor to keep you up-to-date. If you would like help ensuring your environment is secure, please feel free to reach out to our Cyber Hero Team today.