Follina (CVE-2022-30190) is a remote code execution vulnerability in the Microsoft Support Diagnostic Tool (MSDT) that a Microsoft Office document can trigger without macros: the document loads an external reference (a remote HTML page) that invokes the ms-msdt: protocol handler, and MSDT then executes attacker-supplied PowerShell. The article outlines the attack flow, the technical details of how ms-msdt is used, and how Qualys Multi-Vector EDR and Qualys Context XDR can detect and help remediate the threat. Hashtags: #Follina #CVE-2022-30190
Keypoints
- Follina (CVE-2022-30190) is a macro-free remote code execution chain that affects all Microsoft Office versions 2013 and newer on supported Windows OS, including Windows Server 2022.
- The attack is delivered via a malicious Word document (or other Office file) whose external OLE relationship fetches a remote HTML page; that page, not a macro, triggers execution, so macro-blocking policies alone do not stop it.
- Exploitation uses the ms-msdt: URL protocol handler to launch MSDT (the Microsoft Support Diagnostic Tool, a legitimate signed Windows binary) with a crafted PCWDiagnostic troubleshooter parameter string; the IT_BrowseForFile parameter carries a PowerShell subexpression that MSDT evaluates as code.
- Base64-encoded PowerShell payloads are commonly observed, decoded at runtime (typically [Convert]::FromBase64String fed to Invoke-Expression) to execute commands, and may download additional payloads such as remote access tools.
- Qualys Multi-Vector EDR detects the Follina attack chain and maps detections to MITRE ATT&CK techniques, while Qualys Context XDR correlates Windows Sysmon-like events to raise alerts.
- MITRE mapping includes Initial Access (T1566.001 Phishing: Spearphishing Attachment) and two Execution techniques (T1059.001 PowerShell and T1203 Exploitation for Client Execution).
- Recommendations include applying Microsoft's patch once available (Microsoft shipped the fix in its June 2022 security updates), disabling the ms-msdt: protocol handler as an interim workaround (back up HKEY_CLASSES_ROOT\ms-msdt with reg export, then delete the key), blocking msdt.exe via AppLocker or the Attack Surface Reduction rule that blocks Office applications from creating child processes, and enabling Qualys EDR/XDR for affected systems.
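As an added example (not code from the Qualys post), the detection logic the keypoints describe: a small Python scanner over Sysmon-style process-creation events that flags the Office to msdt.exe chain and MSDT-hosted PowerShell, tags each hit with the ATT&CK IDs the page lists, and decodes the base64 payload in the right codec. The event field names, the sample events and the benign payload they carry are constructed for the demo; treating sdiagnhost.exe as the host that runs MSDT's scripted diagnostics is an assumption drawn from how the troubleshooter pipeline works, not something the page states.

```python
"""Follina (CVE-2022-30190) process-chain detection over Sysmon-style events.

Added example, not code from the Qualys post. Event dictionaries mirror the
ParentImage / Image / CommandLine fields of Sysmon Event ID 1; the sample
events and the benign payload they carry are constructed for the demo.
"""
import base64
import binascii
import ntpath
import re
from typing import Optional

OFFICE_PARENTS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
# Assumption: msdt.exe hands the troubleshooter to sdiagnhost.exe, which hosts PowerShell.
MSDT_HOSTS = {"msdt.exe", "sdiagnhost.exe"}

# ms-msdt: launches the PCWDiagnostic troubleshooter; a $( ... ) subexpression in the
# IT_BrowseForFile parameter is what turns a "file name" into PowerShell code.
MSDT_INJECTION = re.compile(
    r"ms-msdt:.*?/id\s+PCWDiagnostic.*?IT_BrowseForFile=\$\(", re.I | re.S)
# Base64 handed to [Convert]::FromBase64String(...), possibly wrapped in '+[char]34+' noise.
B64_CONVERT = re.compile(r"FromBase64String\(.{0,40}?([A-Za-z0-9+/]{16,}={0,2})", re.S)
# powershell -EncodedCommand / -enc / -e <base64>: PowerShell decodes this as UTF-16LE.
B64_ENCODED = re.compile(r"-e(?:nc(?:odedcommand)?)?\s+([A-Za-z0-9+/]{16,}={0,2})", re.I)

PAYLOAD = "Start-Process calc.exe"  # benign stand-in for a real second stage
B64_UTF8_SAMPLE = base64.b64encode(PAYLOAD.encode()).decode()
B64_UTF16_SAMPLE = base64.b64encode(PAYLOAD.encode("utf-16-le")).decode()

SAMPLE_EVENTS = [  # constructed, not captured
    {   # Word -> msdt.exe carrying the injected PCWDiagnostic parameter string
        "ParentImage": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
        "Image": r"C:\Windows\System32\msdt.exe",
        "CommandLine": (
            'msdt.exe ms-msdt:/id PCWDiagnostic /skip force /param "IT_RebrowseForFile=? '
            "IT_LaunchMethod=ContextMenu IT_BrowseForFile=$(Invoke-Expression($(Invoke-Expression("
            "'[System.Text.Encoding]'+[char]58+[char]58+'UTF8.GetString([System.Convert]'+[char]58"
            f"+[char]58+'FromBase64String('+[char]34+'{B64_UTF8_SAMPLE}'+[char]34+'))'))))"
            'i/../../../Windows/System32/mpsigstub.exe"'
        ),
    },
    {   # sdiagnhost.exe -> powershell.exe with a UTF-16LE -EncodedCommand
        "ParentImage": r"C:\Windows\System32\sdiagnhost.exe",
        "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
        "CommandLine": f"powershell.exe -nop -w hidden -EncodedCommand {B64_UTF16_SAMPLE}",
    },
    {   # benign: Word printing through the spooler proxy
        "ParentImage": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
        "Image": r"C:\Windows\splwow64.exe",
        "CommandLine": "splwow64.exe",
    },
    {   # benign: a user opening the troubleshooter from the shell, no injection
        "ParentImage": r"C:\Windows\explorer.exe",
        "Image": r"C:\Windows\System32\msdt.exe",
        "CommandLine": "msdt.exe -id PCWDiagnostic",
    },
]


def _base(path: str) -> str:
    return ntpath.basename(path).lower()


def decode_blob(b64: str) -> str:
    """Decode one base64 blob, sniffing UTF-16LE (the -EncodedCommand codec) vs UTF-8."""
    raw = base64.b64decode(b64 + "=" * (-len(b64) % 4))
    odd = raw[1::2]  # UTF-16LE ASCII text has a NUL in every odd byte
    if odd and odd.count(0) > len(odd) // 2:
        return raw.decode("utf-16-le", "replace")
    return raw.decode("utf-8", "replace")


def decode_payloads(cmdline: str) -> list:
    """Every base64 blob on the command line, decoded; non-base64 lookalikes are skipped."""
    blobs = [m.group(1) for m in B64_CONVERT.finditer(cmdline)]
    blobs += [m.group(1) for m in B64_ENCODED.finditer(cmdline)]
    out = []
    for blob in blobs:
        try:
            out.append(decode_blob(blob))
        except (binascii.Error, ValueError):
            pass
    return out


def analyze(event: dict) -> Optional[dict]:
    """Return an alert for a Follina-shaped event (technique IDs as on the page), else None."""
    parent, image = _base(event["ParentImage"]), _base(event["Image"])
    cmd = event["CommandLine"]
    hits = []
    if image == "msdt.exe" and parent in OFFICE_PARENTS:
        hits.append(("T1203", "Office process spawned msdt.exe via the ms-msdt: handler"))
    if image == "msdt.exe" and MSDT_INJECTION.search(cmd):
        hits.append(("T1203", "IT_BrowseForFile parameter carries a PowerShell subexpression"))
    if image == "powershell.exe" and parent in MSDT_HOSTS:
        hits.append(("T1059.001", "PowerShell launched from the MSDT diagnostic chain"))
    payloads = decode_payloads(cmd) if hits else []
    if payloads:
        hits.append(("T1059.001", "base64 PowerShell decoded from the command line"))
    if not hits:
        return None
    return {"parent": parent, "image": image,
            "techniques": sorted({tid for tid, _ in hits}),
            "reasons": [why for _, why in hits], "payloads": payloads}


def scan(events: list) -> list:
    """Run analyze() over a batch and keep only the alerts."""
    return [a for a in map(analyze, events) if a is not None]


if __name__ == "__main__":
    for alert in scan(SAMPLE_EVENTS):
        print(alert["image"], alert["techniques"], alert["payloads"])
```

The two benign events show the precision guard: an Office parent alone (printing) and msdt.exe alone (a user-launched troubleshooter) produce no alert; only the combination, or the PowerShell subexpression inside the troubleshooter parameters, does. `decode_blob` sniffs the codec rather than trusting the surrounding call because -EncodedCommand is always UTF-16LE while FromBase64String payloads are usually UTF-8, and a mismatch would turn the decoded script into unreadable null-interleaved text.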
MITRE Techniques
- [T1566.001] Initial Access – “Phishing: Spearphishing Attachment” – “The attacker sends an email containing a malicious Microsoft Office document (.docx, etc.) to the targeted user.”
- [T1059.001] Execution – “Command and Scripting Interpreter: PowerShell” – “This base64 encoded PowerShell script code (fig.4, in blue) is decoded (in white) to:”
- [T1203] Execution – “Exploitation for Client Execution” – “ms-msdt: URL protocol handler, to execute PowerShell script code.”
Indicators of Compromise
- [URL] context – hxxp://141.98.215.99/color.html (external resource that serves malicious content used to push the ms-msdt payload)
- [IP] context – 141.98.215.99 (host serving the external malicious reference)
- [Filename] context – PCW.debugreport.xml, ResultReport.xml (report files written by the PCWDiagnostic troubleshooter that MSDT runs; their appearance alongside an Office-spawned msdt.exe is a post-exploitation artifact)
- [SHA256] context – 3aa16a340aacc5aecbdb902a5f6668f117b62e27966ab41f8a71a1dd1a08f8bd, fe43f3ea0146e107521b6b81c53ee4eb583cce8bad69f39072134f53081738dd, and 2 more hashes