“Follina” MSDT Attack Zero-Day Threat

A zero-day attack has emerged that currently has no patch available. The code is executed remotely through the Microsoft Diagnostics Tool (MSDT) and Microsoft Office utilities, namely Microsoft Word. 

This type of threat is known as remote code execution (RCE), which means that once this code is detonated, threat actors can elevate their own privileges and potentially gain full control over the affected environment. The attacker can install programs, view, change, or delete data, or create new accounts if allowed by the user’s rights. Detonating this malicious code is as simple as opening up a Word doc — in preview mode.

The mitigations that are available have not yet been thoroughly reviewed by the IT industry. These workarounds involve changing settings in the Windows Registry which could have serious ramifications as an incorrect Registry entry could“brick your machine” making it unusable.

We ask all businesses to take extreme vigilance – do not open or click on any links that you are not expecting and in this case, Microsoft 365 documents from sources you were not anticipating to receive attachments from. Even when the sender is known, be very cautious before opening any attachments.  Ask yourself – was this email expected?

The team at Nucleus is actively monitoring this vulnerability and the mitigation of it. Clients using our new Managed IT Security Services are protected against this threat. If you are concerned about this attack or your businesses’ cybersecurity defence, please contact us. 

Resources

Microsoft Security Response Centre

Huntress