Best Top Reviews Online

Zero-Day ‘Follina’ Vulnerability Exposes Microsoft Office to Attack

According to reports, malware loads itself from remote servers and circumvents Microsoft’s Defender AV scanner.


A zero-day flaw in Microsoft Office enables adversaries to execute malicious code on targeted systems by exploiting a flaw in the remote Word template feature.

Japanese security vendor Nao Sec tweeted a warning about the zero-day vulnerability over the weekend.

The vulnerability was dubbed “Follina” by renowned security researcher Kevin Beaumont, who explained that the zero-day code references the Follina, Italy, area code of 0438.

The flaw, according to Beaumont, exploits the remote template feature in Microsoft Word and does not rely on a typical macro-based exploit path, which is common in Office-based attacks. According to Nao Sec, a live instance of the bug was discovered in a Word document template and is linked to an Internet Protocol (IP) address in Belarus.

It is unknown if adversaries have actively exploited the zero-day flaw. Existing proof-of-concept code demonstrates that Office versions ranging from 2003 to the current release are vulnerable to attack. Instead of a patch, security researchers say users can mitigate risk by implementing Microsoft Attack Surface Reduction measures.

Utilization of Follina

Researchers at Nao Sec explain that the malicious template loads an exploit via an HTML file from a remote server along the path to infection.

The loaded HTML employs the MSProtocol URI scheme “ms-msdt” to load and execute a snippet of PowerShell code.

According to Nao Sec, “it uses Word’s external link to load HTML and the’ms-msdt’ scheme to execute PowerShell code.”

Microsoft Support Diagnostic Tool (MSDT) collects information and sends reports to Microsoft Support. This troubleshooting wizard will analyze the gathered information and attempt to locate a solution to the user’s problems.

Beaumont discovered that the vulnerability allows code to execute via MSDT “even if macros are disabled.”

“Protected View does activate; however, if you convert the document to RTF format, it runs without even opening the document (via the preview tab in Explorer), let alone Protected View,” Beaumont elaborated.

Beaumont confirmed that the exploit currently affects older versions of Microsoft Office 2013 and 2016 and “missed execution” of malware endpoint detection. The vulnerability affects even the most recent version of Microsoft Office, according to additional research.

Didier Stevens, an additional security researcher, stated that he exploited the Follina vulnerability in a fully patched version of Microsoft Office 2021, and John Hammond, a cybersecurity researcher, tweeted a working demonstration of Follina.

By appending the endpoint query to Defender, Microsoft users with E5 licenses can detect the exploit. In addition, Warren recommends employing Attack Surface Reduction (ASR) rules to prevent office applications from spawning child processes.

Why Trust Us?

Best Top Reviews Online was established in 2018 to provide our readers with detailed, truthful, and impartial advice on what to buy. We now have millions of monthly users from all over the world and annually evaluate over a thousand products.

The above article was written by the BestTopReviewsOnline team, which consists of some of the most knowledgeable technical experts in the United States. Our team consists of highly regarded writers with vast experience in smartphones, computer components, technology apps, security, and photography, among other fields.

Related Stories

  • All Post
  • Best Picks
  • Explainers
  • How To
  • News
  • Versus
380K Kubernetes API Servers Exposed to Public Internet

May 20, 2022

More than 380,000 of the more than 450,000 servers hosting the open-source container-orchestration engine for managing cloud deployments permit access in some form. Researchers have discovered that more than 380,000 Kubernetes API servers provide access to the public internet, making…

Get more info



Best Products

Buying Guides

Contact Us

About Us

We provide a platform for our customers to rate and review services and products, as well as the stores that sell them. We research and compare the most popular brands and models before narrowing it down to the top ten, providing you with the most comprehensive and reliable buying advice to help you make your decision.

Disclaimer is a participant in the Amazon Services LLC Associates Program, an affiliate advertising program designed to provide a means for sites to earn advertising fees by advertising and linking to As an Amazon Associate I earn from qualifying purchases.


Address & Map

20 S Santa Cruz Ave, Suite 300, Los Gatos, CA 95030, United States

© 2022 Pty. Ltd. All Rights Reserved. Licensing: All third-party trademarks, images, and copyrights used on this page are for comparative advertising, criticism, or review. As this is a public forum where users can express their opinions on specific products and businesses, the opinions expressed do not reflect those of