“Follina” – Critical Zero-Day Exploit for Microsoft Products
Background
Over the past holiday weekend, a tweet from Tokyo-based security researcher “nao_sec” first identified an interesting upload to antivirus platform VirusTotal[1]. The Microsoft Word (.docx) file, uploaded from an IP address originating in Belarus, was found to contain a novel mechanism for obtaining PowerShell command execution through Office documents via the Microsoft Support Diagnostic Tool (MS-MSDT) troubleshooting feature. This original malware sample is currently being analyzed by members of the cybersecurity community, including Kevin Beaumont, who posted his analysis on Sunday, May 29th and named the sample “Follina”[2].