July 13, 2022, updated 17 Aug 2022 8:44am

Criminals continue to exploit the Follina Microsoft Office 365 vulnerability

Microsoft appears to have taken further action to mitigate the impact of a problematic and widespread vulnerability.

By Claudia Glover

The Follina vulnerability in Microsoft Office is still being exploited by criminals a month after a patch that supposedly fixed the problem was released by the company. Microsoft appeared to take further action as part of yesterday’s Patch Tuesday security update, but the vulnerability is likely to continue to be used by hackers, particularly state-sponsored groups.

Microsoft has taken further measures to mitigate Follina. (Photo by wellesenterprises/iStock)

Follina, a vulnerability in the Microsoft Support Diagnostic Tool (MSDT) protocol handler used by Office, was first uncovered in April. It gives criminals who exploit it the ability to run arbitrary code on an affected system, meaning it can be used to take control of that system and deliver malware. “An attacker who successfully exploits this vulnerability can run arbitrary code with the privileges of the calling application,” says a post on Microsoft’s Security Response Center (MSRC). “The attacker can then install programs, view, change, or delete data, or create new accounts in the context allowed by the user’s rights.”

Microsoft waited two months to take action on Follina, releasing a patch as part of June’s Patch Tuesday. But although this tackles the way criminals can access systems, it does nothing to stop the execution of malicious code within Office. Analyst Kevin Beaumont, who coined the name Follina, said that “by not fixing how MS Protocol loads in Word templates and Outlook, the attack surface remains large, meaning this issue will happen again.”

Following this month’s Patch Tuesday, Beaumont took to Twitter to report that updates released by Microsoft appear to be a step in the right direction.

The Follina vulnerability is still being exploited

Regardless of the effectiveness of the patch, the sheer number of Office 365 users creates a problem when combatting Follina. Microsoft’s last quarterly results reported there were 345 million paid commercial users of Office 365.

Bharat Mistry, technical director for the UK and Ireland at Trend Micro, says this alone means it is unlikely that all systems are patched against the problem. “The community that uses Microsoft Office is huge, just about everyone uses it,” he says. “How quickly can people even patch?”

Last week, security company Fortinet reported that attackers have been using the Follina flaw to deploy Rozena malware via a link to gaming chat platform Discord. The malware opens a backdoor into infected systems. Ukrainian media organisations have also been targeted by Russian hackers exploiting the vulnerability since the initial patch was released.

Mistry believes the widespread impact of Follina means many other hacking gangs could be trying to exploit it. “I wouldn’t be surprised if state-sponsored groups have been using it to gather information for espionage,” he says.
