View all newsletters
Receive our newsletter - data, insights and analysis delivered to you
  1. Technology
  2. Cybersecurity
June 9, 2022updated 10 Jun 2022 3:36pm

When will Microsoft patch the Follina Office 365 vulnerability?

The vulnerability is being exploited by hackers, but Microsoft is apparently not in a hurry to release a patch.

By Claudia Glover

A zero day vulnerability in Microsoft’s Office 365 software is not likely to be patched for at least another week, experts believe. The vulnerability, named Follina, is already being exploited by a host of hacking gangs, including state-sponsored groups and ransomware criminals.

Phone using Microsoft Office 365, which currently features the Follina vulnerability
A vulnerability in Office 365 – Follina – is being exploited by hackers. (Photo Illustration by Rafael Henrique/SOPA Images/LightRocket via Getty Images)

Follina utilises a flaw in the Microsoft Diagnostic Tool (MSDT) to allow hackers to gain access to systems running Office 365 and launch remote code execution (RCE) attacks on those systems.

How is the Follina zero day being exploited?

The vulnerability was spotted last month, and hackers which successfully exploit it are free to access compromised systems “The attacker can then install programs, view, change, or delete data, or create new accounts in the context allowed by the user’s rights,” says a Microsoft blog on Follina.

The nature of the vulnerability means that malware can be uploaded easily, says Satya Gupta, founder and CTO of security company Virsec. “This vulnerability in MSDT affects not just Word but all Office 365 apps,” he says. “This event once again heavily underscores the power of RCE vulnerabilities as being the most dangerous vulnerabilities. Most enterprises don’t patch for days, weeks and sometimes even for months. This is great news for bad actors because RCEs give attackers a free pass to infiltrate the enterprise’s compute infrastructure.”

Earlier this week, researchers at ProofPoint said they had found evidence that Follina is now being exploited by prolific ransomware affiliate botnet Qbot.  

QBot is currently being used by the Black Basta ransomware group to launch bot-powered attacks, according to security company NCC group. “Qbot was the primary method used by the threat actor to maintain their presence on the [victim’s] network,” its research team said.

Content from our partners
Scan and deliver
GenAI cybersecurity: "A super-human analyst, with a brain the size of a planet."
Cloud, AI, and cyber security – highlights from DTX Manchester

ProofPoint said its team also believes Follina is being exploited by state-backed hackers, but has yet to ascertain which country they come from. Allan Liska, intelligence analyst at Recorded Future, says it is likely they are from China. “As with many zero day exploits, this started off being used by what are likely Chinese nation-state actors,” he says. “But as proof of concept code has been released, other cybercriminals have picked up on it and we are now seeing malware like Qbot using it to deliver ransomware and other malicious code.”

Will the Follina Office 365 vulnerability be patched by Microsoft?

Though Microsoft has released some work-arounds for the vulnerability, it has yet to deploy an official patch to combat it. It could do so during patch Tuesday – the monthly event which sees it release a tranche of updates for its systems – which takes place next week, but an Microsoft spokesman declined to say whether a patch will be forthcoming when questioned by Ars Technica on Monday.

If it doesn’t, Liska says the implications could be disastrous. “The number of samples discovered in the wild is relatively small, especially given the ease of exploitation and the readiness of exploit code,” he says. “But that won’t last. More and more cybercriminals will add this to their arsenal and exploitation reports will continue to rise. Hopefully, Microsoft does include a patch next Tuesday and we can see infections start to die off.” 

Read more: Windows Autopatch could spell the end for Patch Tuesday

Topics in this article : ,
Websites in our network
Select and enter your corporate email address Tech Monitor's research, insight and analysis examines the frontiers of digital transformation to help tech leaders navigate the future. Our Changelog newsletter delivers our best work to your inbox every week.
  • CIO
  • CTO
  • CISO
  • CSO
  • CFO
  • CDO
  • CEO
  • Architect Founder
  • MD
  • Director
  • Manager
  • Other
Visit our privacy policy for more information about our services, how Progressive Media Investments may use, process and share your personal data, including information on your rights in respect of your personal data and how you can unsubscribe from future marketing communications. Our services are intended for corporate subscribers and you warrant that the email address submitted is your corporate email address.