Microsoft FOLLINA Zero Day Warning


A new Microsoft vulnerability, exploited by an attack called “FOLLINA”, was discovered over the Memorial Day weekend. Simply opening a booby-trapped Word document can let attackers onto your computer and into your network. There is currently no patch for the “Follina” attack, but there are ways you can protect yourself.

According to the Sophos antivirus company:

“This Zero Day vulnerability (a Zero Day means there’s currently no patch) is a code execution security hole that can be exploited by way of Office files; there is a possibility there may be other ways to trigger or abuse this vulnerability.

How does it work? Very loosely speaking, the exploit works like this:

  • You open a booby-trapped DOC file, perhaps received via email.
  • The document references a regular-looking https: URL that gets downloaded.
  • This https: URL references an HTML file that contains some weird-looking JavaScript code.
  • That JavaScript references a URL with the unusual identifier ms-msdt: in place of https:.
  • On Windows, ms-msdt: is a proprietary URL type that launches the MSDT software toolkit.
  • MSDT is shorthand for Microsoft Support Diagnostic Tool.
  • The command line supplied to MSDT via the URL causes it to run untrusted code.”

While we wait for Microsoft to release a patch, BW Cyber recommends that you not open any Word documents from unknown sources. Be especially vigilant for Word documents that appear to come from internal sources but seem suspicious: these malicious e-mails may, in fact, be from an external sender pretending to be an internal user via “TYPOSQUAT” impersonation.

For more information on how BW Cyber, LLC can assist you, please contact us at info@bwcyberservices.com.