Everyone hardened against macros. Follina didn't use one.
CVE-2022-30190 (Follina) ran code from a Word document with no macro at all, by abusing a Windows URL protocol handler to invoke the Support Diagnostic Tool. It defeated macro-based defenses, and Microsoft had reportedly closed an earlier report as “not a security issue.”
The security industry spent years drilling one message about malicious Office documents: disable macros, don’t click “enable content,” and you’ve closed the main door. Follina walked in through a different one. CVE-2022-30190 let a Word document execute code with no macro at all, by abusing the ms-msdt: URL protocol handler to invoke the Microsoft Support Diagnostic Tool and run an attacker’s command. Macro settings were irrelevant. In some configurations even Protected View wasn’t enough. And the uncomfortable coda: the technique had reportedly been flagged to Microsoft and closed as “not a security issue” before it was weaponized and named Follina.
What the bug is
CVE-2022-30190 is a remote code execution flaw, CVSS 7.8, that abuses the ms-msdt: URL protocol. An Office document (often via a remotely loaded template) references the ms-msdt: handler with a crafted payload, and the Support Diagnostic Tool executes attacker-controlled code in the context of the user. The key property is that it routes around the macro security model entirely: there’s no macro to block, no “enable content” prompt to refuse. CISA published workaround guidance on May 31, 2022, after the bug went public on May 27; the interim mitigation was to delete the ms-msdt URL protocol registry key, and Microsoft shipped patches on June 14. Multiple actors, from cybercrime to nation-state, adopted it quickly, and the entry carries the ransomware flag in CISA’s Known Exploited Vulnerabilities catalog.
Two lessons, both uncomfortable
Macros are not the whole attack surface. Years of macro hardening, sandboxing, and “enable content” warnings trained defenders and users to equate “document attack” with “macro.” Follina exploited a completely different mechanism, a Windows URL protocol handler reachable from a document, and sailed past every macro control. The general lesson is that Office and Windows expose many ways for a document to reach out and trigger something: protocol handlers (ms-msdt:, search-ms:, and others), remote templates, embedded objects, and external references. Hardening one path doesn’t close the rest. Defense has to assume documents are a rich, multi-path attack surface, not just a macro problem.
“Not a security issue” is a judgment that ages badly. The most-cited detail about Follina is that the underlying technique was reported and initially dismissed. Triaging vulnerability reports is genuinely hard, and not every report is a real bug. But a protocol-handler-to-code-execution path from a document is exactly the kind of thing that deserves a second look, and the gap between “we closed this as not-a-security-issue” and “this is now an in-the-wild RCE with a catchy name” is a reminder, for any organization that triages security reports, that dismissing a creative report carries real risk. When something lets untrusted content reach a code-execution primitive, the bar for “not a problem” should be very high.
What to do
- Patch. The June 2022 update fixes Follina. Any current Windows/Office is covered; the residual risk is unpatched and legacy systems.
- Reduce document-borne attack surface beyond macros. Disabling unneeded URL protocol handlers, restricting which protocols Office can invoke, and using attack-surface-reduction (ASR) rules that block Office from spawning child processes all defend against this class, not just this CVE. The ASR rule that blocks Office child processes would have broken the Follina chain, as it does for many document attacks.
- Don’t rely on “macros are off” as complete document defense. Pair it with execution controls and behavioral detection that catch document-to-process activity regardless of the trigger.
- Hunt for the pattern. Office applications spawning msdt.exe, or msdt.exe launching shells, is the Follina signature; alert on it. More broadly, Office spawning any command interpreter is worth flagging.
- Treat protocol-handler invocations as attack surface in your own software too. If you ship a custom URL protocol handler, assume hostile input can reach it from a web page or document, and validate accordingly.
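The hunt described in the list above, worked through as an added example (not code from the original note): it classifies constructed process-creation records with Sysmon-style field names and flags Office spawning msdt.exe, msdt.exe spawning an interpreter, and Office spawning any interpreter. It goes one step beyond the note by also treating sdiagnhost.exe, the scripted diagnostics host seen alongside msdt.exe in public Follina analyses, as part of the MSDT stage.

```python
"""Hunt the Follina process tree in process-creation telemetry (added example,
not from the original note). Records are constructed with Sysmon Event ID 1
field names (ParentImage, Image, CommandLine); map EDR or 4688 fields onto them."""
import ntpath
from typing import Optional

OFFICE = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe",
          "msaccess.exe", "mspub.exe", "visio.exe"}
# msdt.exe is the ms-msdt: handler target; sdiagnhost.exe is the scripted
# diagnostics host that public Follina analyses show running the payload.
DIAG_HOSTS = {"msdt.exe", "sdiagnhost.exe"}
INTERPRETERS = {"cmd.exe", "powershell.exe", "pwsh.exe", "wscript.exe",
                "cscript.exe", "mshta.exe", "rundll32.exe", "regsvr32.exe"}

def _exe(path: str) -> str:
    return ntpath.basename(path).lower()   # image path -> lower-case file name

def classify(event: dict) -> Optional[str]:
    """Return an alert tag for one process-creation record, or None."""
    parent, child = _exe(event["ParentImage"]), _exe(event["Image"])
    if parent in OFFICE and child in DIAG_HOSTS:
        return "office_spawned_msdt"          # the Follina signature
    if parent in DIAG_HOSTS and child in INTERPRETERS:
        return "msdt_spawned_interpreter"     # the payload stage
    if parent in OFFICE and child in INTERPRETERS:
        return "office_spawned_interpreter"   # broader document-attack pattern
    return None

def hunt(events: list) -> list:
    """Collect (RecordId, tag) for every record classify() flags."""
    return [(ev["RecordId"], tag) for ev in events if (tag := classify(ev))]

# Constructed sample telemetry: records 1-2 are the Follina chain, 3 is benign
# Word activity (print spooler helper), 4 is Excel spawning cmd.exe directly.
OFFICE_DIR = r"C:\Program Files\Microsoft Office\root\Office16"
SAMPLE_EVENTS = [
    {"RecordId": 1, "ParentImage": OFFICE_DIR + r"\WINWORD.EXE",
     "Image": r"C:\Windows\System32\msdt.exe",
     "CommandLine": r'"C:\Windows\System32\msdt.exe" ms-msdt:/id CONSTRUCTED'},
    {"RecordId": 2, "ParentImage": r"C:\Windows\System32\msdt.exe",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": "powershell.exe -nop -c CONSTRUCTED"},
    {"RecordId": 3, "ParentImage": OFFICE_DIR + r"\WINWORD.EXE",
     "Image": r"C:\Windows\splwow64.exe", "CommandLine": "splwow64.exe 8192"},
    {"RecordId": 4, "ParentImage": OFFICE_DIR + r"\EXCEL.EXE",
     "Image": r"C:\Windows\System32\cmd.exe", "CommandLine": "cmd.exe /c CONSTRUCTED"},
]

if __name__ == "__main__":
    for record_id, tag in hunt(SAMPLE_EVENTS):
        print(f"record {record_id}: {tag}")
```

The parent/child rules are deliberately command-line-agnostic, since the ASR rule and the telemetry pattern both key on process lineage rather than on the payload text.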
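For the last item, validating input to a custom URL protocol handler, an added example (not from the original note) using a hypothetical exampleapp: scheme with hypothetical actions and parameters: the handler accepts only allowlisted actions and parameter names, restricts values to a narrow character set, and never hands the raw URI to a shell.

```python
"""Input validation at the entry point of a custom URL protocol handler (added
example, not from the original note). Windows hands the handler the whole URI
as its argument, so everything after the scheme is untrusted. Scheme, actions
and parameter names here are hypothetical."""
import re
from urllib.parse import parse_qs, urlsplit

SCHEME = "exampleapp"
# Allowlist: each action and the exact parameter names it requires.
ACTIONS = {"open": {"doc"}, "sync": {"folder"}}
# Values are opaque tokens: no spaces, quotes, $ ( ) & | or path separators.
SAFE_VALUE = re.compile(r"^[A-Za-z0-9._-]{1,64}$")
MAX_URI = 512

def parse_handler_uri(uri: str) -> dict:
    """Return {"action": ..., "params": {...}} or raise ValueError."""
    if len(uri) > MAX_URI or any(ord(c) < 0x20 for c in uri):
        raise ValueError("oversized URI or control characters")
    parts = urlsplit(uri)
    if parts.scheme != SCHEME or parts.fragment:
        raise ValueError("unexpected scheme or fragment")
    # Accept both exampleapp:open?... and exampleapp://open?... spellings.
    action = (parts.netloc or parts.path).strip("/").lower()
    if action not in ACTIONS:
        raise ValueError(f"unknown action {action!r}")
    query = parse_qs(parts.query, strict_parsing=True) if parts.query else {}
    params = {}
    for name, values in query.items():   # parse_qs has already percent-decoded
        bad = (name not in ACTIONS[action] or len(values) != 1
               or not SAFE_VALUE.match(values[0]))
        if bad:
            raise ValueError(f"rejected parameter {name!r}")
        params[name] = values[0]
    if set(params) != ACTIONS[action]:
        raise ValueError("missing required parameter")
    # Callers route on the validated dict; the raw URI never reaches a shell.
    return {"action": action, "params": params}

def is_acceptable(uri: str) -> bool:
    """True only if the URI passes every check above."""
    try:
        parse_handler_uri(uri)
        return True
    except ValueError:
        return False

if __name__ == "__main__":
    for sample in ("exampleapp:open?doc=report.docx",              # constructed
                   "exampleapp:open?doc=report.docx&unexpected=1"):  # constructed
        print(sample, "->", is_acceptable(sample))
```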
The reframe is to widen the mental model of “malicious document” past the macro. Follina is the clean proof that a document can reach a dangerous Windows feature through a path the macro defenses never touched, and that a report dismissed as harmless can resurface as a named zero-day. Patch it, layer execution controls that don’t depend on the trigger, and give creative “can a document reach this?” reports the benefit of the doubt. We flag the document and protocol-handler entries because they keep finding the door that the last round of hardening left open.
Sources
- CISA: Microsoft releases workaround guidance for MSDT “Follina” vulnerability — 2022-05-31
- CISA Known Exploited Vulnerabilities Catalog
- NVD CVE-2022-30190 — 2022-05-30
- FortiGuard Labs: Analysis of the Follina zero-day (CVE-2022-30190) — 2022-06
- Hack The Box: CVE-2022-30190 (Follina) explained — 2022