---
title: "Everything You Need to Know About the Follina Vulnerability and the Latest Advice by Microsoft | Phish Protection"
description: "The recently discovered Follina vulnerability in Microsoft Support Diagnostic Tool has been causing all kinds of harm by employing word documents to do their."
image: "https://phishprotection.com/og/blog/follina-vulnerability-latest-advice-microsoft.png"
canonical: "https://phishprotection.com/blog/follina-vulnerability-latest-advice-microsoft/"
---


![Phish Protection blog post image](https://media.mailhop.org/phishprotection/images/2022/06/what-is-phishing-9715.jpg) 

The recently discovered Follina vulnerability in the Microsoft Support Diagnostic Tool has been causing all kinds of harm by employing Word documents to do its dirty work. The vulnerability was found in May but has reportedly been exploited for nearly a month. It has been making headlines in the cybersecurity world and raising doubts about the safety of one of the most widely used software applications, MS Word. Microsoft has responded to the [zero-day vulnerability](/content/zero-day-attacks/recent-zero-day-attacks-2019/) and shared the latest mitigation advice that you can use to block attacks before the official patch.

### What is Follina?

The Follina vulnerability is a cybersecurity vulnerability discovered at the end of May 2022. Officially tracked as [CVE-2022-30190](https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2022-30190), Follina is a zero-day vulnerability, i.e., a vulnerability that was not known before attackers began exploiting it. Follina is a remote code execution flaw in the MSDT (Microsoft Windows Support Diagnostic Tool). Cybercriminals can exploit it to assume control of a system or device and, within the user's rights, install programs, manipulate data, or create additional accounts.

### Does Follina Originate in MS Word?

> “Microsoft’s built-in phishing protection in Office 365 catches the obvious attacks, but it consistently misses targeted spear phishing and zero-day threats. We see this every day - customers come to us after an incident that Microsoft Defender didn’t catch. Adding a dedicated anti-phishing layer takes five minutes and closes that gap.” - **Adam Lundrigan**, CTO, DuoCircle

The quick answer is no; MS Word is safe to use, and Follina does not originate in MS Word. Follina gains entry to systems via the MSDT, a tool that various Microsoft applications use. Kevin Beaumont, a cybersecurity researcher and one of the earliest people to report on Follina, [shared revelations](https://doublepulsar.com/follina-a-microsoft-office-code-execution-vulnerability-1a47fce5629e) about the vulnerability after careful analysis.

Follina leverages MS Word’s remote template feature. Using the feature, MS Word retrieves an HTML (Hyper Text Markup Language) file from a remote server, and that file uses Microsoft’s MSDT URL (Uniform Resource Locator) scheme to call PowerShell, Microsoft’s task automation tool. This allows cybercriminals to download malware onto your device or upload system files and data.
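A defender can check a document for this kind of remote reference before anyone opens it. The following is an added example, not code from Microsoft or from the original article: it lists the relationships inside a `.docx` package that point outside the file, skipping ordinary hyperlinks. The sample document, its `example.invalid` URLs and the function names are constructed for illustration.

```python
import io
import re
import zipfile
import xml.etree.ElementTree as ET

REL_TAG = "{http://schemas.openxmlformats.org/package/2006/relationships}Relationship"
OFFICE_REL = "http://schemas.openxmlformats.org/officeDocument/2006/relationships/"
CLICK_ONLY = {"hyperlink"}            # followed only when the user clicks
REMOTE = re.compile(r"^(?:https?|ftp|file):|^\\\\", re.I)
MAX_PART = 1_000_000                  # size cap for a .rels part (zip-bomb guard)


def external_relationships(docx_bytes):
    """List relationships that make Word fetch content from outside the file."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as zf:
        for info in zf.infolist():
            if not info.filename.endswith(".rels"):
                continue
            data = zf.read(info) if info.file_size <= MAX_PART else b""
            if not data or b"<!DOCTYPE" in data or b"<!ENTITY" in data:
                # OOXML parts never need a DTD: report instead of parsing.
                findings.append((info.filename, "unparsed", "oversized, empty or DTD"))
                continue
            for rel in ET.fromstring(data).iter(REL_TAG):
                kind = rel.get("Type", "").rsplit("/", 1)[-1]
                target = rel.get("Target", "")
                if (rel.get("TargetMode", "").lower() == "external"
                        and kind not in CLICK_ONLY and REMOTE.match(target)):
                    findings.append((info.filename, kind, target))
    return findings


def build_sample():
    """Constructed sample: a benign hyperlink, an embedded image, a remote template."""
    def rels(*items):
        body = "".join(
            f'<Relationship Id="rId{i}" Type="{OFFICE_REL}{k}" Target="{t}"{m}/>'
            for i, (k, t, m) in enumerate(items, 1))
        return ('<?xml version="1.0" encoding="UTF-8"?><Relationships xmlns='
                '"http://schemas.openxmlformats.org/package/2006/relationships">'
                f"{body}</Relationships>")
    ext = ' TargetMode="External"'
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("word/document.xml", "<w:document/>")
        zf.writestr("word/_rels/document.xml.rels", rels(
            ("hyperlink", "https://www.example.invalid/about", ext),
            ("image", "media/image1.png", "")))
        zf.writestr("word/_rels/settings.xml.rels", rels(
            ("attachedTemplate", "https://files.example.invalid/page.html", ext)))
    return buf.getvalue()


if __name__ == "__main__":
    for part, kind, target in external_relationships(build_sample()):
        print(f"{part}: {kind} -> {target}")
```

A finding is a reason to inspect the document, not proof of an attack: legitimate templates hosted on a file share or intranet produce the same kind of entry.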

Testing across various MS Office versions revealed that the Follina exploit is indeed present on the latest versions of:

- MS Office 2013
- MS Office 2016
- MS Office 2019
- MS Office 2021
- Follina has also been observed on MS Office ProPlus and Office 365

### Follina’s Earliest Attacks

Although the Follina vulnerability was discovered at the end of May, _experts found traces of its exploitation throughout the preceding month_. An independent security research team found the Follina exploit in a sample that originated from an IP (Internet Protocol) address in **Belarus**. Samples of malicious MS Word documents were also reported to have been used by cybercriminals, indicating the exploitation of Follina in April as well.

The Follina vulnerability was also exploited by “**TA413**”, a Chinese APT group, to download backdoors onto victims’ systems using MSDT’s URL protocol. Experts argue that the Follina vulnerability has existed for quite some time. 2ero, a senior security researcher, initiated a [thread on Twitter](https://twitter.com/BaoshengbinCumt/status/1531821860744478720), revealing the entire timeline starting October 2022 and its recent exploitation by cybercriminals in various countries, including Nepal, India, Philippines, Russia, and Belarus.

### How to Keep Safe from the Follina Vulnerability?

The MSRC ([Microsoft Security Response Center](https://www.microsoft.com/en-us/msrc)) released a guide with steps you can take to protect yourself from the Follina vulnerability until a permanent patch is released.

**Protected View, built into MS applications**, serves as the first layer of protection and blocks any Follina attacks. Additionally, you can employ several methods to keep yourself safe against exploitation of Follina (CVE-2022-30190).

#### Disabling MSDT

A quick workaround for the Follina vulnerability is disabling the MSDT URL protocol altogether. Once it is disabled, MS troubleshooters can no longer be launched as links, keeping your system safe and protected against Follina exploitation attacks. You can disable it by:

- Running Cmd (Command Prompt) as Administrator.
- Backing up the registry key and then deleting it, executing the following commands one by one (`filename` is the backup file to write):

```
reg export HKEY_CLASSES_ROOT\ms-msdt filename
reg delete HKEY_CLASSES_ROOT\ms-msdt /f
```

If you wish to reverse this and re-enable the MSDT, restore the backup:

```
reg import filename
```

#### Microsoft Defender and Tools

You can use different Microsoft Defender Services to protect against Follina exploitation. These include:

##### 1\. MDAV (Microsoft Defender Antivirus)

The latest MDAV detects and **protects against threats under the following signatures**.

- Trojan:Win32/Mesdetty.A
- Trojan:Win32/Mesdetty.B
- Trojan:Win32/MesdettyScript.A
- Trojan:Win32/MesdettyScript.B
- Behavior:Win32/MesdettyLaunch.A!blk

It does so with detection build 1.367.851.0 or higher. Furthermore, you can turn on cloud-delivered protection, as it integrates **AI and ML** (Artificial Intelligence and Machine Learning) capabilities for automated and evolving security.

##### 2\. MDE (Microsoft Defender for Endpoint)

Microsoft Defender for Endpoint delivers **excellent detections** and alerts. The following alert titles could indicate Follina exploitation activity.

- Suspicious behavior by Msdt.exe
- Suspicious behavior by an Office application

You can also enhance your protection by enabling the attack surface reduction rule “Block all Office applications from creating child processes”. With this rule enabled, MS Office applications cannot launch sub or child processes.
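To see what that rule and the Msdt.exe alert look for, the following added example (not Microsoft's detection logic and not code from the original article) triages process-creation events: it raises `msdt.exe` running anywhere beneath an Office application and marks other direct Office children for review. It goes slightly beyond the rule by walking the whole parent chain. The event fields, the Office process list and the sample events are assumptions constructed for illustration.

```python
OFFICE_APPS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}


def image_name(path):
    """Lower-cased file name of a process image path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def office_ancestor(event, by_pid):
    """Follow parent links; return the chain from the first Office app down, else None."""
    chain, seen = [image_name(event["image"])], {event["pid"]}
    cur = by_pid.get(event["ppid"])
    while cur is not None and cur["pid"] not in seen:   # 'seen' stops parent loops
        seen.add(cur["pid"])
        chain.append(image_name(cur["image"]))
        if chain[-1] in OFFICE_APPS:
            return chain[::-1]
        cur = by_pid.get(cur["ppid"])
    return None


def triage(events):
    """Return (severity, chain) for processes started beneath an Office application."""
    by_pid = {e["pid"]: e for e in events}
    findings = []
    for e in events:
        chain = office_ancestor(e, by_pid)
        if chain is None:
            continue
        if chain[-1] == "msdt.exe":
            severity = "high"        # diagnostic tool started from a document context
        elif len(chain) == 2:
            severity = "review"      # direct child: what the ASR rule would block
        else:
            continue
        findings.append((severity, " > ".join(chain)))
    return findings


# Constructed sample events (pid, parent pid, image path).
SAMPLE_EVENTS = [
    {"pid": 4000, "ppid": 1, "image": r"C:\Windows\explorer.exe"},
    {"pid": 4100, "ppid": 4000,
     "image": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE"},
    {"pid": 4200, "ppid": 4100, "image": r"C:\Windows\System32\msdt.exe"},
    {"pid": 4300, "ppid": 4100, "image": r"C:\Windows\splwow64.exe"},   # printing helper
    {"pid": 4400, "ppid": 4000, "image": r"C:\Windows\System32\msdt.exe"},  # user-started
]

if __name__ == "__main__":
    for severity, chain in triage(SAMPLE_EVENTS):
        print(severity, chain)
```

The `review` entry for the printing helper shows why the rule is best trialled in audit mode first: some Office child processes are legitimate.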

##### 3\. MDO (Microsoft Defender Office)

The MDO, Microsoft’s defense tool for Office 365, can also detect and protect you from Follina vulnerabilities in email attachments and URLs. These include:

- Trojan\_DOCX\_OLEAnomaly\_AC
- Trojan\_DOCX\_OLEAnomaly\_AD
- Trojan\_DOCX\_OLEAnomaly\_AE
- Trojan\_DOCX\_OLEAnomaly\_AF
- Exploit\_UIA\_CVE\_2022\_30190
- Exploit\_CVE\_2022\_30190\_ShellExec
- Exploit\_HTML\_CVE\_2022\_30190\_A
- Exploit\_Win32\_CVE\_2022\_30190\_B

You can look at the complete MSRC’s security post for the Follina vulnerability [here](https://msrc-blog.microsoft.com/2022/05/30/guidance-for-cve-2022-30190-microsoft-support-diagnostic-tool-vulnerability/).

### No Follina Patch As of Yet

You should note that the **above steps currently provide the best defense** against the Follina vulnerability but do not fix the vulnerability itself.

Zero-day attacks are so termed as they provide little response time to organizations, in this case, Microsoft, as the cybercriminals and threat actors start exploiting the vulnerability before the organization even has a chance to look into it.

The Follina vulnerability is no different: it gives threat actors access to your systems, where they can elevate their privileges, access all system files, or download malware. By exploiting Follina, cybercriminals can easily lock you out of your systems, which is why taking all the necessary steps is of paramount importance and should be your highest priority. Until Microsoft releases a proper and permanent security patch, you should disable the MSDT and use **Microsoft Defender**.

### Final Words

The Follina vulnerability has shown how zero-day attacks pose unknown threats, even to tech giants known worldwide. There is an increasing and ever-growing demand for cybersecurity professionals and the latest tools to keep up with the rising threat of cybercrimes. That being said, Microsoft has withstood various attacks in the past and will release permanent patches for Follina soon. In the meantime, you can keep yourself safe by following the above recommendations and downloading Microsoft Defender Tools on your devices.


[ Brad Slavin ](/authors/brad-slavin/) 

General Manager

Founder and General Manager of DuoCircle. Product strategy and commercial lead across DuoCircle's 2,000+ customer base.

