Document Exploiting New Microsoft Office Zero-Day Seen in the Wild

Cybersecurity researchers have issued a warning after spotting what appears to be a new Microsoft Office zero-day vulnerability that may have been exploited in the wild.

On May 27, a researcher who uses the online moniker “nao_sec” reported on Twitter that they had found an interesting malicious document on the VirusTotal malware scanning service. The malicious Word file, uploaded from Belarus, is designed to execute arbitrary PowerShell code when opened.

The malware was later analyzed by several others, including researcher Kevin Beaumont, who published a blog post detailing his findings on Sunday.

“The document uses the Word remote template feature to retrieve a HTML file from a remote webserver, which in turn uses the ms-msdt MSProtocol URI scheme to load some code and execute some PowerShell,” Beaumont explained, adding, “That should not be possible.”

The researcher noted that the code is executed even if macros are disabled — malicious Word documents are typically used for code execution via macros. Microsoft Defender currently does not appear to be capable of preventing execution.

“Protected View does kick in, although if you change the document to RTF form, it runs without even opening the document (via the preview tab in Explorer) let alone Protected View,” Beaumont said.

The researcher decided to name the zero day vulnerability “Follina” because the malicious file references 0438, which is the area code of Follina, a village in Italy.

Roughly one-third of the vendors on VirusTotal detect the malicious document at the time of writing.

Beaumont and others — including Didier Stevens and NCC Group’s Rich Warren — have confirmed that the Follina zero-day exploit can be used to remotely execute arbitrary code on systems running various versions of Windows and Office. It has been tested against Office Pro Plus, Office 2013, Office 2016, and Office 2021.

Beaumont noted that the exploit does not appear to work against the latest Insider and Current versions of Office, which indicates that Microsoft may be working on patching the flaw, or some modifications need to be made to the exploit.

SecurityWeek has reached out to Microsoft for comment and will update this article if the company responds.

A domain used by the attacker for command and control (C&C) purposes, xmlformats[.]com, was hosted by Namecheap. The hosting company quickly “nuked” the domain after being notified.

Both Warren and Beaumont have proposed some potential mitigations until patches or workarounds are made available.

Related: Patch Tuesday: Microsoft Warns of New Zero-Day Being Exploited

Related: Microsoft Patches 128 Windows Flaws, New Zero-Day Reported by NSA