Security Experts:

Connect with us

Hi, what are you looking for?


Malware & Threats

Document Exploiting New Microsoft Office Zero-Day Seen in the Wild

Cybersecurity researchers have issued a warning after spotting what appears to be a new Microsoft Office zero-day vulnerability that may have been exploited in the wild.

Cybersecurity researchers have issued a warning after spotting what appears to be a new Microsoft Office zero-day vulnerability that may have been exploited in the wild.

On May 27, a researcher who uses the online moniker “nao_sec” reported on Twitter that they had found an interesting malicious document on the VirusTotal malware scanning service. The malicious Word file, uploaded from Belarus, is designed to execute arbitrary PowerShell code when opened.

The malware was later analyzed by several others, including researcher Kevin Beaumont, who published a blog post detailing his findings on Sunday.

“The document uses the Word remote template feature to retrieve a HTML file from a remote webserver, which in turn uses the ms-msdt MSProtocol URI scheme to load some code and execute some PowerShell,” Beaumont explained, adding, “That should not be possible.”

The researcher noted that the code is executed even if macros are disabled — malicious Word documents are typically used for code execution via macros. Microsoft Defender currently does not appear to be capable of preventing execution.

“Protected View does kick in, although if you change the document to RTF form, it runs without even opening the document (via the preview tab in Explorer) let alone Protected View,” Beaumont said.

The researcher decided to name the zero day vulnerability “Follina” because the malicious file references 0438, which is the area code of Follina, a village in Italy.

Roughly one-third of the vendors on VirusTotal detect the malicious document at the time of writing.

Beaumont and others — including Didier Stevens and NCC Group’s Rich Warren — have confirmed that the Follina zero-day exploit can be used to remotely execute arbitrary code on systems running various versions of Windows and Office. It has been tested against Office Pro Plus, Office 2013, Office 2016, and Office 2021.

Beaumont noted that the exploit does not appear to work against the latest Insider and Current versions of Office, which indicates that Microsoft may be working on patching the flaw, or some modifications need to be made to the exploit.

SecurityWeek has reached out to Microsoft for comment and will update this article if the company responds.

A domain used by the attacker for command and control (C&C) purposes, xmlformats[.]com, was hosted by Namecheap. The hosting company quickly “nuked” the domain after being notified.

Both Warren and Beaumont have proposed some potential mitigations until patches or workarounds are made available.

Related: Patch Tuesday: Microsoft Warns of New Zero-Day Being Exploited

Related: Microsoft Patches 128 Windows Flaws, New Zero-Day Reported by NSA

Written By

Eduard Kovacs (@EduardKovacs) is a contributing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.

Click to comment

Expert Insights

Related Content

Malware & Threats

Microsoft plans to improve the protection of Office users by blocking XLL add-ins from the internet.

Cloud Security

VMware vRealize Log Insight vulnerability allows an unauthenticated attacker to take full control of a target system.

IoT Security

Lexmark warns of a remote code execution (RCE) vulnerability impacting over 120 printer models, for which PoC code has been published.

Mobile & Wireless

Apple rolled out iOS 16.3 and macOS Ventura 13.2 to cover serious security vulnerabilities.

Mobile & Wireless

Technical details published for an Arm Mali GPU flaw leading to arbitrary kernel code execution and root on Pixel 6.

Email Security

Microsoft is urging customers to install the latest Exchange Server updates and harden their environments to prevent malicious attacks.


Security researchers have observed an uptick in attacks targeting CVE-2021-35394, an RCE vulnerability in Realtek Jungle SDK.

Mobile & Wireless

Apple’s iOS 12.5.7 update patches CVE-2022-42856, an actively exploited vulnerability, in old iPhones and iPads.