Security researchers have warned of what appears to be a new Microsoft Office zero-day that is being exploited in the wild. On May 27, a researcher known online as “nao_sec” tweeted that they had found an interesting malicious document on the VirusTotal malware scanning service.
The malicious Word file, uploaded to VirusTotal from Belarus, is designed to execute arbitrary PowerShell code when opened. Several other researchers have since analyzed the sample, including Kevin Beaumont, who published a blog post on Sunday detailing his findings.
“The document uses the Word remote template feature to retrieve an HTML file from a remote webserver, which in turn uses the ms-msdt MSProtocol URI scheme to load some code and execute some PowerShell,” Beaumont explained, adding, “That should not be possible.”
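The two-stage chain Beaumont describes leaves artifacts an analyst can check for offline: a remote template is wired into a .docx as an attachedTemplate relationship with TargetMode="External" in word/_rels/settings.xml.rels, and the second stage is an HTML page that references an ms-msdt: URI. The following triage script is an added example, not code from the article or from any of the researchers it cites; the sample document and HTML it inspects are constructed here, and the example.invalid URL and SampleDiagnostic name are placeholders rather than anything seen in the wild.

```python
"""Offline triage for the Word remote-template -> ms-msdt chain.

Added example (not from the original article). Assumes only the documented
OOXML layout: a .docx is a ZIP, and an external attached template appears as a
Relationship of type attachedTemplate with TargetMode="External" in
word/_rels/settings.xml.rels.
"""
import io
import re
import zipfile
import xml.etree.ElementTree as ET

REL_NS = "http://schemas.openxmlformats.org/package/2006/relationships"
ATTACHED_TEMPLATE = ("http://schemas.openxmlformats.org/officeDocument/2006/"
                     "relationships/attachedTemplate")
SETTINGS_RELS = "word/_rels/settings.xml.rels"

# Matches an ms-msdt: URI up to the quote or tag that closes it (spaces allowed,
# since the scheme carries command-line style arguments).
MSDT_URI = re.compile(r'ms-msdt:[^"\'<>]*', re.IGNORECASE)


def external_templates(docx_bytes):
    """Return the remote (External) attached-template targets of a .docx, if any."""
    found = []
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as z:
        if SETTINGS_RELS not in z.namelist():
            return found          # no template relationships at all
        root = ET.fromstring(z.read(SETTINGS_RELS))
        for rel in root.iter(f"{{{REL_NS}}}Relationship"):
            if (rel.get("Type") == ATTACHED_TEMPLATE
                    and rel.get("TargetMode") == "External"):
                found.append(rel.get("Target"))
    return found


def msdt_uris(html_text):
    """Return every ms-msdt: URI referenced in a retrieved HTML stage."""
    return MSDT_URI.findall(html_text)


def triage(docx_bytes, fetch):
    """Chain both checks. `fetch` maps a template URL to its HTML (or None);
    pass a dict's .get so the whole run stays offline."""
    findings = []
    for target in external_templates(docx_bytes):
        findings.append(("remote_template", target))
        for uri in msdt_uris(fetch(target) or ""):
            findings.append(("ms-msdt_uri", uri))
    return findings


def build_sample_docx(template_target=None):
    """Constructed sample: a minimal .docx. With a target it carries an External
    attachedTemplate relationship; without one it has no remote template."""
    rel = "" if template_target is None else (
        f'<Relationship Id="rId1" Type="{ATTACHED_TEMPLATE}" '
        f'Target="{template_target}" TargetMode="External"/>')
    rels = ('<?xml version="1.0" encoding="UTF-8" standalone="yes"?>'
            f'<Relationships xmlns="{REL_NS}">{rel}</Relationships>')
    settings = ('<?xml version="1.0" encoding="UTF-8" standalone="yes"?>'
                '<w:settings xmlns:w="http://schemas.openxmlformats.org/wordprocessingml/2006/main" '
                'xmlns:r="http://schemas.openxmlformats.org/officeDocument/2006/relationships">'
                '<w:attachedTemplate r:id="rId1"/></w:settings>')
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
        z.writestr("word/settings.xml", settings)
        z.writestr(SETTINGS_RELS, rels)
    return buf.getvalue()


# Constructed second-stage page; the URI is a placeholder, not the real payload.
SAMPLE_URL = "http://example.invalid/template.html"
SAMPLE_HTML = ('<html><body><script>\n'
               '  window.location.href = "ms-msdt:/id SampleDiagnostic";\n'
               '</script></body></html>')


if __name__ == "__main__":
    doc = build_sample_docx(SAMPLE_URL)
    for kind, value in triage(doc, {SAMPLE_URL: SAMPLE_HTML}.get):
        print(f"{kind}: {value}")
```

A benign document with only a local template produces no findings, so the script can run across a whole mail quarantine; any External attachedTemplate is worth a look on its own, and the ms-msdt check on the fetched stage is what separates this technique from ordinary remote-template abuse.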
According to the researcher, the code executes even when macros are disabled, which is notable because malicious Word documents typically rely on macros to run code. Microsoft Defender does not appear to block execution at this time.
“Protected View does kick in, although if you change the document to RTF form, it runs without even opening the document (via the preview tab in Explorer) let alone Protected View,” said Beaumont.
The researcher named the zero-day “Follina” because the malicious file references 0438, the area code of the Italian village of Follina. Roughly a third of the engines on VirusTotal detect the malicious document. According to Beaumont and others, including Didier Stevens and NCC Group’s Rich Warren, the Follina zero-day can be exploited to remotely execute arbitrary code on devices running various versions of Windows and Office; Office Pro Plus, Office 2013, Office 2016, and Office 2021 have all been tested.
Beaumont noted that the exploit does not appear to work on the Insider and Current Channel builds of Office, suggesting either that Microsoft is already working on a fix or that the exploit needs tweaking. Microsoft has been contacted for comment and a response is pending.
The attacker’s command and control (C&C) domain, xmlformats[.]com, was hosted with Namecheap, which “nuked” the domain promptly after being notified. Until patches or official workarounds are available, Warren and Beaumont have outlined several possible mitigations.