Follina Vulnerability — What to Expect?

SOC Prime
Published in Cybersecurityspace
May 31, 2022

Microsoft Office is every attacker’s sweet spot, and now adversaries have found something more interesting to exploit than macros.

Living off the land is not new, yet the recent vulnerability CVE-2022-30190, dubbed Follina, is all the rage these days. Found in the wild in April, it evades detection smoothly, without needing elevated privileges or macro code.

For sure, Follina likes the drama. Microsoft disregarded it initially, calling the issue not security-related, but later, independent researchers proved otherwise. Some call it a new attack vector, while others refer to it as trivial.

Hoping that Microsoft Defender for Endpoint will capture traces of Follina is naive, not least because when attackers abuse the privileges of a calling application like Word, the activity looks completely legitimate as far as the endpoint is concerned. Old tricks like disabling macros won’t work either.

While there is no officially released patch yet, you can check the quick remediation measures described in the Microsoft guidance. Note that easy “recipes for success” like deleting registry keys or disabling troubleshooters might still not do the trick.

So, are you sure Follina is not messing with your network right now, acting like a normal process?

Hand-picked Follina detections for the right log sources are what you need.

Here are the detections for:

You will find Sigma rules, as well as translations to numerous vendor-specific formats. You can also edit each query and alert to fit your specific needs, and review the latest intelligence on Follina.
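As an added illustration, not code from this post or from SOC Prime's platform, here is the core of such a detection in Python: it scans constructed process-creation records and flags msdt.exe being launched by an Office host, or reached through the ms-msdt: URL handler from any parent. The record format and field names are assumptions modelled on Sysmon process-creation events, and the sample log lines are constructed.

```python
"""Follina-style msdt.exe launch detection over process-creation telemetry (added example)."""
from typing import List, Optional, Tuple

# Office hosts that have no business launching the diagnostics tool (assumption: tune to your estate).
OFFICE_HOSTS = {"winword.exe", "excel.exe", "outlook.exe", "powerpnt.exe"}
# Command-line fragments present when msdt.exe is reached via the ms-msdt: URL protocol handler.
MSDT_URL_MARKERS = ("ms-msdt:", "it_browseforfile", "it_rebrowseforfile")

# Constructed sample records in a simple 'Key=Value|Key=Value' layout (hypothetical format).
SAMPLE_LOG = [
    "ParentImage=C:\\Program Files\\Microsoft Office\\root\\Office16\\WINWORD.EXE"
    "|Image=C:\\Windows\\System32\\msdt.exe"
    "|CommandLine=msdt.exe ms-msdt:/id PCWDiagnostic /skip force /param IT_RebrowseForFile=<placeholder>",
    # Benign: a user-launched network troubleshooter, no Office parent, no URL-handler marker.
    "ParentImage=C:\\Windows\\explorer.exe|Image=C:\\Windows\\System32\\msdt.exe"
    "|CommandLine=msdt.exe -id NetworkDiagnosticsWeb",
    # Suspicious: URL handler reached from a browser rather than an Office host.
    "ParentImage=C:\\Program Files\\Mozilla Firefox\\firefox.exe|Image=C:\\Windows\\System32\\msdt.exe"
    "|CommandLine=msdt.exe ms-msdt:/id PCWDiagnostic",
    # Benign: Word spawning something other than msdt.exe.
    "ParentImage=C:\\Program Files\\Microsoft Office\\root\\Office16\\WINWORD.EXE"
    "|Image=C:\\Windows\\System32\\notepad.exe|CommandLine=notepad.exe",
]


def parse_event(line: str) -> dict:
    """Split a 'Key=Value|Key=Value' record into a dict; only the first '=' per field separates key from value."""
    fields = {}
    for part in line.split("|"):
        key, _, value = part.partition("=")
        fields[key.strip()] = value.strip()
    return fields


def basename(path: str) -> str:
    """Lower-cased file name of a Windows path, so matching is independent of install location."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def classify(event: dict) -> Optional[str]:
    """Return 'high' or 'medium' when the record matches Follina behaviour, otherwise None."""
    if basename(event.get("Image", "")) != "msdt.exe":
        return None
    if basename(event.get("ParentImage", "")) in OFFICE_HOSTS:
        return "high"  # Office host spawning the diagnostics tool: the core Follina signal.
    cmd = event.get("CommandLine", "").lower()
    if any(marker in cmd for marker in MSDT_URL_MARKERS):
        return "medium"  # URL-handler invocation from another parent: worth a look, more false positives.
    return None


def scan(lines: List[str]) -> List[Tuple[int, str]]:
    """Return (record index, severity) for every record that matches."""
    hits = [(i, classify(parse_event(line))) for i, line in enumerate(lines)]
    return [(i, sev) for i, sev in hits if sev is not None]
```

A Sigma rule expressing the same logic keys on ParentImage, Image and CommandLine from process-creation events, which is why that log source is the one worth collecting for this vulnerability.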

Our Detection-as-Code platform saves time for detection engineers, researchers, and threat hunters. Every day our security professionals work on quality and timely content. And after registration, you can access it for free.
