Cyber Incident Victim: Italian Ministries of Defense and Foreign Affairs
Date: Apr 2022
Location: Italy
Summary
A cyberattack exploiting a Microsoft Office zero-day vulnerability known as 'Follina' targeted Italian government entities. The attackers used malicious Word documents to execute PowerShell commands through the Microsoft Diagnostic Tool, bypassing Windows Defender without requiring macros or elevated privileges. The exploit relied on remote HTML templates and the ms-msdt URI scheme and affected multiple Office versions. Although Microsoft initially dismissed the report, a patch was later issued; detection nonetheless remained difficult because the final payload was delivered from a remote host rather than embedded in the document.
Description
In April 2022, security researchers identified a zero-day vulnerability in Microsoft Office, later named 'Follina,' which attackers exploited to execute arbitrary PowerShell commands through malicious Word documents. The exploit leveraged the Microsoft Diagnostic Tool (MSDT) via a crafted 'ms-msdt' URI scheme embedded within Office documents, bypassing traditional security measures like Windows Defender without requiring elevated privileges or macro activation. Researchers nao_sec and Kevin Beaumont analyzed the attack methodology, revealing that threat actors used Microsoft’s remote template feature to load HTML files containing the malicious payload. This delivery mechanism allowed attackers to evade detection by hosting the final payload externally, complicating forensic analysis. The vulnerability impacted Office 2013, 2016, and even patched versions of Office 2021, indicating a broad attack surface. Microsoft initially dismissed reports of the flaw when researchers disclosed it in April 2022, delaying mitigation efforts until a formal patch was released in late May.

The exploitation of Follina enabled attackers to run arbitrary code on compromised systems, posing significant risks to unpatched environments. Security firm Huntress and researcher Didier Stevens proposed interim mitigations, including blocking Office applications from spawning child processes and removing the ms-msdt file association registry key to break the attack chain. The remote payload delivery method hindered detection, since a malicious document could fetch its payload only after being opened, leaving minimal traces in initial forensic scans. Microsoft's eventual patch addressed the MSDT protocol handler abuse, though organizations relying solely on signature-based defenses remained exposed during the weeks between initial exploitation and the patch's release. The incident underscored the challenges of coordinating vulnerability disclosures and the need for proactive monitoring of unconventional attack vectors in enterprise software.
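The two interim mitigations credited above to Huntress and Didier Stevens (blocking Office child processes and removing the ms-msdt protocol handler) can be applied and verified from an elevated PowerShell session. The script below is an added example written for this record; it is not code from the incident report or from either researcher. It assumes the Defender attack surface reduction rule GUID D4F940AB-401B-4EFC-AADC-AD5F3C50688A ("Block all Office applications from creating child processes") and uses a backup directory, $BackupDir, chosen for the example.

```powershell
# Added example: interim hardening against ms-msdt protocol handler abuse.
# Not part of the original incident record. Run from an elevated PowerShell
# session on the affected Windows host.
# Assumptions: $BackupDir is an example path; $AsrOfficeRule is the GUID of
# Defender's "Block all Office applications from creating child processes" rule.
param(
    [string]$BackupDir = 'C:\Temp\follina-mitigation'   # example backup location
)

$ProtocolKey   = 'HKEY_CLASSES_ROOT\ms-msdt'             # handler the exploit chain relies on
$AsrOfficeRule = 'D4F940AB-401B-4EFC-AADC-AD5F3C50688A'  # Office child-process ASR rule

New-Item -ItemType Directory -Path $BackupDir -Force | Out-Null

# 1. Remove the ms-msdt protocol handler, keeping an exported copy so it can be
#    restored with `reg.exe import` once the vendor patch is in place.
if (Test-Path "Registry::$ProtocolKey") {
    $backupFile = Join-Path $BackupDir 'ms-msdt.reg'
    reg.exe export $ProtocolKey $backupFile /y | Out-Null
    reg.exe delete $ProtocolKey /f | Out-Null
    Write-Host "Removed $ProtocolKey (backup written to $backupFile)"
} else {
    Write-Host "$ProtocolKey not present; nothing to remove"
}

# 2. Stop Office applications from launching child processes (msdt.exe included)
#    via the Defender attack surface reduction rule.
Add-MpPreference -AttackSurfaceReductionRules_Ids $AsrOfficeRule `
                 -AttackSurfaceReductionRules_Actions Enabled

# 3. Verify both controls took effect. Action value 1 means the rule is in
#    Block mode; anything else means it is audit-only, disabled or missing.
$prefs = Get-MpPreference
$ruleState = 'not configured'
for ($i = 0; $i -lt $prefs.AttackSurfaceReductionRules_Ids.Count; $i++) {
    if ($prefs.AttackSurfaceReductionRules_Ids[$i] -ieq $AsrOfficeRule) {
        $ruleState = $prefs.AttackSurfaceReductionRules_Actions[$i]
        break
    }
}

[pscustomobject]@{
    MsMsdtHandlerPresent = Test-Path "Registry::$ProtocolKey"   # expect False
    OfficeChildProcRule  = $ruleState                           # expect 1 (Block)
}
```

Removing the handler is a stop-gap, not a patch: it also disables legitimate ms-msdt links until the exported key is re-imported, so record the backup path and restore the key after the Microsoft fix has been applied and confirmed.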
