Microsoft Office RCE Follina (Resolved) Issue / Performance
28 days

ExchangeDefender has published the Follina Mitigation Advanced Feature and it is currently available to our managed and enterprise clients. 

The policy is available under the Domain Admin login at https://admin.exchangedefender.com under Advanced Features. 

When this policy is enabled, ExchangeDefender will consider every Microsoft Office attachment as potentially infected and will qurantine it on our network. From there, Domain Admin can follow the directions in the email to retrieve the message from our admin portal. If you have Advanced Features : Infected Attachments enabled, end users can also download these attachments on their own without help from IT/admin. 

https://exchangedefender.com/images-documentation/advanced_features_follina_mitigation.png

Important: ExchangeDefender is already protecting all clients from the follina exploit in the wild through our antivirus. Please follow Microsoft's instructions.

Side note: This is not a good way to protect yourself and we're only publishing this due to an overwhelming demand by our larger clients. Microsoft's security record with Exchange and Office lately has made many IT people lose confidence in their ability to protect a Microsoft network. We will deliver a more elegant way of accessing prohibited attachments through the ExchangeDefender Sandbox soon, but we hope that this quick containmnent option is viable for clients that want to layer attachment policy blocking at the perimeter for the time being. 

Update 05/31/2022 16:14 PM 28 days

Updating the advisory to link to remote code execution proof of concept:

https://github.com/JohnHammond/msdt-follina

This RCE affects all versions of Microsoft Office, please follow Microsoft's official CVE.

ExchangeDefender is already finding and blocking these exploits through our antivirus security but we still recommend following Microsoft's advice to remove  msdt associations. 

Update 05/31/2022 15:26 PM 28 days

Microsoft Office has an RCE exploit named "Follina" in the wild that can easily compromise a Windows PC even through a preview in Windows Explorer (.lnk and .rtf files). It affects all versions of Microsoft office from 

To protect your clients please urgently turn off ms-msdt associations https://gist.github.com/wdormann/031962b9d388c90a518d2551be58ead7

If that is not an option, you can use ExchangeDefender to block the following attachments through the Domain Admin:


.xps

.pub

.ecf

.one

.mde

.mda

.doc

.dot

.wbk

.docx

.docm

.dotx

.docb

.wll

.wwl

.xlt

.xls

.xlsx

.xlm

.xltx 

.xltm

.xlsb

.xla

.xlam

.xxl

.xlw

.ppt

.pot

.pps

.ppa

.ppam

.pptx

.pptm

.potx

.potm

.ppam

.ppsx

.ppsm

.sldx

.sldm

.pa

We are actively working on making Office attachment blocking a one-click setting and expect it to be published by the end of day 5/31/2022.