“Follina”- Zero-day vulnerability in Microsoft Office: Check Point Customers remain protected

*Last updated June 1st 7.42 EST

The vulnerability
On May 30th researchers revealed a zero-day vulnerability in Microsoft Office that if exploited by using a malicious word document, might enable code execution on a victim’s machine.
The vulnerability, now dubbed “follina” sees a word document using a remote template feature to retrieve an HTML File from a remote server, and by using an ms-msdt MSProtocol URI scheme can execute a PowerShell.

Which versions are vulnerable?
Office 2013, 2016, 2019, 2021, and some versions of Office included with a Microsoft 365 license are subject to this vulnerability on both Windows 10 and Windows 11.

What is the risk in Remote Code Execution (RCE)?
Remote code execution (RCE) attacks allow an attacker to remotely execute malicious code on a computer. The impact of an RCE vulnerability can range from malware execution to an attacker gaining full control over a compromised machine.

Check Point customers among the first to be protected from Follina Vulnerability
Check Point customers were protected on the same day Follina was discovered (May 30th). Utilizing Harmony Endpoint and Threat Emulation behavioral protections we prevented Follina attacks in Zero day.
Moreover, Check Point Threat Emulation identified attacks utilizing Follina even before its publication, for example in the Chinese APT operation Twisted Panda.

Check Point Protections against the Follina vulnerability include:
Threat Emulation: Exploit.Wins.Follina.*
Harmony Endpoint: Exploit.Wins.Follina.*
IPS: Microsoft Support Diagnostic Tool Remote Code Execution (CVE-2022-30190)

Sanitized threat free files keep Check Point customers protected
Powered by ThreatCloud, our advanced sandboxing technology, Threat Emulation, is able to analyze an entire infection chain. Right from the beginning,  Threat Emulation will analyze the dropper file actions. By utilizing a secure open connection to the internet, Threat Emulation will let the dropper download the second file, execute it and detect it as malicious – thus preventing the attack before it ever breaches the network. Threat Emulation protects networks against unknown threats in web downloads and e-mail attachments. The Threat Emulation engine picks up malware at the initial phase, before it enters the network. The engine quickly quarantines and runs the files in a virtual sandbox environment, which imitates a standard operating system, in order to discover malicious behavior at the exploit phase, before hackers can apply evasion techniques to bypass a sandbox.  Powered by Check Point ThreatCloud, which is the most powerful threat intelligence database. ThreatCloud is continuously enriched by advanced predictive intelligence engines, data from hundreds of millions of sensors, cutting-edge research from Check Point Research and external intelligence feeds.

These capabilities protect Check Point customers while they are using their Endpoint by Harmony Endpoint, while browsing the internet by Harmony Browse, it’s available through our Network protection  with with Quantum™ Network Security, while using email accounts by using Cloud Email & Collaboration Suite Security, and on Mobile Devices, by Harmony Mobile.

Watch: Check Point Harmony Endpoint vs. Microsoft Office “Follina” Exploit:


Best Practice Recommendations:

Check Point urges users to practice the following on regular basis:

1. Never open document from that you don’t expect , even if it comes from known senders.
2. Unless there is clear need, don’t turn off protected mode from documents that originate from internet or email.
3. Refrain from opening .rtf files that originate from internet, even in preview mode.

Microsoft has released protection guidance and assigned CVE-2022-30190 to this vulnerability.
Check Point researchers closely monitors this evolving story and will continue to report as more information becomes available