Follina (CVE-2022-30190) is a critical remote code execution vulnerability in Microsoft Support Diagnostic Tool (MSDT) that was actively exploited in the wild in mid-2022. Unlike traditional macro-based document attacks, Follina requires no macros — instead abusing the ms-msdt URI scheme via an external OLE relationship embedded in a Word document. The lab tasks an analyst with extracting IOCs and building detection logic from a malicious sample.
Initial triage of the sample via its SHA1 hash:
```bash
sha1sum sample.doc
```
SHA1: 06727ffda60359236a8029e0b3e8a0fd11c23313
VirusTotal identifies the file as an Office Open XML Document — a modern Word format (.docx) masquerading with a .doc extension. olevba confirms no VBA or XLM macros are present, which is expected — Follina’s entire premise is macro-free exploitation.
Since the file is OpenXML (a zip container), the external relationships can be extracted directly:
```bash
unzip -p sample/sample.doc word/_rels/document.xml.rels
```
The output reveals a suspicious external relationship embedded in **document.xml.rels**:
```
rId996 | oleObject | Target="https://www.xmlformats.com/office/word/2022/wordprocessingDrawing/RDF842l.html"
```
The attacker domain xmlformats.com is deliberately crafted to impersonate the legitimate Microsoft namespace openxmlformats.org — dropping “open” and the “s” from “formats”. Buried in a wall of legitimate-looking XML relationships, this is easy to miss on casual inspection.
Extracted URL: hxxps://www[.]xmlformats[.]com/office/word/2022/wordprocessingDrawing/RDF842l[.]html
When Word opens the document, it fetches the external HTML file via the oleObject relationship. The HTML contains an ms-msdt URI that invokes the Microsoft Support Diagnostic Tool with attacker-controlled parameters, achieving code execution without any macro interaction from the user.
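The relationship check described above, automated as an added example (not part of the original lab write-up): the script builds a minimal OOXML container in memory with a constructed `document.xml.rels`, flags every `TargetMode="External"` relationship, and marks an `oleObject` pointing at an HTTP(S) target as suspicious. The sample relationship IDs and the lookalike target are modelled on the write-up; the helper names are my own.

```python
import io
import zipfile
import xml.etree.ElementTree as ET
from urllib.parse import urlparse

RELS_PATH = "word/_rels/document.xml.rels"
PKG_NS = "http://schemas.openxmlformats.org/package/2006/relationships"
OLE_TYPE = "http://schemas.openxmlformats.org/officeDocument/2006/relationships/oleObject"

# Constructed sample rels part: two benign internal parts and one external oleObject
# whose target mimics the lookalike domain discussed in the write-up.
SAMPLE_RELS = f"""<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<Relationships xmlns="{PKG_NS}">
  <Relationship Id="rId1" Type="http://schemas.openxmlformats.org/officeDocument/2006/relationships/styles" Target="styles.xml"/>
  <Relationship Id="rId2" Type="http://schemas.openxmlformats.org/officeDocument/2006/relationships/settings" Target="settings.xml"/>
  <Relationship Id="rId996" Type="{OLE_TYPE}" Target="https://www.xmlformats.com/office/word/2022/wordprocessingDrawing/RDF842l.html" TargetMode="External"/>
</Relationships>"""


def build_sample_docx() -> bytes:
    """Build a minimal OOXML zip holding only the constructed rels part."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr(RELS_PATH, SAMPLE_RELS)
    return buf.getvalue()


def external_relationships(docx_bytes: bytes) -> list:
    """Return every relationship in document.xml.rels whose TargetMode is External."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as zf:
        root = ET.fromstring(zf.read(RELS_PATH))
    for rel in root.iter(f"{{{PKG_NS}}}Relationship"):
        if rel.get("TargetMode", "Internal").lower() != "external":
            continue  # internal parts (styles, settings, ...) are normal
        target = rel.get("Target", "")
        parsed = urlparse(target)
        findings.append({
            "id": rel.get("Id"),
            "type": rel.get("Type", "").rsplit("/", 1)[-1],
            "target": target,
            "host": parsed.hostname or "",
            # An oleObject fetched over HTTP(S) is the Follina delivery shape.
            "suspicious": rel.get("Type") == OLE_TYPE and parsed.scheme in ("http", "https"),
        })
    return findings


def defang(url: str) -> str:
    """Defang a URL for a report: http -> hxxp, '.' -> '[.]' (as in the IOC table)."""
    return url.replace("http", "hxxp", 1).replace(".", "[.]")
```

Run against a real sample by replacing `build_sample_docx()` with the file's bytes; any `suspicious` hit is worth a look even when the host does not resemble a known Microsoft namespace.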
A key detail of the HTML processing logic: HTML files smaller than 4096 bytes will not invoke the payload, a size threshold the exploit code is built around.
Upon execution the sample attempts to kill msdt.exe if it is already running, likely to ensure a clean execution environment and avoid conflicts with an existing MSDT instance.
Process-based detection using Windows Event ID 4688 (Process Creation) should monitor for:
| Field | Value |
|---|---|
| ParentProcessName | winword.exe |
| ProcessName | msdt.exe |
A KQL detection rule for Microsoft Sentinel targeting this behaviour is available at the Microsoft Sentinel Queries repository.
Seeing winword.exe spawn msdt.exe is highly anomalous — legitimate MSDT invocations do not originate from Word.
| Type | Value |
|---|---|
| SHA1 | 06727ffda60359236a8029e0b3e8a0fd11c23313 |
| URL | hxxps://www[.]xmlformats[.]com/office/word/2022/wordprocessingDrawing/RDF842l[.]html |
| Domain | xmlformats[.]com |
| CVE | CVE-2022-30190 |
| Technique | ID |
|---|---|
| Command and Scripting Interpreter | T1059 |
Follina demonstrated that macro security controls alone are insufficient — attackers can achieve RCE through document external relationships without any macro execution. The typosquatted domain xmlformats.com versus openxmlformats.org is a reminder that IOC extraction requires careful character-level inspection. Detection engineering for this class of exploit requires process lineage monitoring rather than content-based signatures — winword.exe spawning msdt.exe is the key indicator regardless of the payload delivered.