Microsoft Office Has A Vulnerability That Chinese Hackers Are Exploiting

Hackers purportedly linked to the Chinese government are exploiting a recently discovered vulnerability in Microsoft Corporation’s (NASDAQ: MSFT) Office.

What Happened: A tweet by cybersecurity platform Proofpoint named a hacker group labeled “TA413” using the vulnerability to deliver Zip Archives containing Word documents that use the technique. 

“​​Campaigns impersonate the "Women Empowerments Desk" of the Central Tibetan Administration and use the domain tibet-gov.web[.]app,” said Proofpoint.

TA413 CN APT spotted ITW exploiting the #Follina #0Day using URLs to deliver Zip Archives which contain Word Documents that use the technique. Campaigns impersonate the "Women Empowerments Desk" of the Central Tibetan Administration and use the domain tibet-gov.web[.]app pic.twitter.com/4FA9Vzoqu4

— Threat Insight (@threatinsight) May 31, 2022

See Also: How To Buy Microsoft (MSFT) Shares

Why It Matters: The Dharamsala, India-based Central Tibetan Administration and other Tibetan dissidents were previously targeted by TA413, according to a Proofpoint blog post dating back to September 2020.

The latest vulnerability in Word came to light on May 27 after security group Nao Sec posted a sample of the malicious code submitted from Belarus. 

TA413 CN APT spotted ITW exploiting the #Follina #0Day using URLs to deliver Zip Archives which contain Word Documents that use the technique. Campaigns impersonate the "Women Empowerments Desk" of the Central Tibetan Administration and use the domain tibet-gov.web[.]app pic.twitter.com/4FA9Vzoqu4

— Threat Insight (@threatinsight) May 31, 2022

The vulnerability was dubbed Follina, after a town in Italy by cybersecurity researcher Kevin Beaumont.

If you use Defender for Endpoint on E5, here's a quick advanced hunting query I made for this -- can be set as a Custom detection rule.

I'm calling this vuln Follina, a place a Italy (and also the area code of the CVE suspected to be allocated to this).https://t.co/t5CaajScrI

— Kevin Beaumont (@GossiTheDog) May 29, 2022

Beaumont penned a blog post over the weekend and said the vulnerability lets a malicious Word file retrieve HTML files from a remote webserver and then execute PowerShell commands by hijacking the Microsoft Support Diagnostic Tool — a program meant to collect information on problems affecting Microsoft’s apps. 

Importantly, the vulnerability can be exploited despite macros being disabled in Word, according to Beaumont.

Beaumont said he could not get the vulnerability to work on the Insider and Current versions of Office, which suggests Microsoft tried to fix this vulnerability without documenting it. This supposedly took place around May 2022.

“The vulnerability has been proved in Office 2013, 2016, 2019, 2021, Office ProPlus and Office 365” and appears exploitable using .RTF files on all versions of Office 365, wrote Beaumont.

Price Action: On Wednesday, Microsoft shares closed 0.2% higher at $272.42 in the regular session and fell 0.3% in the after-hours trading, according to data from Benzinga Pro.

Read Next: Sick Of Losing Your Apple TV Remote? This $40 Accessory Can Help You