Follina Zero-Day Vulnerability: Overview and Alert Upon Detection for CVE-2022-30190
Blog post from Logz.io
On May 27, 2022, a security research team called nao_sec identified a new Microsoft Word document vulnerability, later named the "Follina" vulnerability, which allows attackers to execute malicious code on a target machine through the ms-msdt: protocol URI scheme (the Microsoft Support Diagnostic Tool) without relying on macros. The vulnerability was initially undetected by Microsoft Defender for Endpoint and affects all versions of Office, with no immediate patch available.

Logz.io has created a detection rule for this vulnerability, CVE-2022-30190, and has deployed it to all customer SIEM accounts to monitor exploitation attempts. Logz.io also suggests using Sysmon for process-level logging, despite its high data volume, and encourages customers to optimize this monitoring through its platform.

The vulnerability's potential for long-term exploitation highlights the importance of vigilance and the anticipation of a future patch.
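The detection approach described above, as an added illustration that is not Logz.io's rule or code from the blog post: it evaluates constructed Sysmon Event ID 1 (process creation) records for the pattern public write-ups associate with Follina, an Office application spawning msdt.exe, or any process whose command line carries the ms-msdt: URI scheme. The field names (EventID, Image, ParentImage, CommandLine) are the standard Sysmon ones; the host names, PIDs, and command lines in the sample records are constructed.

```python
"""Follina-style (CVE-2022-30190) process-creation detection sketch.

Added illustration, not Logz.io's detection rule. Evaluates constructed
Sysmon Event ID 1 records for two signals: an Office parent spawning
msdt.exe, and the ms-msdt: URI scheme appearing in a command line.
"""
import ntpath

# Office binaries that should not normally launch the diagnostic tool.
OFFICE_PARENTS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
MSDT_IMAGE = "msdt.exe"
MSDT_SCHEME = "ms-msdt:"


def _basename(path):
    """Lower-cased file name of a Windows path (works on any host OS)."""
    return ntpath.basename(path or "").lower()


def evaluate_event(event):
    """Return the list of matched reasons for one Sysmon record.

    An empty list means the record does not warrant an alert.
    Only Event ID 1 (process creation) records are examined.
    """
    if event.get("EventID") != 1:
        return []
    reasons = []
    image = _basename(event.get("Image"))
    parent = _basename(event.get("ParentImage"))
    cmdline = (event.get("CommandLine") or "").lower()
    if parent in OFFICE_PARENTS and image == MSDT_IMAGE:
        reasons.append(f"office parent {parent} spawned {image}")
    if MSDT_SCHEME in cmdline:
        reasons.append("ms-msdt: URI in command line")
    return reasons


def scan(events):
    """Return (Computer, ProcessId, reasons) for every matching record."""
    alerts = []
    for ev in events:
        reasons = evaluate_event(ev)
        if reasons:
            alerts.append((ev.get("Computer"), ev.get("ProcessId"), reasons))
    return alerts


# Constructed sample records shaped like Sysmon Event ID 1 output.
SAMPLE_EVENTS = [
    # Suspicious: Word launching msdt.exe with an ms-msdt: URI.
    {"EventID": 1, "Computer": "ws01", "ProcessId": 4120,
     "Image": r"C:\Windows\System32\msdt.exe",
     "ParentImage": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "CommandLine": r'"C:\Windows\System32\msdt.exe" ms-msdt:/constructed-sample-uri'},
    # Benign: a user opening a troubleshooter from Control Panel.
    {"EventID": 1, "Computer": "ws02", "ProcessId": 5210,
     "Image": r"C:\Windows\System32\msdt.exe",
     "ParentImage": r"C:\Windows\System32\control.exe",
     "CommandLine": r'"C:\Windows\System32\msdt.exe" /path C:\Windows\diagnostics\system\Printer'},
    # Benign: Word spawning the print spooler helper.
    {"EventID": 1, "Computer": "ws03", "ProcessId": 6004,
     "Image": r"C:\Windows\splwow64.exe",
     "ParentImage": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "CommandLine": r"C:\Windows\splwow64.exe 12288"},
    # Ignored: not a process-creation event even though the text matches.
    {"EventID": 3, "Computer": "ws04", "ProcessId": 7001,
     "Image": r"C:\Windows\System32\msdt.exe",
     "ParentImage": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "CommandLine": "ms-msdt: in a network event, deliberately skipped"},
]


if __name__ == "__main__":
    for computer, pid, reasons in scan(SAMPLE_EVENTS):
        print(f"ALERT host={computer} pid={pid}: {'; '.join(reasons)}")
```

The two signals are kept separate so an analyst can see which one fired: the parent/child pairing catches the Office-to-MSDT hop even if the command line is obfuscated or truncated, and the URI check catches ms-msdt: launched from a non-Office parent. Restricting the logic to Event ID 1 is what keeps the Sysmon volume the post warns about manageable, since network and file events are never examined.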