Tainan Branch, Administrative Enforcement Agency, Ministry of Justice

Zero-Day Bug Lays Microsoft Office Open to Attack

  • Last updated: 2022-06-21

The loaded HTML uses the “ms-msdt” MSProtocol URI scheme to load and execute a snippet of PowerShell code.

“It uses Word’s external link to load the HTML and then uses the ‘ms-msdt’ scheme to execute PowerShell code,” as reported by Nao Sec.

MSDT stands for the Microsoft Support Diagnostic Tool, which collects information and reports it to Microsoft Support. This troubleshooting wizard analyzes the gathered information and attempts to find a resolution to hiccups experienced by the user.

Beaumont found that the flaw allows the code to run via MSDT, “even if macros are disabled”.

“Protected View does kick in, although if you change the document to RTF form, it runs without even opening the document (via the preview tab in Explorer) let alone Protected View,” Beaumont further explained.

Beaumont confirmed that the exploit currently affects older versions of Microsoft Office, 2013 and 2016, and that endpoint detection “missed execution” of the malware. Additional research revealed that the vulnerability impacts even the most recent version of Microsoft Office.

Another security researcher, Didier Stevens, said he exploited the Follina bug on a fully patched version of Office 2021, and John Hammond, a cybersecurity researcher, tweeted a working proof of concept for Follina.

Microsoft users with E5 licenses can detect the exploit by adding the endpoint query to Defender. Additionally, Warren suggests using Attack Surface Reduction (ASR) rules to block Office applications from creating child processes.
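The two detection ideas in this article, an Office application spawning msdt.exe (the condition the ASR rule acts on) and msdt.exe being started through an ms-msdt: URI (the mechanism described at the top of the article), can be expressed as a small triage routine over process-creation events. The following Python is an added example written for this page, not code from the article, from Microsoft, or from the researchers quoted; the event field names, the list of Office parent processes and the sample events are constructed, and the ms-msdt: parameters in the samples are placeholders.

```python
"""Triage of process-creation events for MSDT abuse (added example).

Flags the two patterns the article describes: an Office application
spawning msdt.exe, and msdt.exe invoked through an ms-msdt: URI, plus
the broader condition the ASR rule "block Office applications from
creating child processes" enforces. Field names and sample events are
constructed for this example.
"""
from __future__ import annotations

import re
from dataclasses import dataclass

# Office hosts the scenario starts from (assumed list; extend as needed).
OFFICE_PARENTS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
MSDT_URI = re.compile(r"\bms-msdt:", re.IGNORECASE)


@dataclass(frozen=True)
class ProcessEvent:
    parent_image: str   # full path of the parent process
    image: str          # full path of the created process
    command_line: str   # command line of the created process


def basename(path: str) -> str:
    """Lower-cased file name of a Windows or POSIX path."""
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()


def classify(event: ProcessEvent) -> list[str]:
    """Return the detection labels that apply to one event (empty if benign)."""
    parent, child = basename(event.parent_image), basename(event.image)
    findings: list[str] = []
    if parent in OFFICE_PARENTS:
        # Same condition the ASR rule acts on: any child of an Office app.
        findings.append("office-child-process")
        if child == "msdt.exe":
            findings.append("office-spawned-msdt")
    if child == "msdt.exe" and MSDT_URI.search(event.command_line):
        # Catches the URI-scheme invocation even when the parent is not an
        # Office process, e.g. the RTF preview case the article mentions.
        findings.append("msdt-uri-invocation")
    return findings


def triage(events: list[ProcessEvent]) -> list[tuple[int, list[str]]]:
    """(index, labels) for every event that produced at least one finding."""
    return [(i, f) for i, e in enumerate(events) if (f := classify(e))]


# Constructed sample events; everything after "ms-msdt:/id" is a placeholder.
SAMPLE_EVENTS = [
    # 0: Word spawning msdt.exe with an ms-msdt: URI (the article's scenario)
    ProcessEvent(r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
                 r"C:\Windows\System32\msdt.exe",
                 r'"C:\Windows\System32\msdt.exe" ms-msdt:/id PLACEHOLDER_DIAGNOSTIC'),
    # 1: same URI, but the parent is not an Office process (preview-style case)
    ProcessEvent(r"C:\Windows\explorer.exe",
                 r"C:\Windows\System32\msdt.exe",
                 r'"C:\Windows\System32\msdt.exe" ms-msdt:/id PLACEHOLDER_DIAGNOSTIC'),
    # 2: Word spawning a non-MSDT child; only the generic ASR condition applies
    ProcessEvent(r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
                 r"C:\Windows\splwow64.exe",
                 r"C:\Windows\splwow64.exe 12288"),
    # 3: msdt.exe started by a service host without the URI scheme (benign)
    ProcessEvent(r"C:\Windows\System32\svchost.exe",
                 r"C:\Windows\System32\msdt.exe",
                 r'"C:\Windows\System32\msdt.exe" -path C:\Windows\diagnostics\index\CONSTRUCTED.xml'),
]

if __name__ == "__main__":
    for index, labels in triage(SAMPLE_EVENTS):
        event = SAMPLE_EVENTS[index]
        print(index, basename(event.parent_image), "->", basename(event.image), labels)
```

Event 0 trips all three labels, event 1 only the URI label, event 2 only the generic Office-child label, and event 3 nothing. The generic label is deliberately noisy: it mirrors what the ASR rule blocks, so a team considering that rule can run it in audit mode first and review which legitimate Office children it would affect before enforcing it.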
