MSDT "Follina" vulnerability exploited in attacks against U.S., European governments

An unpatched remote code execution vulnerability in the Microsoft Windows Support Diagnostic Tool (MSDT), which is being tracked as CVE-2022-30192, is being exploited in phishing campaigns that are targeting U.S. and European government organizations.

The campaigns are using the vulnerability, also called Follina, to deploy malicious PowerShell scripts. These scripts are hidden inside compromised RTF documents and sent via email, with lures promising a salary increase.

The final payload performs reconnaissance on the victim's machine, collecting passwords from the browser, computer information, Windows domain details, lists of system users, and data from other applications like email clients, FTP and SSH clients, and Microsoft Office.

The behavioral detection capabilities included in Acronis Cyber Protect Cloud identify and block even brand-new threats based on the malicious behaviors that they exhibit — keeping your data safe, even when a fix for the vulnerability is not yet available.