CVE-2022-30190 Explained: Follina, the Zero-Click Microsoft Office RCE
A Microsoft Support Diagnostic Tool vulnerability triggered by opening or previewing a Word document. No macros. No user clicks. Full remote code execution from a weaponized .docx file — and no security bar warning.

Founder & Cybersecurity Evangelist
CVE-2022-30190, nicknamed Follina, was discovered by nao_sec researchers on May 27, 2022 and had already been exploited in the wild before discovery — samples date to April 2022.
The vulnerability abuses the ms-msdt:// URI scheme, a Windows protocol handler that launches the Microsoft Support Diagnostic Tool. A specially crafted Office document containing an external OLE template reference forces Word to fetch a malicious HTML file from an attacker-controlled server, which executes an ms-msdt:// URL that runs arbitrary PowerShell code.
What makes Follina uniquely dangerous: it requires no macros. Office documents with macro content display a yellow security bar requiring user acknowledgment. Follina uses OLE template references — a legitimate Office feature — which raises no such warning. On some Windows configurations, simply previewing the file in Windows Explorer's Preview Pane without opening it triggers the exploit.
How the Follina Exploit Chain Works
A malicious .docx file contains an OLE template relationship entry pointing to an external attacker-controlled URL instead of a local template file. When Word opens the document (or Windows Explorer generates a preview), Word fetches the external URL.
The attacker's server returns an HTML file containing a redirect to an ms-msdt:// URI. This URI invokes MSDT.exe with attacker-specified parameters, including an IT_BrowseForFile parameter embedding a PowerShell command. MSDT.exe executes this PowerShell command as the current user with no UAC prompt and no macro warning displayed.
Craft Malicious DOCX
Attacker creates a .docx file with an OLE template XML relationship pointing to an attacker-controlled HTTP URL instead of a local template.
Victim Opens or Previews Document
Victim opens the document in Word, or previews it in Windows Explorer. No macro warning is displayed — the file appears clean.
Word Fetches External Template
Word's template loading code fetches the external URL. The attacker's server returns an HTML file with the payload.
HTML Invokes ms-msdt:// URI
The HTML redirects to an ms-msdt:// URI with embedded PowerShell code in the IT_BrowseForFile parameter.
MSDT Executes PowerShell as Current User
Windows invokes MSDT.exe, which processes the URI and executes the embedded PowerShell command — achieving code execution with no further user interaction.
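A defensive check for the first step of this chain, as an added example that is not from the original article: it scans the relationship parts of a .docx package for template or OLE object relationships that point at a remote HTTP(S) URL. The watched relationship types (attachedTemplate, oleObject), the function names and the sample archives are assumptions constructed here.

```python
import io
import zipfile
import xml.etree.ElementTree as ET
from urllib.parse import urlparse

# stdlib parser keeps the example dependency-free; prefer defusedxml on untrusted files.
REL_NS = "{http://schemas.openxmlformats.org/package/2006/relationships}"
OFFICE = "http://schemas.openxmlformats.org/officeDocument/2006/relationships/"
# Assumed watch list: relationship types through which Word loads linked content.
WATCHED_TYPES = ("attachedTemplate", "oleObject")
REMOTE_SCHEMES = {"http", "https"}


def find_external_relationships(docx_bytes):
    """Return (part, rel_type, target) for each remote template/OLE relationship."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as zf:
        for name in zf.namelist():
            if not name.endswith(".rels"):
                continue
            root = ET.fromstring(zf.read(name))
            for rel in root.iter(REL_NS + "Relationship"):
                rel_type = rel.get("Type", "").rsplit("/", 1)[-1]
                target = rel.get("Target", "")
                external = rel.get("TargetMode", "").lower() == "external"
                scheme = urlparse(target).scheme.lower()
                if external and rel_type in WATCHED_TYPES and scheme in REMOTE_SCHEMES:
                    findings.append((name, rel_type, target))
    return findings


def build_sample(rel_type, target):
    """Constructed test input: an archive holding only one relationships part."""
    rels = (f'<Relationships xmlns="{REL_NS[1:-1]}">'
            f'<Relationship Id="rId1" Type="{OFFICE}{rel_type}" '
            f'Target="{target}" TargetMode="External"/></Relationships>')
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("word/_rels/document.xml.rels", rels)
    return buf.getvalue()


# Constructed samples: a local template path, a plain hyperlink, and a remote OLE target.
LOCAL = build_sample("attachedTemplate", "file:///C:/Templates/Normal.dotm")
LINK = build_sample("hyperlink", "https://www.example.invalid/")
REMOTE = build_sample("oleObject", "https://files.example.invalid/t.html")

if __name__ == "__main__":
    for label, blob in (("local", LOCAL), ("link", LINK), ("remote", REMOTE)):
        print(label, find_external_relationships(blob))
```

Ordinary external hyperlinks are deliberately ignored, so only relationships that cause content to be loaded are reported; a hit is a reason to quarantine and inspect the file, not proof of exploitation.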
Patch and Mitigation for CVE-2022-30190
Microsoft patched Follina on June 14, 2022 as part of Patch Tuesday. Before the patch, Microsoft published a registry-based workaround to disable the ms-msdt:// protocol handler entirely.
Apply June 2022 Patch Tuesday updates
Install all June 14, 2022 cumulative updates for Windows. The patch modifies MSDT.exe to reject maliciously crafted IT_BrowseForFile URI parameters.
Disable ms-msdt protocol handler (pre-patch workaround)
Back up then delete the registry key HKEY_CLASSES_ROOT\ms-msdt to block ms-msdt:// invocations from any application: reg export HKEY_CLASSES_ROOT\ms-msdt backup.reg && reg delete HKEY_CLASSES_ROOT\ms-msdt /f
Disable Preview Pane in Windows Explorer
Eliminates the no-click attack surface. Apply via Group Policy: User Configuration > Administrative Templates > Windows Components > Windows Explorer > Turn off Windows+Tab hotkey.
Block external OLE template retrieval via ASR
Enable Microsoft Defender Attack Surface Reduction rule GUID 3b576869-a4ec-4529-8536-b80a7769e899 to block Office from fetching external OLE templates.
The bottom line
Follina proved that macro security controls — the industry's primary defense against malicious Office documents for two decades — do not cover all Office code execution paths. A legitimate template feature became a zero-click RCE vector. Apply the June 2022 patches, disable the ms-msdt protocol handler as defense-in-depth, and ensure Protected View is enforced and not bypassed by Group Policy exceptions.

Founder & Cybersecurity Evangelist, Decryption Digest
Cybersecurity professional with expertise in threat intelligence, vulnerability research, and enterprise security. Covers zero-days, ransomware, and nation-state operations for 50,000+ security professionals weekly.