A recently announced exploit in the Microsoft Support Diagnostic Tool (MSDT) allows threat actors to execute code on all versions of Windows through multiple versions of Office. The primary exploit path is through Microsoft Office products, but the exploit can also be triggered without opening the weaponized file. This exploit could allow threat actors to read, edit, or delete any data the application has access to. If the application runs with sufficiently high privileges, the code execution could also create new user accounts.
Threat actors can craft a URL and deliver it through email, either as a link in the message body or inside an attached Word document. The URL triggers the Microsoft Support Diagnostic Tool (MSDT) and has the tool download the threat actor’s code from a remote website. While Microsoft’s FAQ in the guidance document stated that Protected View would prevent exploitation, third-party researchers found that Protected View was easily bypassed.
Lastly, macros do not need to be enabled for this exploit to work.
Coretek is working with customers to inform them of the current exploit and recommendations.
Coretek advises customers to follow Microsoft’s recommendation to disable the MSDT URL protocol. The directions are listed in Microsoft’s “Guidance for CVE-2022-30190,” linked below.
It is also recommended to disable the Preview Pane in Outlook and Windows Explorer, since previewing a weaponized file can trigger the exploit without the file being opened (a zero-click exploit).
Microsoft Defender version 1.367.719.0 or newer can detect the attack and block the exploit’s call-out to the remote site. The three malware families associated with this exploit that Defender detects are:
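The following PowerShell is an added example of applying the MSDT URL protocol workaround described above; it is not code from the Coretek post or from Microsoft, though it performs the same two steps Microsoft’s guidance describes (export the key as a backup, then delete it). The backup path is an arbitrary choice for this example, and the script assumes it is run from an elevated prompt.

```powershell
# Added example (not from the Coretek post): back up and remove the ms-msdt URL protocol
# handler so that ms-msdt: links no longer launch msdt.exe. Must be run as Administrator.
# Assumption: the backup path below is an arbitrary location chosen for this example.
$backup = Join-Path $env:SystemDrive 'ms-msdt-backup.reg'
$key    = 'HKEY_CLASSES_ROOT\ms-msdt'

if (Test-Path "Registry::$key") {
    # 1. Export the key first so the change can be reversed later with: reg import <backup>
    reg export $key $backup /y | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "Backup of $key failed; not deleting the key." }

    # 2. Delete the protocol handler registration.
    reg delete $key /f | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "Deletion of $key failed." }
}

# 3. Verify the workaround is in place: the key should now be absent.
if (Test-Path "Registry::$key") {
    Write-Warning "The ms-msdt protocol handler is still registered; the workaround did not apply."
} else {
    Write-Output "ms-msdt protocol handler removed. Backup saved to $backup"
}
```

The verification step is worth keeping in any deployment script: an endpoint where the key still exists after the script runs (for example because it was not run elevated) is an endpoint where the workaround silently failed.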
Defender will also alert using the following alert names:
If any of the above show up in your SIEM or Defender logs, they should be investigated as possible exploit attempts.
If you are a Coretek customer, have any questions about Coretek remediation actions or your support agreements with Coretek, or are a visitor who would like more information, please use the button below to get in touch.