CVE-2022-30190 Explained: Follina, the Zero-Click Microsoft Office RCE
A Microsoft Support Diagnostic Tool vulnerability triggered by opening or previewing a Word document. No macros. No user clicks. Full remote code execution from a weaponized .docx file, and no security bar warning.

Retool's new app builder is where AI-generated code ships safely
Building apps with AI is easy. Getting them to production safely is another story.
CVE-2022-30190, nicknamed Follina, was discovered by nao_sec researchers on May 27, 2022 and had already been exploited in the wild before discovery, samples date to April 2022.
The vulnerability abuses the ms-msdt:// URI scheme, a Windows protocol handler that launches the Microsoft Support Diagnostic Tool. A specially crafted Office document containing an external OLE template reference forces Word to fetch a malicious HTML file from an attacker-controlled server, which executes an ms-msdt:// URL that runs arbitrary PowerShell code.
What makes Follina uniquely dangerous: it requires no macros. Office documents with macro content display a yellow security bar requiring user acknowledgment. Follina uses OLE template references, a legitimate Office feature, which raises no such warning. On some Windows configurations, simply previewing the file in Windows Explorer's Preview Pane without opening it triggers the exploit.
How the Follina Exploit Chain Works
A malicious .docx file contains an OLE template relationship entry pointing to an external attacker-controlled URL instead of a local template file. When Word opens the document (or Windows Explorer generates a preview), Word fetches the external URL.
The attacker's server returns an HTML file containing a redirect to an ms-msdt:// URI. This URI invokes MSDT.exe with attacker-specified parameters, including an IT_BrowseForFile parameter embedding a PowerShell command. MSDT.exe executes this PowerShell command as the current user with no UAC prompt and no macro warning displayed.
Craft Malicious DOCX
Attacker creates a .docx file with an OLE template XML relationship pointing to an attacker-controlled HTTP URL instead of a local template.
Victim Opens or Previews Document
Victim opens the document in Word, or previews it in Windows Explorer. No macro warning is displayed, the file appears clean.
Word Fetches External Template
Word's template loading code fetches the external URL. The attacker's server returns an HTML file with the payload.
HTML Invokes ms-msdt:// URI
The HTML redirects to an ms-msdt:// URI with embedded PowerShell code in the IT_BrowseForFile parameter.
MSDT Executes PowerShell as Current User
Windows invokes MSDT.exe, which processes the URI and executes the embedded PowerShell command, achieving code execution with no further user interaction.
Patch and Mitigation for CVE-2022-30190
Microsoft patched Follina on June 14, 2022 as part of Patch Tuesday. Before the patch, Microsoft published a registry-based workaround to disable the ms-msdt:// protocol handler entirely.
Subscribe to unlock Remediation & Mitigation steps
Free subscribers unlock full IOC lists, Sigma detection rules, remediation steps, and every daily briefing.
Briefings like this, every morning before 9am.
Threat intel, active CVEs, and campaign alerts, distilled for practitioners. 50,000+ subscribers. No noise.
The bottom line
Follina proved that macro security controls, the industry's primary defense against malicious Office documents for two decades, do not cover all Office code execution paths. A legitimate template feature became a zero-click RCE vector. Apply the June 2022 patches, disable the ms-msdt protocol handler as defense-in-depth, and ensure Protected View is enforced and not bypassed by Group Policy exceptions.
This analysis is generic — the platform version scores threats like this against your own stack.
Frequently asked questions
What is Follina (CVE-2022-30190)?
Follina is an RCE vulnerability in the Microsoft Support Diagnostic Tool (MSDT) triggered via the ms-msdt:// URI scheme embedded in a malicious Office document. No macros are used and no Enable Content prompt appears. In some configurations, previewing the file in Windows Explorer triggers the exploit before the document is fully opened.
How do I fix Follina?
Apply Microsoft's June 2022 patch. As an immediate workaround, disable the MSDT URL protocol: run 'reg delete HKEY_CLASSES_ROOT\ms-msdt /f' from an elevated command prompt. This prevents MSDT from being invoked remotely.
Does disabling macros prevent Follina?
No. Follina does not use macros. It exploits the ms-msdt:// URL handler embedded in the document's XML relationship file. Macro security settings, Protected View, and Attack Surface Reduction rules do not block the primary exploit path.
Why does Protected View not prevent CVE-2022-30190?
Microsoft Office Protected View blocks macros and active content from documents opened from the internet or email attachments. Follina exploits OLE template references, a legitimate Word feature, not macros. The OLE template fetch occurs via Word's template loading mechanism in a different code path from Protected View's active content restrictions. On some Windows configurations, even previewing a Follina-weaponized document in Windows Explorer's Preview Pane triggers the exploit before the file is opened, completely bypassing Protected View. The most effective mitigation is enabling the ASR rule that blocks Office from fetching external OLE templates (GUID 3b576869-a4ec-4529-8536-b80a7769e899).
Can email filtering stop Follina?
Email filtering can remove malicious .docx attachments if the file hash matches known Follina samples. However, the malicious document itself may appear benign since it contains only a legitimate OLE template reference pointing to an external URL with no embedded malware. The payload is fetched from an attacker-controlled URL when the document opens. Sandbox-detonating email security solutions that detonate attachments and observe network connections can detect the malicious outbound fetch. Blocking Office processes from making outbound HTTP connections via ASR rules or endpoint firewall policies is more reliable than signature-based filtering.
Was CVE-2022-30190 exploited by nation-state actors?
Yes. Before the June 14, 2022 patch, multiple threat actor groups exploited Follina. TA413, a Chinese APT targeting Tibetan organizations, was among the first confirmed users. Transparent Tribe (APT36, Pakistani nexus) used Follina in campaigns against Indian government and defense personnel. Multiple European governments also reported targeted exploitation. The variety of threat actors reflects Follina's ease of weaponization: no macros required, no security prompt to dismiss, and the ability to trigger on document preview.
Sources & references
- Microsoft MSRC
- nao_sec Research
- CISA KEV
- NIST NVD
Free resources
Critical CVE Reference Card 2025–2026
25 actively exploited vulnerabilities with CVSS scores, exploit status, and patch availability. Print it, pin it, share it with your SOC team.
Ransomware Incident Response Playbook
Step-by-step 24-hour IR checklist covering detection, containment, eradication, and recovery. Built for SOC teams, IR leads, and CISOs.
Get threat intel before your inbox does.
50,000+ security professionals read Decryption Digest for early warnings on zero-days, ransomware, and nation-state campaigns. Free, daily, no spam.
Unsubscribe anytime. We never sell your data.

Founder & Cybersecurity Evangelist, Decryption Digest
Cybersecurity professional with expertise in threat intelligence, vulnerability research, and enterprise security. Covers zero-days, ransomware, and nation-state operations for 50,000+ security professionals every morning.
Win a $2,495 Black Hat pass.
Full-access to Black Hat USA 2026 in Las Vegas. Subscribe free to enter.
