
Microsoft Office “Follina” Flaw Is Being Used for Fancy Bear Phishing Campaign

Fancy Bear is exploiting the fear of nuclear war to install malicious stealers through the Microsoft Follina one-click vulnerability.


A new phishing campaign is using the shadow of nuclear war to trick users into triggering an exploit for a one-click bug. Fancy Bear, a threat group known for advanced persistent threats (APT), is behind the campaign, seeking to install credential-stealing malware onto Microsoft Edge, Chrome, and Firefox.

Fancy Bear is a known Russia-backed group that has been active during Russia's invasion of Ukraine. Malwarebytes Threat Intelligence reports the group is sending documents in a phishing campaign that are loaded with an exploit for Follina. This is a known Microsoft one-click vulnerability (tracked as CVE-2022-30190).

“This is the first time we've observed APT28 using Follina in its operations,” researchers say in the post.

Microsoft has had a long-running battle with Fancy Bear. In 2017, the company won a court order to remove domains from the threat group. However, Fancy Bear re-emerged and continues to be a threat to governments, organizations, and individuals.

Malwarebytes has seen the weaponized document Fancy Bear is using. If the user interacts with it, the document installs and executes a .NET stealer to gain credentials and steal data. Google's Threat Analysis Group (TAG) is also following the attack and says it has been successfully used on targets in Ukraine.

Follina Attack

The Follina vulnerability was first spotted in April and given zero-day, one-click exploit status in May. It stems from the Microsoft Support Diagnostic Tool (MSDT): the exploit abuses the ms-msdt protocol to install malicious code from Office documents.

Because Office is the attack vector, the bug is dangerous due to the breadth of the attack surface. Anyone who uses Office on any supported version of Windows is potentially at risk. Using Follina, Fancy Bear sends targets emails with the subject “Nuclear Terrorism A Very Real Threat”.

With fears heightened amid the current invasion of Ukraine, victims may click the link, which is a one-click install of a malicious RTF file.
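The hand-off described above, an Office document invoking MSDT through ms-msdt, leaves a recognisable process-creation trail. The following is an added example, not code from the article or from Malwarebytes: it flags events where an Office application starts msdt.exe or where the command line carries an ms-msdt: URI. The event field names, the list of Office parent processes and the sample events are assumptions constructed for illustration.

```python
import ntpath

# Assumption: Office host processes to treat as suspicious parents of msdt.exe.
OFFICE_PARENTS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}

# Constructed process-creation events; the field names are hypothetical and the
# command lines are placeholders, not captured from a real incident.
SAMPLE_EVENTS = [
    {"host": "ws-01", "parent": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "image": r"C:\Windows\System32\msdt.exe", "cmdline": "msdt.exe ms-msdt:<placeholder>"},
    {"host": "ws-02", "parent": r"C:\Windows\explorer.exe",
     "image": r"C:\Windows\System32\msdt.exe", "cmdline": "msdt.exe /id ExamplePack"},
    {"host": "ws-03", "parent": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "image": r"C:\Windows\splwow64.exe", "cmdline": "splwow64.exe 8192"},
    {"host": "ws-04", "parent": r"c:\program files\microsoft office\root\office16\outlook.exe",
     "image": r"C:\WINDOWS\SYSTEM32\MSDT.EXE"},  # cmdline missing from this record
]


def exe_name(path):
    """Lower-cased file name of a Windows path; ntpath works on any OS."""
    return ntpath.basename(path or "").lower()


def classify(event):
    """Return the list of reasons this event looks like ms-msdt abuse."""
    reasons = []
    child = exe_name(event.get("image"))
    if child == "msdt.exe" and exe_name(event.get("parent")) in OFFICE_PARENTS:
        reasons.append("office-parent-msdt")
    if "ms-msdt:" in (event.get("cmdline") or "").lower():
        reasons.append("ms-msdt-uri")
    return reasons


def detect(events):
    """Return (host, reasons) for every event with at least one reason."""
    return [(e.get("host"), r) for e in events if (r := classify(e))]


if __name__ == "__main__":
    for host, reasons in detect(SAMPLE_EVENTS):
        print(f"{host}: {', '.join(reasons)}")
```

An msdt.exe started from explorer.exe without an ms-msdt: URI (ws-02) and an ordinary Office child process (ws-03) are deliberately left unflagged.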


Luke Jones
Luke has been writing about all things tech for more than five years. He is following Microsoft closely to bring you the latest news about Windows, Office, Azure, Skype, HoloLens and all the rest of their products.
