You should never open a suspicious email. You and your staff know that by now. However, hackers know you know, and suspicious email is getting harder and harder to spot. 

Along comes an even more worrisome combination: a Microsoft vulnerability nicknamed Follina (tracked as CVE-2022-30190) that lets a specially crafted Office document, such as a Word attachment in an email, launch the Microsoft Support Diagnostic Tool (MSDT) and run attacker-chosen code on your computer.

On Monday, May 30, 2022, the Microsoft Security Response Center published guidance for IT administrators on this newly discovered vulnerability, which sits in the Microsoft Support Diagnostic Tool rather than in Office itself; Office documents are simply the most common way to trigger it.

“An attacker who successfully exploits this vulnerability can run arbitrary code with the privileges of the calling application,” said Microsoft in the post. “The attacker can then install programs, view, change, or delete data, or create new accounts in the context allowed by the user’s rights.”

Given the severity of the issue and how easily the vulnerability can be exploited, Community IT has deployed the workaround that Microsoft identified, disabling the ms-msdt: URL protocol handler so that a document can no longer launch the Microsoft Support Diagnostic Tool, for all our clients. We also highly recommend reminding all staff not to open suspicious attachments or click suspicious email links, and to review your process for raising the alert if a staff member realizes they have clicked.
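For administrators who want to apply the same workaround themselves, the PowerShell below is an added example, not Community IT's deployment script or Microsoft's own tooling. It follows the registry change Microsoft published on May 30, 2022: export the ms-msdt protocol handler key as a backup, delete it, and verify the deletion. The backup location under ProgramData is an assumption; run it from an elevated PowerShell prompt.

```powershell
# Added example: apply Microsoft's published workaround for CVE-2022-30190 (Follina).
# Removing the ms-msdt: protocol handler stops Office documents from launching MSDT.
# The backup path is an assumption; any writable location works.
$backup = Join-Path $env:ProgramData 'ms-msdt-backup.reg'
$handlerKey = 'Registry::HKEY_CLASSES_ROOT\ms-msdt'

if (Test-Path $handlerKey) {
    # Keep a copy so the handler can be restored once Microsoft's fix is installed.
    reg.exe export 'HKEY_CLASSES_ROOT\ms-msdt' $backup /y | Out-Null
    reg.exe delete 'HKEY_CLASSES_ROOT\ms-msdt' /f | Out-Null
}

# Verify: the handler key must be gone, otherwise the workaround is not in effect.
if (Test-Path $handlerKey) {
    Write-Warning 'ms-msdt protocol handler is still registered; workaround NOT applied'
} else {
    Write-Output "ms-msdt protocol handler removed; backup saved to $backup"
}

# To undo after patching, import the backup from an elevated prompt:
#   reg.exe import $backup
```

Because the deletion affects the whole machine (HKEY_CLASSES_ROOT is shared by all users), push it through your usual management tooling rather than asking staff to run it, and keep the exported .reg file so the diagnostic tool can be re-enabled after the fix lands.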

Your MSP or IT provider should also have alerted you to the action they are taking while Microsoft works on a fix. In the meantime, it can't hurt to reiterate to staff: if they have any suspicions, don't open or click. Also run back over the procedure for when someone realizes they did click. Who do they tell? How do they tell them? What are the next steps at your organization and with your IT provider?

Making sure everyone is up to date on your incident response is just good practice. 

How Does the Microsoft Follina Vulnerability Impact Nonprofits?

Follina affects anyone running Microsoft Office on Windows who has not applied Microsoft's workaround. The malicious document only needs to be opened, and an email attachment is the most common way for it to arrive.

Follina gives attackers a new way in through a channel they already use: spoofed, hijacked, or spam emails carrying a malicious attachment. Many nonprofits, just like public agencies and small businesses, are vulnerable to email fraud, as busy staff try to get work done and may click before looking.

Typical phishing emails will look legitimate. When you get an email that says your account has been compromised, an email was not delivered, a package needs to be authorized, etc., check the sender address carefully for small misspellings, and do not click any links or open any attachments. If the email seems to come from a legitimate contact, reach out to them separately, via their website or a new email to an address you already trust, to confirm the request.

All of these practices are easy to put in place and don't take a lot of budget. Your organization should be following them at all times, but they matter even more right now, because they are the main thing standing between a Follina-laden attachment and a compromised workstation.

Ready to put strong cybersecurity in place and reduce your nonprofit cybersecurity risk? 

Stay up to date on cybersecurity risks and plan IT support for your entire workforce in-office and remote with our resources.

At Community IT Innovators, we’ve found that many nonprofit organizations deal with more cybersecurity risks than they should have to. As a result, cyber damages are all too common. Whether through a third party vendor or a phishing or ransomware attack on your own organization, you need to be prepared for cybersecurity risks and understand your work and personal security options.

Our process is different. Our techs are nonprofit cybersecurity experts. We constantly research and evaluate new technology solutions to ensure that you get cutting-edge solutions that are tailored to keep your organization secure.

We published our completely revised 2021 Cybersecurity Readiness for Nonprofits: Community IT Innovators Playbook to help our community understand the issues.

We also provide a quick and confidential Cybersecurity Self-Assessment Quiz that will help you understand your security profile and identify areas that need work. It takes about 10 minutes to complete and will email you a full report.

We ensure you get the highest value possible by bringing 20 years of expertise in exclusively serving nonprofits to bear in your environment.

If you’re ready to gain peace of mind about your cybersecurity, let’s talk.