Msdt.exe [SAFE]

Alternatively, use to disallow execution of msdt.exe for non-admin users.

The legitimate executable is found at:

In mid-2022, threat actors linked to (also known as the "Bumblebee" group) distributed malicious Excel sheets that used the ms-msdt: URI to download and execute the Bumblebee loader, which subsequently deployed Cobalt Strike.

| Behavior | Action |
|----------|--------|
| msdt.exe runs at startup without user action | Investigate via Autoruns |
| Launched by Word, Excel, or Outlook | High risk – possible Follina exploit |
| Runs frequently without troubleshooter invocation | Run antivirus/EDR scan |
| Command line contains encoded PowerShell or download cradle | Immediate isolation |
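The rows above can be applied mechanically to process-creation telemetry. What follows is an added example written for this page, not code from the original article or from any vendor tool. It triages Sysmon Event ID 1 style records using a field layout (host, image, parent_image, command_line, seconds_since_boot) that is assumed, not a real log schema; the sample events are constructed, and the 120-second startup window, the five-launch threshold and the indicator patterns (the ms-msdt:/id PCWDiagnostic ... IT_BrowseForFile=$( shape used by Follina documents, -enc plus base64, common download cradles) are my choices, since the table names only the categories.

```python
import re
from collections import Counter
from dataclasses import dataclass


@dataclass(frozen=True)
class ProcessEvent:
    """Sysmon Event ID 1 style record. The field layout is assumed for this
    example; map your own telemetry onto it."""
    host: str
    image: str               # full path of the created process
    parent_image: str        # full path of its parent
    command_line: str
    seconds_since_boot: int  # assumed to be derived upstream from boot time


OFFICE_PARENTS = {"winword.exe", "excel.exe", "outlook.exe"}
STARTUP_WINDOW_S = 120   # assumption: "at startup" means within two minutes of boot
FREQUENT_THRESHOLD = 5   # assumption: five bare launches on one host is "frequent"

# A legitimate troubleshooter run names a diagnostic pack via /id, /path or /cab.
TROUBLESHOOTER_RE = re.compile(r"(?<![\w-])/(id|path|cab)\b", re.IGNORECASE)
# Follina shape: ms-msdt: URI with a PowerShell subexpression in IT_BrowseForFile.
FOLLINA_RE = re.compile(r"ms-msdt:.*IT_(Re)?BrowseForFile=.*\$\(", re.IGNORECASE)
# Encoded PowerShell (-e/-ec/-enc/-encodedcommand followed by base64) and download cradles.
ENCODED_RE = re.compile(r"-e(?:c|nc|ncoded|ncodedcommand)?\s+[A-Za-z0-9+/=]{16,}", re.IGNORECASE)
CRADLE_RE = re.compile(
    r"(invoke-expression|\biex\b|invoke-webrequest|\biwr\b|downloadstring|downloadfile"
    r"|net\.webclient|certutil\b.*urlcache|bitsadmin\b.*transfer|\bcurl\b|\bwget\b)",
    re.IGNORECASE,
)


def basename(path):
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def is_msdt(ev):
    return basename(ev.image) == "msdt.exe"


def classify(ev):
    """Map one msdt.exe event to the table's action column, most severe rule first."""
    cl = ev.command_line
    if ENCODED_RE.search(cl) or CRADLE_RE.search(cl):
        return "Immediate isolation"
    if basename(ev.parent_image) in OFFICE_PARENTS or FOLLINA_RE.search(cl):
        return "High risk - possible Follina exploit"
    if ev.seconds_since_boot <= STARTUP_WINDOW_S and not TROUBLESHOOTER_RE.search(cl):
        return "Investigate via Autoruns"
    return "benign"


def triage(events):
    """Per-event verdicts, plus hosts where msdt.exe ran repeatedly without a
    troubleshooter pack (the table's 'Run antivirus/EDR scan' row)."""
    verdicts = []
    bare_runs = Counter()
    for ev in events:
        if not is_msdt(ev):
            continue
        verdicts.append((ev, classify(ev)))
        if not TROUBLESHOOTER_RE.search(ev.command_line):
            bare_runs[ev.host] += 1
    hosts_to_scan = sorted(h for h, n in bare_runs.items() if n >= FREQUENT_THRESHOLD)
    return verdicts, hosts_to_scan


MSDT = r"C:\Windows\System32\msdt.exe"
# Constructed Follina-style command line (the base64 decodes to "calc.exe").
FOLLINA_CMD = (
    '"' + MSDT + '" ms-msdt:/id PCWDiagnostic /skip force /param '
    '"IT_RebrowseForFile=? IT_LaunchMethod=ContextMenu IT_BrowseForFile=$('
    'Invoke-Expression([System.Text.Encoding]::UTF8.GetString([System.Convert]::'
    'FromBase64String(Y2FsYy5leGU=))))i/../../../../../../../../Windows/System32/mpsigstub.exe"'
)

# Constructed sample events, not real telemetry.
SAMPLE_EVENTS = [
    ProcessEvent("WS01", MSDT, r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE", FOLLINA_CMD, 5400),
    ProcessEvent("WS02", MSDT, r"C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE",
                 '"' + MSDT + '" ms-msdt:/id PCWDiagnostic /skip force /param "IT_BrowseForFile=$(calc)"', 5400),
    ProcessEvent("WS03", MSDT, r"C:\Windows\explorer.exe", '"' + MSDT + '" /id NetworkDiagnosticsWeb', 3600),
    ProcessEvent("WS04", MSDT, r"C:\Windows\explorer.exe", '"' + MSDT + '"', 40),
] + [
    ProcessEvent("WS05", MSDT, r"C:\Windows\System32\svchost.exe", '"' + MSDT + '"', 5000 + i) for i in range(5)
] + [
    ProcessEvent("WS06", r"C:\Windows\System32\notepad.exe", r"C:\Windows\explorer.exe", "notepad.exe", 5000),
    ProcessEvent("WS06", MSDT, r"C:\Windows\System32\cmd.exe",
                 '"' + MSDT + '" /param "powershell -enc SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQA"', 5000),
]

if __name__ == "__main__":
    verdicts, hosts = triage(SAMPLE_EVENTS)
    for ev, verdict in verdicts:
        print(f"{ev.host:5} parent={basename(ev.parent_image):12} -> {verdict}")
    print("hosts to scan:", hosts)
```

The rules are ordered by severity, so a genuine Follina command line (which carries Invoke-Expression inside IT_BrowseForFile) lands in "Immediate isolation" rather than "High risk"; the Office-parent and ms-msdt: checks catch variants whose payload does not use a recognised cradle. The frequency rule deliberately ignores runs that name a diagnostic pack, because those are what a user clicking a troubleshooter produces.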

Nevertheless, legacy systems and enterprise images that upgrade rather than clean-install may still have the old behavior. To revert, change /d 1 to /d 0.


The Follina vulnerability (CVE-2022-30190) was severe because it required no interaction beyond opening a malicious document, and in some configurations none at all (for example, when the file was rendered by a preview pane). Code ran with the privileges of the user who opened the document, so an attacker could install programs, view, change, or delete data, or create new accounts with that user's rights.