Detection rule for new Microsoft Office zero-day (MSDT attack)

A new rule was added to **SEKOIA.IO XDR** to detect the Microsoft Office Remote Code Execution "**Follina**" MSDT (Microsoft Diagnostic Tool) attack. Process events carrying the command-line execution parameters allow the rule to be triggered very specifically. Alerts it raises should be promptly analyzed in order to detect potential malicious exploitation through malicious Office files. In the meantime, a safe course of action is to disable the msdt file association (`reg delete hkcr\ms-msdt`).
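As an added example of the command-line-based detection logic the note describes (this is not SEKOIA.IO's rule, which the post does not reproduce), the function below triages constructed Sysmon-style process creation events for `msdt.exe` launches; the field names, the Office parent-process list and the severity scheme are assumptions, and the sample command lines are constructed, not captured telemetry.

```python
import ntpath
import re
from typing import Dict, Iterable, List

# Assumed list of Office parents whose spawning of msdt.exe is suspicious.
OFFICE_PARENTS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe", "msaccess.exe"}
# The ms-msdt: protocol handler is what an Office document reaches msdt.exe through.
MSDT_SCHEME = re.compile(r"ms-msdt:", re.IGNORECASE)
SKIP_FORCE = re.compile(r"/skip\s+force", re.IGNORECASE)

# Constructed sample events (Sysmon EventID 1 style fields); the IT_BrowseForFile value is a placeholder.
SAMPLE_EVENTS = [
    {"Image": r"C:\Windows\System32\msdt.exe",
     "ParentImage": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "CommandLine": r'C:\Windows\System32\msdt.exe ms-msdt:/id PCWDiagnostic /skip force /param "IT_BrowseForFile=<placeholder>"'},
    # Benign: a user-launched troubleshooter from Explorer, no protocol handler.
    {"Image": r"C:\Windows\System32\msdt.exe",
     "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": r"C:\Windows\System32\msdt.exe -id PCWDiagnostic"},
    # Mixed case and a non-Office parent: still worth analyst review.
    {"Image": r"C:\Windows\System32\msdt.exe",
     "ParentImage": r"C:\Windows\System32\sdiagnhost.exe",
     "CommandLine": r"c:\windows\system32\MSDT.EXE MS-MSDT:/id PCWDiagnostic /skip force"},
]


def basename(path: str) -> str:
    # ntpath handles Windows separators regardless of the host OS.
    return ntpath.basename(path).lower()


def detect_msdt_abuse(events: Iterable[Dict[str, str]]) -> List[Dict[str, object]]:
    """Return one alert per msdt.exe event that shows Follina-style indicators."""
    alerts: List[Dict[str, object]] = []
    for index, event in enumerate(events):
        if basename(event.get("Image", "")) != "msdt.exe":
            continue
        cmd = event.get("CommandLine", "")
        reasons = []
        if MSDT_SCHEME.search(cmd):
            reasons.append("ms-msdt protocol handler in command line")
        if SKIP_FORCE.search(cmd):
            reasons.append("/skip force flag present")
        office_parent = basename(event.get("ParentImage", "")) in OFFICE_PARENTS
        if office_parent:
            reasons.append("spawned by an Office application")
        if not reasons:
            continue  # plain troubleshooter launch, nothing to raise
        severity = "high" if office_parent else "medium"
        alerts.append({"event": index, "severity": severity, "reasons": reasons})
    return alerts
```

Any alert this returns is a candidate for the manual analysis the note calls for; the "medium" tier exists so that handler-based launches without an Office parent are still reviewed rather than dropped.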