You may have noticed lately a lot of talk of MOTW (Mark of the Web). This matters because of Microsoft's changes rolling out this year to set the default treatment of files containing macros (VBA/XLM 4.0) from the Internet to being blocked. 🧵1/x
As I have been saying for a while, most threat actors realized they needed to get ahead of this and start working on alternatives or ways to bypass this new protection. As can be seen in the Microsoft links, most of these defaults roll out in July to the majority of installs. 3/x
This is where MOTW comes in, because the enforcement of these defaults relies upon MOTW being successfully established on the file being delivered. Therefore you are going to see all types of experiments to avoid having their malware branded. 4/x
One of the most popular methods is simply zipping the file. Believe it or not a macro laden doc/xlsm in a zip file does NOT properly get the MOTW in most cases. The software being used to uncompress the file needs to realize the ZIP has the MOTW and thus carry it over. 5/x
This aspect was not considered in most archiving software & the majority of them will happily give you the macro to then run as a local file without the MOTW being applied. Which ones do/don't? GREAT QUESTION! I decided to start looking recently to figure this out. 6/x
I was pleased to find out someone has already spent a lot of time on this and shared it with the community at large. Check out this great work from @nmantani, which identifies which archiving apps maintain the MOTW. github.com/nmantani/archi… 7/x
This of course isn't the only consideration for MOTW to be aware of, but it is one you should start understanding in your environment post haste. Any archive container type files (ARJ/GZ/IMG/ISO/LNK/RAR/VHDX, etc.) can and have been used to bypass MOTW. 8/x
The time is now to understand how MOTW can be bypassed in your environment & to watch community resources like @nmantani's log of apps that respect MOTW with ZIP files. Clearly actors like #Emotet are working hard on their future post direct macro exploration world. 🙃 9/9
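As an added example (not from the thread or from @nmantani's repository), here is a PowerShell audit for the check the thread describes: stamp a ZIP with an Internet-zone Mark of the Web, extract it with the tool you want to evaluate, and list every extracted file that lost the Zone.Identifier stream. It assumes Windows PowerShell 5.1+ on an NTFS volume; the function names and the constructed sample ZIP are mine.

```powershell
# Zone.Identifier is an NTFS alternate data stream; ZoneId=3 means "Internet".
function Get-ZoneId {
    # Return the ZoneId from a file's Zone.Identifier stream, or $null if absent.
    param([Parameter(Mandatory)][string]$Path)
    $content = Get-Content -LiteralPath $Path -Stream Zone.Identifier -ErrorAction SilentlyContinue
    if (-not $content) { return $null }
    $match = $content | Select-String -Pattern '^ZoneId=(\d)' | Select-Object -First 1
    if ($match) { return [int]$match.Matches[0].Groups[1].Value }
    return $null
}

function Test-MotwPropagation {
    # Extract $ZipPath into $OutDir with $Extract and report files that lost the MOTW.
    # $Extract is a script block taking (zipPath, outDir) so any unzip tool can be
    # plugged in and compared; the default is PowerShell's own Expand-Archive.
    param(
        [Parameter(Mandatory)][string]$ZipPath,
        [Parameter(Mandatory)][string]$OutDir,
        [scriptblock]$Extract = { param($z, $o) Expand-Archive -LiteralPath $z -DestinationPath $o -Force }
    )
    if ((Get-ZoneId $ZipPath) -ne 3) { throw "$ZipPath does not carry ZoneId=3; nothing to propagate." }
    & $Extract $ZipPath $OutDir
    $extracted = Get-ChildItem -LiteralPath $OutDir -File -Recurse
    $unmarked  = $extracted | Where-Object { (Get-ZoneId $_.FullName) -ne 3 }
    [pscustomobject]@{
        Extractor      = $Extract.ToString().Trim()
        FilesExtracted = @($extracted).Count
        LostMotw       = @($unmarked | ForEach-Object { $_.FullName })   # empty = MOTW carried over
    }
}

# Constructed test input: a harmless text file inside a ZIP, then stamp the ZIP
# with ZoneId=3 the way a browser download would. No macro document is needed.
$work = Join-Path $env:TEMP ("motw-" + [guid]::NewGuid())
$null = New-Item -ItemType Directory -Path $work
'not a macro' | Set-Content -LiteralPath (Join-Path $work 'sample.txt')
$zip = Join-Path $work 'sample.zip'
Compress-Archive -LiteralPath (Join-Path $work 'sample.txt') -DestinationPath $zip
Set-Content -LiteralPath $zip -Stream Zone.Identifier -Value "[ZoneTransfer]`r`nZoneId=3"

Test-MotwPropagation -ZipPath $zip -OutDir (Join-Path $work 'out') | Format-List
```

Swap the `-Extract` script block for a call to a third-party archiver's command line to compare tools; any path listed under LostMotw would open as a local file with no Internet-zone blocking.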
#Microsoft and #Exchange starting off 2022 with a 💣 as of 00:00 UTC, freezing transport of all email flowing through on-prem servers due to a failure converting the new date... 🤦♂️. Solution is to disable the AntiMalware Scanning temporarily via Disable-Antimalwarescanning.ps1. 1/x
This is very bad because of the time this is happening and how many people are off for the holidays. Essentially any server that has this issue will defer all mail until this is rectified. H/T to @miketheitguy for the solution:
This is also confirmed from Microsoft here: docs.microsoft.com/en-us/archive/…. It works for 2016 and I am sure 2019 also. Once the script is run and the transport service restarted, all deferred emails will reprocess and be sent immediately provided you have no other problems. 3/x
MS Office ActiveX CVE-2021-40444 summary:
🎯No macros needed - normal detections & mitigations fail.
🎯No word from MS on patch ETA
🎯Can in some cases be executed in Explorer Preview mode. (RTF older O365 client?) - h/t -