SpyCloud - Security Research Manager, Cryptolaemus Coordinator, Emotet(Ivan)/QBot(Boris) hater, gold prospector & former sysadmin.
May 5, 2022 • 9 tweets • 3 min read
You may have noticed lately a lot of talk of MOTW (Mark of the Web). The reason why this is important is because of Microsoft's changes that are rolling out this year to set the default treatment of files containing macros(VBA/XLM4.0) from the Internet to being blocked. 🧵1/x
We all cheered the changes from Microsoft on the default treatment of macros first for Excel 4.0 macros and then later for VBA macros. XLM announcement: techcommunity.microsoft.com/t5/excel-blog/… VBA announcement: docs.microsoft.com/en-us/deployof… 2/x
Jan 1, 2022 • 9 tweets • 3 min read
#Microsoft and #Exchange starting off 2022 with a 💣as of 00:00UTC with freezing transport of all emails flowing through it On-Prem due to failure converting the new date... 🤦♂️. Solution is to disable the AntiMalware Scanning temporarily via Disable-Antimalwarescanning.ps1. 1/x
This is very bad because of the time this is happening and how many people are off for the holidays. Essentially any server that has this issue will defer all mail until this is rectified. H/T to @miketheitguy for the solution:
MS Office ActiveX CVE-2021-40444 summary:
🎯No macros needed - normal detections & mitigations fail.
🎯No word from MS on patch ETA
🎯Can in some cases be executed in Explorer Preview mode. (RTF older O365 client?) - h/t -