Joe Roosen
SpyCloud - Security Research Program Coordinator, Cryptolaemus Coordinator, Emotet(Ivan)/QBot(Boris) hater, gold prospector & former sysadmin.
May 5, 2022 9 tweets 3 min read
You may have noticed lately a lot of talk of MOTW (Mark of the Web). This is important because of Microsoft's changes that are rolling out this year to set the default treatment of files containing macros (VBA/XLM 4.0) from the Internet to being blocked. 🧵1/x

We all cheered the changes from Microsoft on the default treatment of macros, first for Excel 4.0 macros and then later for VBA macros. XLM announcement: techcommunity.microsoft.com/t5/excel-blog/… VBA announcement: docs.microsoft.com/en-us/deployof… 2/x
Jan 1, 2022 9 tweets 3 min read
#Microsoft and #Exchange starting off 2022 with a 💣 as of 00:00 UTC, freezing transport of all emails flowing through it On-Prem due to a failure converting the new date... 🤦‍♂️. Solution is to disable the AntiMalware Scanning temporarily via Disable-Antimalwarescanning.ps1. 1/x

This is very bad because of the time this is happening and how many people are off for the holidays. Essentially any server that has this issue will defer all mail until this is rectified. H/T to @miketheitguy for the solution: 2/x
Sep 9, 2021 10 tweets 5 min read
MS Office ActiveX CVE-2021-40444 summary:
🎯No macros needed - normal detections & mitigations fail.
🎯No word from MS on patch ETA
🎯Can in some cases be executed in Explorer Preview mode. (RTF older O365 client?) - h/t -
1/x
🎯Defender defs of 1.349.22.0+ (9/2) should catch it if AV is used. MS Identifies as O97M/Donoff.SA (may be ways to mitigate detection)
🎯These are normal docx files & not anything special.
🎯Supposedly Protected mode and/or App Guard will prevent it.
2/x