Microsoft identifies Office documents originating from an email attachment or the internet with a Mark of the Web (MOTW). MOTW, which is also used by Windows Defender SmartScreen and other security tools, labels a document as coming from an untrusted location for the application opening the file, enabling that application to block macros and active content and to apply other policies to the file. This fall, Microsoft announced it would block macros by default in Office documents downloaded from the internet, and on November 8th Microsoft announced that MOTW will propagate into file containers such as .ISO, .IMG, .ZIP and other archives.
While these policies improve security, MOTW is prone to vulnerabilities, and threat actors are adapting their tactics to continue using weaponized content as a primary attack vector against organizations.
Watch this webinar on-demand to hear directly from our Threat Labs team. In this virtual event, Morphisec’s expert threat researchers review Microsoft’s new policies and the security efficacy provided by MOTW, and present methods attackers use to bypass these mechanisms. These include tampering with file certificates to avoid MOTW inspection, social engineering, and other techniques. We provide technical explanations with real-world examples based on Morphisec’s Threat Labs data, so you can understand how threats are shifting and plan accordingly.
Michael Gorelik, CISSP | CTO, Morphisec
Arnold Osipov | Malware Researcher, Morphisec