June 17, 2024

Microsoft is warning that bad actors, including financially motivated ones, are using App Installer to distribute malware.

Microsoft Threat Intelligence says bad actors have been using the ms-appinstaller URI scheme (App Installer) to distribute malware since at least mid-November 2023. Microsoft has disabled the protocol handler in an effort to combat its abuse.

The observed threat actor activity abuses the current implementation of the ms-appinstaller protocol handler as an access vector for malware that may lead to ransomware distribution. Multiple cybercriminals are also selling a malware kit as a service that abuses the MSIX file format and the ms-appinstaller protocol handler. These threat actors distribute signed malicious MSIX application packages using websites accessed through malicious advertisements for legitimate popular software. A second vector, phishing through Microsoft Teams, is also in use by Storm-1674.

Threat actors have likely chosen the ms-appinstaller protocol handler vector because it can bypass mechanisms designed to help keep users safe from malware, such as Microsoft Defender SmartScreen and built-in browser warnings for downloads of executable file formats.
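As an added example (not from the article or from Microsoft), the following script shows how a defender could hunt for the two delivery patterns described above in web proxy logs: invocations of the ms-appinstaller URI scheme, whose `source` parameter carries the real package location, and direct downloads of MSIX or App Installer packages, with an ad-click referrer flagged as a malvertising indicator. The log format and all hostnames are constructed for the example.

```python
import re
from urllib.parse import urlsplit, parse_qs, unquote

# Constructed sample proxy log lines (not real traffic): "<timestamp> <user> <url> <referrer>"
SAMPLE_LOG = """\
2024-06-17T09:01:02Z alice https://www.example.com/ -
2024-06-17T09:02:10Z bob ms-appinstaller:?source=https://cdn.example.net/installer/Setup.msix https://ads.example.org/click?id=123
2024-06-17T09:03:44Z carol https://files.example.net/tool/tool.msixbundle https://ads.example.org/click?id=456
2024-06-17T09:04:01Z dave https://update.example.com/app/App.appinstaller -
2024-06-17T09:05:30Z erin https://intranet.example.com/docs/index.html -
"""

# File extensions handled by App Installer: MSIX packages, bundles, and .appinstaller manifests
PACKAGE_EXT = re.compile(r"\.(msix|msixbundle|appinstaller)(\?|$)", re.IGNORECASE)

def parse_line(line):
    """Split one constructed log line into its four fields."""
    ts, user, url, referrer = line.split(maxsplit=3)
    return {"ts": ts, "user": user, "url": url, "referrer": referrer}

def classify(entry):
    """Return a reason string if the request matches an App Installer delivery pattern, else None."""
    url = entry["url"]
    if url.lower().startswith("ms-appinstaller:"):
        # ms-appinstaller:?source=<url> hands the package URL to the protocol handler,
        # so the interesting value is the embedded 'source' parameter, not the URI itself
        src = parse_qs(urlsplit(url).query).get("source", [""])[0]
        return f"ms-appinstaller handler invoked for {unquote(src) or '<no source>'}"
    if PACKAGE_EXT.search(url):
        return "direct download of MSIX/App Installer package"
    return None

def scan(log_text):
    """Return one finding per suspicious request, noting whether it came via an ad click."""
    findings = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        entry = parse_line(line)
        reason = classify(entry)
        if reason:
            # An ad-network referrer matches the malvertising delivery Microsoft describes
            via_ad = urlsplit(entry["referrer"]).netloc.startswith("ads.")
            findings.append({"user": entry["user"], "reason": reason, "via_ad_referrer": via_ad})
    return findings

if __name__ == "__main__":
    for finding in scan(SAMPLE_LOG):
        print(finding)
```

In a real deployment the referrer check would use the organization's own list of ad-network domains, and hits with `via_ad_referrer` set would be prioritized for review.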

The attacks are especially dangerous for Teams users, since the bad actors are spoofing legitimate Microsoft pages.

Since the beginning of December 2023, Microsoft has identified instances where Storm-1674 delivered fake landing pages through messages sent using Teams. The landing pages spoof Microsoft services like OneDrive and SharePoint, as well as other companies. Tenants created by the threat actor are used to create meetings and send chat messages to potential victims using the meeting's chat functionality.

More information can be found here, including a detailed analysis of the attack. In the meantime, Microsoft says organizations should educate Teams users so they are able to identify and protect themselves from this exploit.

Educate Microsoft Teams users to verify 'External' tagging on communication attempts from external entities, to be cautious about what they share, and to never share their account information or authorize sign-in requests over chat.