Attackers are always on the lookout for new ways to infiltrate systems and networks. Not long after security researcher Matt Nelson detailed a way to abuse the .settingcontent-ms file format to load shell commands, cybercriminals experimented with ways to use this technique in attacks.
Microsoft 365 has multiple layers of defense against this new attacker technique. These protections include mitigations in Office 365, as well as detection and investigation capabilities in the Windows Defender Advanced Threat Protection (Windows Defender ATP) unified security platform.
By default, Office 365 applications will block .settingcontent-ms objects inside documents. This is meant to defeat social engineering attacks that embed malicious executables or scripts (for example, .exe, .js, .vbs files) in Office documents. Outlook uses the same list of blocked file extensions to block attachments.
Figure 1. Office 365 apps will not allow the activation of objects that link to file name extensions considered high risk
Attack surface reduction
Attack surface reduction capabilities in Windows Defender ATP provide a set of built-in intelligence that can block underlying behaviors used by malicious documents. The following Attack surface reduction rules, updated immediately after the attacker technique was made public, protect against attacks that use documents with .settingcontent-ms objects:
Block Office applications from creating child processes (D4F940AB-401B-4EFC-AADC-AD5F3C50688A)
Block Office applications from creating executable content (3B576869-A4EC-4529-8536-B80A7769E899)
In addition, the following rule, available in preview, protects against malicious .pdf files with embedded .settingcontent-ms objects:
Block Adobe Reader from creating child processes (7674ba52-37eb-4a4f-a9a1-f0f9a1619a2c)
The following rule, also in preview, protects against emails that have .settingcontent-ms objects embedded:
Block Office communication applications from creating child processes (26190899-1602-49e8-8b27-eb1d0a1ce869)
Antivirus capabilities in Windows Defender ATP detect and block malicious .settingcontent-ms files as Trojan:O97M/DPlink.A.
Figure 3. Alert raised in Windows Defender Security Center for Trojan:O97M/DPlink.A
Endpoint detection and response
Endpoint detection and response capabilities in Windows Defender ATP allow security operations personnel to monitor and investigate malicious .settingcontent-ms threats in the network. Using the alert from the antivirus detection, SecOps can pivot to the machine timeline and trace the process tree to investigate related events (e.g., file creation) and remediate attacks.
Figure 4. Process tree for a sample .settingcontent-ms file extension in machine timeline
To hunt for possible threats that leverage malicious .settingcontent-ms files in the network, SecOps can use Advanced hunting capabilities in Windows Defender ATP. The Advanced hunting query experience is integrated into the existing Windows Defender ATP investigation experience, making proactive hunting for possible threats more effective.
Figure 5. Sample Advanced hunting query that returns file creation events where file name ends with .settingcontent-ms and initiating process is a browser, Outlook, or explorer.exe.
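A hunting query of the kind Figure 5 describes, written here as an added example rather than the query from Microsoft's repository. It assumes the Advanced hunting schema as it existed in 2018 (a FileCreationEvents table with EventTime, ComputerName, FileName, FolderPath, SHA1, InitiatingProcessFileName and InitiatingProcessCommandLine columns; later versions renamed the table to DeviceFileEvents with Timestamp and DeviceName) and the list of browser process names is an assumption that should be adjusted to the browsers deployed in your environment.

```kql
// Added example: surface .settingcontent-ms files written to disk by processes
// that typically handle untrusted content (browsers, Outlook) or by explorer.exe
// (a user opening an attachment or archive). Schema column names assume the
// 2018 Windows Defender ATP Advanced hunting schema.
let browserProcesses = dynamic([
    "chrome.exe", "iexplore.exe", "firefox.exe",
    "microsoftedge.exe", "microsoftedgecp.exe"]);   // assumed browser list
FileCreationEvents
| where EventTime > ago(7d)
// endswith is case-insensitive in Kusto, so .SettingContent-ms also matches
| where FileName endswith ".settingcontent-ms"
| where InitiatingProcessFileName in~ (browserProcesses)
     or InitiatingProcessFileName =~ "outlook.exe"
     or InitiatingProcessFileName =~ "explorer.exe"
| project EventTime, ComputerName, FileName, FolderPath, SHA1,
          InitiatingProcessFileName, InitiatingProcessCommandLine
| order by EventTime desc
```

Results are an investigation lead, not a verdict: pivot from the ComputerName and EventTime into the machine timeline to confirm what the created file went on to launch.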
As a reminder, you can find the above query and many more sample Advanced hunting queries in our GitHub repository.