On 3 March 2022, Microsoft announced that the default behavior of Office applications on Windows will be changed to block macros in files from the internet (such as email attachment).
An excerpt from the announcement:
VBA macros are a common way for malicious actors to gain access to deploy malware and ransomware. Therefore, to help improve security in Office, we’re changing the default behavior of Office applications to block macros in files from the internet.
...
This change only affects Office on devices running Windows and only affects the following applications: Access, Excel, PowerPoint, Visio, and Word.
The change will begin rolling out in Version 2203, starting with Current Channel (Preview) in early April 2022. Later, the change will be available in the other update channels, such as Current Channel and Monthly Enterprise Channel.
This is a great improvement of defense against malicious Office document files.
According to the announcement, whether blocking macro or not is determined based on MOTW (Mark of the Web) attribute of the file. Applications such as web browsers and email clients put MOTW on downloaded files and email attachments that come from the internet. MOTW is stored in Zone.Identifier NTFS alternate data stream.
To block macro of malicious Office document files that are extracted from archive files, an archiver software has to propagate MOTW to extracted files when an archive file has MOTW. If archiver software does not propagate MOTW, malicious Office documents in archive files can circumvent blocking.
A question came up: "What archiver software can propagate MOTW to extracted files?" So I tested some archiver software and summarized the result.
Name | Tested version | License | MOTW propagation | Note |
---|---|---|---|---|
"Extract all" built-in function of Windows Explorer | Windows 10 21H2 | proprietary | Yes ✔️ | |
Bandizip | Standard Edition 7.25 | freeware | Yes ✔️ | Only for specific file extensions *1 |
Explzh | 8.63 | proprietary for commercial use | Yes ✔️ | |
WinRAR | 6.11 (trial) | proprietary | Yes ✔️ | Only for specific file extensions *2 |
WinZip | 26.0 (trial) | proprietary | Yes ✔️ | |
7-Zip | 21.07 | GNU LGPL | No ❌ | |
Ashampoo ZIP Free | 1.0.7 | freeware (registration required) | No ❌ | |
CAM UnZip | 5.2.1.0 | proprietary for commercial use | No ❌ | |
CubeICE | 1.1.1 | freeware | No ❌ | |
IZArc | 4.5 | freeware | No ❌ | |
LhaForge | 1.6.7 | MIT | No ❌ | |
Lhaplus | 1.74 | freeware | No ❌ | |
NanaZip | 1.1.194.0 | MIT | No ❌ | |
PeaZip | 8.6.0 | GNU LGPL | No ❌ | |
PowerArchiver | 21.00.15 (trial) | proprietary | No ❌ | |
StuffIt Expander | 15.0.8 | freeware | No ❌ | |
ZipGenious | 6.3.2.3116 | freeware | No ❌ | |
Zipware | 1.6 | freeware | No ❌ |
*1: Accoring to the document of Bandizip, Bandizip propagates MOTW to files with the following file extensions:
- .exe .com .msi .scr .bat .cmd .pif .bat .lnk
- .zip .zipx .rar .7z .alz .egg .cab .bh
- .iso .img .isz .udf .wim .bin .i00
- .js .jse .vbs .vbe .wsf
- .url .reg
- .docx .doc .xls .xlsx .ppt .pptx .wiz
I previously tested Bandizip with a ZIP archive file that contained only text files, and I misunderstood that Bandizip does not propagate MOTW.
*2: Jernej Simončič (@jernej__s) kindly contacted the developer of WinRAR and got the answer that WinRAR propagates MOTW only to Microsoft Office document files. It seems that the supported file types are not documented. I did additional tests with WinRAR 6.11 and confirmed that it propagates MOTW to document files of Word, Excel, and PowerPoint (files of Access and Publisher are not supported).
I previously tested WinRAR with a ZIP archive file that contained only text files, and I misunderstood that WinRAR does not propagate MOTW.
-
Please see these blog articles:
- Details about the Mark-of-the-Web (MOTW) by Mike Wolfe (@NoLongerSet)
- Downloads and the Mark-of-the-Web by Eric Lawrence (@ericlaw)
- Mark-of-the-Web from a red team’s perspective by Stan Hegt (@stanhacked)
They are very helpful to understand it.
-
Please provide your test result from Issues or Pull requests. Because I am Japanese, the comparison table contains some Japanese archiver software that you may not know.
-
Please see Details about the Mark-of-the-Web (MOTW). It compares behavior of the built-in Windows unzip utility and 7-zip. You can test your favorite archiver software in a similar fashion.
I created PS-MOTW, PowerShell scripts to manually set / show / remove MOTW. You can use it for testing archiver software.
-
Please provide the details from Issues or the fix from Pull requests. I am happy to fix it.
-
Yes. If the file format of a disk image file does not support NTFS alternate data stream, MOTW is not set for the files in the disk image file. Please see also the following:
- Mark-of-the-Web from a red team’s perspective by Stan Hegt (@stanhacked)
- The Dangers of VHD and VHDX Files by Will Dormann (@wdormann)
- Subvert Trust Controls: Mark-of-the-Web Bypass (an article in MITRE ATT&CK knowledge base).
Update on 11 April 2022:
According to the blog article .ISO Files With Office Maldocs & Protected View in Office 2019 and 2021 by Didier Stevens (@DidierStevens), Office 2019 and 2021 use protected view to open Office document stored inside an ISO file with MOTW. This behavior was introduced in August 2021.
-
Macros from the internet will be blocked by default in Office
https://docs.microsoft.com/en-us/deployoffice/security/internet-macros-blocked -
Details about the Mark-of-the-Web (MOTW)
https://nolongerset.com/mark-of-the-web-details/ -
Downloads and the Mark-of-the-Web
https://textslashplain.com/2016/04/04/downloads-and-the-mark-of-the-web/ -
Mark-of-the-Web from a red team’s perspective
https://outflank.nl/blog/2020/03/30/mark-of-the-web-from-a-red-teams-perspective/ -
The Dangers of VHD and VHDX Files
https://insights.sei.cmu.edu/blog/the-dangers-of-vhd-and-vhdx-files/ -
Subvert Trust Controls: Mark-of-the-Web Bypass
https://attack.mitre.org/techniques/T1553/005/
Nobutaka Mantani (@nmantani)