Security News > 2022 > February > Microsoft disables MSIX protocol handler abused in Emotet attacks

Microsoft has disabled the MSIX ms-appinstaller protocol handler exploited in malware attacks to install malicious apps directly from a website via a Windows AppX Installer spoofing vulnerability.
The likely reason for disabling the protocol altogether is to protect all Windows customers, including those who haven't yet installed the December security updates or applied the workarounds.
"We are actively working to address this vulnerability. For now, we have disabled the ms-appinstaller scheme. This means that App Installer will not be able to install an app directly from a web server. Instead, users will need to first download the app to their device, and then install the package with App Installer," said Microsoft Program Manager Dian Hartono.
As BleepingComputer reported, Emotet started spreading and infecting Windows 10 and Windows 11 systems in early December using malicious Windows AppX Installer packages camouflaged as Adobe PDF software.
While it looks like a legitimate Adobe app, App Installer will download and install a malicious appxbundle hosted on Microsoft Azure when the user clicks the Install button.
You can find more information, including the way Emotet abused the built-in Windows App Installer feature during the campaign, in our previous report.
News URL
Related news
- New ClickFix attack deploys Havoc C2 via Microsoft Sharepoint (source)
- Hidden Threats: How Microsoft 365 Backups Store Risks for Future Attacks (source)
- Microsoft Warns of Tax-Themed Email Attacks Using PDFs and QR Codes to Deliver Malware (source)
- Microsoft Defender will isolate undiscovered endpoints to block attacks (source)