Microsoft warns that malicious actors, including financially motivated attackers, are using App Installer to distribute malware.
According to Microsoft Threat Intelligence, malicious actors have been using the ms-appinstaller URI scheme (app installer) to distribute malware since at least mid-November 2023. Microsoft has disabled the protocol handler to combat that exploit.
The observed threat actor activity could exploit the current implementation of the ms-appinstaller protocol handler as an access vector for malware, potentially leading to ransomware distribution. Several cybercriminals are selling malware kits as a service that abuse the MSIX file format and the ms-appinstaller protocol handler. These attackers distribute signed malicious MSIX application packages through websites reached via malicious advertisements for legitimate, popular software. A second vector, phishing via Microsoft Teams, is also used by Storm-1674.
Threat actors chose the ms-appinstaller protocol handler vector because it can bypass mechanisms designed to protect users from malware, such as Microsoft Defender SmartScreen and the built-in browser warnings shown when downloading executable file formats.
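Because the handler is invoked through a link rather than a file download, the link itself is the artifact a defender can look for. The following is an added example, not code from Microsoft's advisory: it scans constructed proxy-style log lines for ms-appinstaller: links, pulls the package URL out of the source parameter, and flags any that point at a package host outside an allow-list. The log format (a quoted url="..." field) and the hosts (all under .invalid) are assumptions made up for the example.

```python
import re
from urllib.parse import urlsplit, parse_qs, unquote

# Constructed sample log lines for the example; the hosts are not real IoCs.
SAMPLE_LOGS = [
    '2023-12-05T10:12:03Z user=alice url="https://example-download.invalid/setup"',
    '2023-12-05T10:12:04Z user=alice url="ms-appinstaller:?source=https://cdn.example.invalid/tools/app.msix"',
    '2023-12-05T10:13:11Z user=bob url="ms-appinstaller:?source=https%3A%2F%2Fupdate.example.invalid%2Fpkg.appinstaller"',
    '2023-12-05T10:14:20Z user=carol url="https://intranet.example.invalid/portal"',
]

# Assumed log layout: the requested URL sits in a quoted url="..." field.
URL_RE = re.compile(r'url="([^"]+)"')

# File types the App Installer handler will fetch and install from a source= URL.
PACKAGE_EXTENSIONS = (".msix", ".msixbundle", ".appx", ".appxbundle", ".appinstaller")


def extract_appinstaller_source(url):
    """Return the package URL carried by an ms-appinstaller: link, or None.

    The scheme's form is ms-appinstaller:?source=<url>; the source value may
    be percent-encoded, so it is decoded before being returned.
    """
    if not url.lower().startswith("ms-appinstaller:"):
        return None
    query = url.split(":", 1)[1].lstrip("?")
    sources = parse_qs(query).get("source")
    if not sources:
        return None
    return unquote(sources[0])


def classify(url):
    """Describe an ms-appinstaller: link: where it fetches from and whether it names a package."""
    source = extract_appinstaller_source(url)
    if source is None:
        return None
    parts = urlsplit(source)
    return {
        "source": source,
        "host": (parts.hostname or "").lower(),
        "package": parts.path.lower().endswith(PACKAGE_EXTENSIONS),
    }


def scan(lines, allowed_hosts=()):
    """Return (log line, finding) pairs for ms-appinstaller: links whose package host is not allow-listed."""
    allowed = {h.lower() for h in allowed_hosts}
    findings = []
    for line in lines:
        match = URL_RE.search(line)
        if not match:
            continue
        finding = classify(match.group(1))
        if finding and finding["host"] not in allowed:
            findings.append((line, finding))
    return findings


if __name__ == "__main__":
    for line, finding in scan(SAMPLE_LOGS, allowed_hosts=("update.example.invalid",)):
        print(f"ms-appinstaller link -> {finding['source']} (package={finding['package']})")
        print(f"  {line}")
```

Run over the sample lines, the scan reports the two ms-appinstaller: links; with update.example.invalid on the allow-list only the cdn.example.invalid package remains. In practice the allow-list would hold the hosts your software deployment actually fetches MSIX packages from, and any hit on a host outside it is worth a look regardless of whether the link was followed.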
This attack is especially dangerous for Teams users because the attacker is impersonating a legitimate Microsoft page.
Since early December 2023, Microsoft has identified instances where Storm-1674 distributed fake landing pages through messages delivered using Teams. The landing pages impersonate Microsoft services such as OneDrive and SharePoint, as well as other companies. Tenants created by threat actors are used to create meetings and send chat messages to potential victims using the meeting’s chat functionality.
More information, including a detailed analysis of the attack, can be found here. In the meantime, Microsoft says organizations should educate their Teams users so they can identify and protect against this exploit.
Educate Microsoft Teams users to check for the “external” tag on communication attempts from outside the organization, to be careful about what they share, and never to share account information or approve sign-in requests via chat.