Mark of the Web (MOTW) - Challenges, Bypass Methods, and Solutions

Logo
Presented by

Arnold Osipov, Malware Researcher and Michael Gorelik, CTO

About this talk

Microsoft identifies Office documents originating from an email attachment or the internet with a Mark of the Web (MOTW). Used by other applications such as Windows Defender SmartScreen, and other security tools as well, MOTW labels a document as being from an untrusted location to an application opening the file, enabling it to block macros and active content, and to apply other policies to the file. This fall, Microsoft announced it would block macros by default in Office documents downloaded from the internet, and on November 8th Microsoft announced that MOTW will propagate into file containers such as .ISO, .IMG, .ZIP and other archives. While these policies improve security, MOTW is prone to vulnerabilities, and threat actors are adapting their tactics to continue using weaponized content as a primary attack vector on organizations. Watch this webinar on-demand to hear directly from our Threat Labs team. In this virtual event, Morphisec's expert threat researchers review Microsoft’s new policies, the security efficacy provided by MOTW, and present methods attackers use to bypass these mechanisms. These include tampering with the file certificates to avoid MOTW inspection, social engineering, and other techniques. We provide technical explanations with real-world examples based on Morphisec’s Threats Lab data, so you can understand how threats are shifting, and plan accordingly.
Related topics:

More from this channel

Upcoming talks (0)
On-demand talks (40)
Subscribers (1984)
Morphisec offers prevention-first cybersecurity from endpoint to the cloud. Morphisec provides real-time risk visibility and secures device memory at runtime to stop the most damaging, undetectable attacks. This includes ransomware, supply chain attacks, fileless attacks, zero-days, and other advanced, stealthy, evasive attacks. Morphisec's Automated Moving Target Defense (AMTD) technology provides a lightweight, Defense-in-Depth security layer to augment solutions like NGAV, EPP, and EDR/XDR and close their runtime memory security gap against undetectable cyberattacks.