Microsoft Disables MSIX Protocol Handler Amid Rising Malware Threats

Key Takeaways:

  • Microsoft has disabled the MSIX ms-appinstaller protocol handler by default due to ongoing exploitation by threat actors.
  • Cybercriminals exploit the ms-appinstaller protocol handler to distribute malware through malicious websites.
  • Microsoft recommends installing App Installer version 1.21.3421.0 to block exploitation attempts.

Microsoft has disabled the MSIX ms-appinstaller protocol handler by default due to active exploitation by financially motivated threat groups. The Windows feature, intended for installing applications directly from web servers, now acts as a pathway for deploying malware on Windows systems.

The ms-appinstaller protocol is a Windows feature that allows users to install applications directly from a web server. When a user clicks on an ms-appinstaller link, the Windows system downloads a small XML file containing information about the app (the name, publisher, and version) and a link to the app’s MSIX package.
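The following Python sketch is an added example, not code from Microsoft or the original article. It shows how a defender could triage an ms-appinstaller link found in a proxy log or chat message: pull out the manifest URL, then read the name, publisher, version, and package link from the XML. The sample link, hosts, and manifest are constructed, and the two review notes are heuristics assumed for this example.

```python
import xml.etree.ElementTree as ET
from urllib.parse import parse_qs, urlsplit

# Constructed sample data (not real indicators).
SAMPLE_LINK = "ms-appinstaller:?source=https://downloads.example/meetings.appinstaller"
SAMPLE_MANIFEST = b"""<?xml version="1.0" encoding="utf-8"?>
<AppInstaller xmlns="http://schemas.microsoft.com/appx/appinstaller/2018"
              Version="1.0.0.0" Uri="https://downloads.example/meetings.appinstaller">
  <MainPackage Name="ExampleMeetings" Publisher="CN=Example Publisher"
               Version="1.0.0.0" Uri="http://cdn.example.net/ExampleMeetings.msix" />
</AppInstaller>"""


def source_from_link(link):
    """Return the manifest URL carried by an ms-appinstaller link, else None."""
    parts = urlsplit(link.strip())
    if parts.scheme.lower() != "ms-appinstaller":
        return None
    values = parse_qs(parts.query).get("source")
    return values[0] if values else None


def summarize_manifest(xml_bytes, manifest_url):
    """Extract what the manifest says would be installed, plus review notes."""
    if b"<!DOCTYPE" in xml_bytes.upper():
        raise ValueError("unexpected DTD in .appinstaller file")  # refuse entity tricks
    root = ET.fromstring(xml_bytes)
    local = lambda tag: tag.rsplit("}", 1)[-1]  # ignore the schema-version namespace
    main = next((e for e in root if local(e.tag) in ("MainPackage", "MainBundle")), None)
    if local(root.tag) != "AppInstaller" or main is None:
        raise ValueError("not an App Installer manifest")
    pkg = urlsplit(main.get("Uri", ""))
    notes = []  # heuristics assumed for this example, not Microsoft guidance
    if pkg.scheme.lower() != "https":
        notes.append("package not served over https")
    if pkg.hostname != urlsplit(manifest_url).hostname:
        notes.append("package host differs from manifest host")
    return {"name": main.get("Name"), "publisher": main.get("Publisher"),
            "version": main.get("Version"), "package_url": main.get("Uri"),
            "notes": notes}


if __name__ == "__main__":
    url = source_from_link(SAMPLE_LINK)
    print(url, summarize_manifest(SAMPLE_MANIFEST, url))
```

The name and publisher reported here are only what the server's XML claims, so treat them as triage hints rather than a verified identity.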

In recent months, Microsoft has observed that cybercriminals (including groups like Storm-0569, Storm-1113, Storm-1674, and Sangria Tempest) exploit the ms-appinstaller protocol handler to distribute malware. These hackers use malicious advertisements to lure users to websites that distribute malicious MSIX application packages. Additionally, attackers use Microsoft Teams to launch phishing campaigns.

“Multiple cybercriminals are also selling a malware kit as a service that abuses the MSIX file format and ms-appinstaller protocol handler,” the Microsoft Threat Intelligence team explained. “The observed activity includes spoofing legitimate applications, luring users into installing malicious MSIX packages posing as legitimate applications, and evading detections on the initial installation files.”

A malicious landing page spoofing Zoom accessed via malicious search engine advertisement for Zoom downloads

Microsoft noted that the hackers opted for the ms-appinstaller protocol handler because it can be used to bypass malware protection capabilities in Windows. These include Microsoft Defender SmartScreen and the warnings for downloads of executable file formats in web browsers.

App Installer Exploited in Emotet, BazarLoader Attacks

Microsoft patched the CVE-2021-43890 Windows AppX Installer spoofing vulnerability back in December 2021. Attackers exploited the security flaw to install specially crafted packages and deploy the Emotet/Trickbot/BazarLoader malware families.

Last year, Microsoft temporarily disabled the MSIX protocol handler to protect Windows devices. According to cybersecurity researcher Will Dormann, the patch for CVE-2021-43890 was accidentally removed again in April 2023, leaving Windows 10 and 11 machines vulnerable to malware attacks.

Recommendations

Microsoft recommends that customers install App Installer version 1.21.3421.0 to mitigate potential risks. However, IT admins who want to use the ms-appinstaller protocol can set the Group Policy “EnableMSAppInstallerProtocol” to “Disabled.”

Lastly, Microsoft advises organizations to use phishing-resistant authentication methods and configure conditional access (CA) policies. It’s also important to enable advanced security mechanisms in Microsoft Defender for Office 365, as well as train employees on the secure use of Microsoft Teams and the web browser.