Microsoft thwarts hackers with disabled App Installer, stopping malware installs.

January 2, 2024

Microsoft has disabled the ms-appinstaller protocol handler after threat actors were observed spreading malware through it. Because a link that invokes the handler launches App Installer directly, it can bypass safeguards such as Microsoft Defender SmartScreen and the browser's built-in warnings for downloading executable files, which makes it an attractive vector for malware distribution. Microsoft Threat Intelligence has identified App Installer as a point of entry for human-operated ransomware activity by several threat actors. These actors have used various techniques, including spoofing legitimate applications and tricking users into installing malicious packages that appear legitimate. Microsoft has observed search engine optimization (SEO) poisoning used to spread malware, with threat actors impersonating websites that offer legitimate downloads. Financially motivated threat actors have also used search ads that mimic legitimate applications, such as Zoom, to distribute malware. Microsoft recommends implementing phishing-resistant user authentication, educating Microsoft Teams users to check the external tag on incoming communication attempts, and encouraging the use of browsers that support Microsoft Defender SmartScreen.
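Because the abuse described above hinges on users clicking `ms-appinstaller:?source=...` links, one defensive check is to hunt for those links in web-proxy or browser-history logs and flag any whose package host is not one your organisation expects to serve MSIX packages. The following is an added example, not code from Microsoft or from the article; the log format, the allowlisted host and the sample entries are all constructed assumptions.

```python
"""Flag ms-appinstaller: links in proxy logs whose package source is untrusted."""
import re
from urllib.parse import parse_qs, urlparse

# Assumption: hosts this (hypothetical) environment legitimately serves MSIX packages from.
TRUSTED_SOURCE_HOSTS = {"packages.example.internal"}

# Constructed proxy log lines in the form "<timestamp> <client-ip> <requested-url>".
SAMPLE_LOG = """\
2024-01-02T10:15:01Z 10.0.0.12 https://zoom.us/download
2024-01-02T10:16:44Z 10.0.0.12 ms-appinstaller:?source=https://zoom-downloads.example.test/Zoom.msixbundle
2024-01-02T10:17:02Z 10.0.0.25 ms-appinstaller:?source=https://packages.example.internal/Teams.msixbundle
2024-01-02T10:18:30Z 10.0.0.31 https://www.microsoft.com/
"""

# The protocol handler is invoked as ms-appinstaller:?<query>; the package URL is the "source" parameter.
MSAPPINSTALLER_RE = re.compile(r"ms-appinstaller:\?(?P<query>\S+)", re.IGNORECASE)


def extract_source(url):
    """Return the package URL carried by an ms-appinstaller: link, or None for ordinary URLs."""
    match = MSAPPINSTALLER_RE.search(url)
    if not match:
        return None
    source = parse_qs(match.group("query")).get("source")
    return source[0] if source else None


def find_suspicious(log_text, trusted_hosts=TRUSTED_SOURCE_HOSTS):
    """Return (client_ip, package_url) for each App Installer launch from a non-allowlisted host."""
    hits = []
    for line in log_text.splitlines():
        parts = line.split(maxsplit=2)
        if len(parts) < 3:
            continue  # malformed line, skip
        _, client, url = parts
        source = extract_source(url)
        if source is None:
            continue  # not a protocol-handler link
        host = (urlparse(source).hostname or "").lower()
        if host not in trusted_hosts:
            hits.append((client, source))
    return hits


if __name__ == "__main__":
    for client, source in find_suspicious(SAMPLE_LOG):
        print(f"{client} launched App Installer for untrusted package {source}")
```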
