Content of SettingContent-ms file

Microsoft has updated the list of dangerous files it blocks inside Office 365 documents, and has added the ".SettingContent-ms" file format to that list.

The SettingContent-ms file format is a special "shortcut" file that opens Microsoft's new Windows Settings panel that it launched with the release of Windows 8 and which is featured primarily in Windows 10 over the old Control Panel system.

Malware authors were experimenting with SettingContent-ms files

Microsoft took the decision to block SettingContent-ms files inside Office 365 after a security researcher published a report in June showing how someone could embed these files inside Office documents and achieve remote code execution on Windows 10.

Malware authors didn't stand idly and have been experimenting with the technique for the past month, albeit no serious malspam campaign has used it until now.

But Microsoft's Office 365 team didn't want to stand by and wait for one to take the place. This week, the company's engineers updated the Packager Activation list.

The Packager Activation list is a collection of "dangerous files" that Microsoft blocks users from embedding inside Office documents via the OLE (Object Linking and Embedding) feature.

This list now includes 108 "dangerous" file extensions. Besides ContentSetting-ms, the list also contains classic file formats such as CHM, EXE, HTA, JS, MSI, VBS, WSF, and all the different PowerShell extensions. If users open a Word file containing an OLE object that tries to run one of these malicious file types, an error like the following will appear on the user's screen.

OLE blocked message

The Microsoft "Packager Activation in Office 365 desktop applications" FAQ page includes information on how someone can customize this list and remove extensions or add more.

Change will most likely trickle down to

Historically, has blocked email file attachments using the same list Office has used to block OLE activation.

This means malware authors won't be able to send SettingContent-ms files to users as well. Nonetheless, most email attachments that carry malware nowadays are never sent in the clear, and the malicious files are almost always hidden in double-zipped or password-protected archives.

The Packager Activation list for Office 365 can also be ported to older Office versions using a registry key system, detailed here.

Related Articles:

Windows 10 Insider Build 18298 Brings New Features and Improvements

Windows 10 Testing New Conversational Date Format in File Explorer

Edge Browser Can Now Sign Into Microsoft Accounts With FIDO2 Security Keys

Erratic Windows 10 Bug Breaks Changing of Default File Associations

Microsoft Bug is Deactivating Windows 10 Pro Licenses and Downgrading to Home