Content of SettingContent-ms file

Microsoft has updated the list of dangerous files it blocks inside Office 365 documents, and has added the ".SettingContent-ms" file format to that list.

The SettingContent-ms file format is a special "shortcut" file that opens Microsoft's new Windows Settings panel, which the company launched with the release of Windows 8 and which Windows 10 features primarily over the old Control Panel system.

Malware authors were experimenting with SettingContent-ms files

Microsoft took the decision to block SettingContent-ms files inside Office 365 after a security researcher published a report in June showing how someone could embed these files inside Office documents and achieve remote code execution on Windows 10.

Malware authors didn't stand idly by and have been experimenting with the technique for the past month, although no serious malspam campaign has used it so far.

But Microsoft's Office 365 team didn't want to stand by and wait for one to take place. This week, the company's engineers updated the Packager Activation list.

The Packager Activation list is a collection of "dangerous files" that Microsoft blocks users from embedding inside Office documents via the OLE (Object Linking and Embedding) feature.

This list now includes 108 "dangerous" file extensions. Besides SettingContent-ms, the list also contains classic file formats such as CHM, EXE, HTA, JS, MSI, VBS, WSF, and all the different PowerShell extensions. If users open a Word file containing an OLE object that tries to run one of these dangerous file types, an error like the following will appear on the user's screen.

OLE blocked message

The Microsoft "Packager Activation in Office 365 desktop applications" FAQ page includes information on how someone can customize this list and remove extensions or add more.
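Documents already on disk or in a mail quarantine can be triaged for the same extensions. The following is an added example, not code from Microsoft or from this article: a heuristic Python scan of the OLE parts inside an OOXML file (.docx, .xlsx, .pptx) for embedded file names that end in a listed extension. `BLOCKED` is only the subset of the list named above plus `.ps1`, and `MAX_PART` and the sample document are constructed for the example; legacy binary .doc files are not handled.

```python
import io
import re
import zipfile

# Subset of the Packager Activation list: the extensions the article names, plus
# .ps1 as one representative PowerShell extension (the real list has 108 entries).
BLOCKED = ("settingcontent-ms", "chm", "exe", "hta", "js", "msi", "vbs", "wsf", "ps1")
MAX_PART = 32 * 1024 * 1024  # assumed cap so a zip bomb cannot exhaust memory

# A printable-ASCII name ending in a blocked extension and a NUL terminator.
# Heuristic: it searches raw bytes and does not parse the OLE compound file.
NAME_RE = re.compile(
    rb"([\x20-\x7e]{1,255}?\.(?:"
    + b"|".join(re.escape(e.encode()) for e in BLOCKED)
    + rb"))\x00",
    re.IGNORECASE,
)

def scan_office_doc(data: bytes) -> dict:
    """Map each embedded OLE part of an OOXML file to the blocked names it references."""
    findings = {}
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            # Word, Excel and PowerPoint store OLE objects under */embeddings/.
            if "/embeddings/" not in info.filename.lower():
                continue
            if info.file_size > MAX_PART:
                findings[info.filename] = ["<part too large to scan>"]
                continue
            names = {
                m.group(1).decode("ascii").rsplit("\\", 1)[-1].lower()
                for m in NAME_RE.finditer(zf.read(info))
            }
            if names:
                findings[info.filename] = sorted(names)
    return findings

def build_sample() -> bytes:
    """Constructed test document: name strings only, not a real OLE object."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("word/document.xml", "<w:document/>")
        zf.writestr("word/embeddings/oleObject1.bin",
                    b"\x02\x00update.SettingContent-ms\x00"
                    b"C:\\Users\\test\\update.SettingContent-ms\x00\x00\x00")
        zf.writestr("word/embeddings/oleObject2.bin", b"\x02\x00chart.png\x00")
    return buf.getvalue()
```

A hit is a reason to inspect the object with a proper OLE parser, and a clean result is not proof of absence, since a name can be split across sectors inside the compound file.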

Change will most likely trickle down to Outlook.com

Historically, Outlook.com has blocked email file attachments using the same list Office has used to block OLE activation.

This means malware authors won't be able to send SettingContent-ms files to Outlook.com users either. Nonetheless, most email attachments that carry malware nowadays are never sent in the clear, and the malicious files are almost always hidden in double-zipped or password-protected archives.

The Packager Activation list for Office 365 can also be ported to older Office versions using a registry key system, detailed here.
