Content of SettingContent-ms file

Microsoft has updated the list of dangerous files it blocks inside Office 365 documents, and has added the ".SettingContent-ms" file format to that list.

The SettingContent-ms file format is a special "shortcut" file that opens Microsoft's new Windows Settings panel, which launched with the release of Windows 8 and is featured primarily in Windows 10 in place of the old Control Panel system.

Malware authors were experimenting with SettingContent-ms files

Microsoft took the decision to block SettingContent-ms files inside Office 365 after a security researcher published a report in June showing how someone could embed these files inside Office documents and achieve remote code execution on Windows 10.

Malware authors didn't stand idly by and have been experimenting with the technique for the past month, although no serious malspam campaign has used it until now.

But Microsoft's Office 365 team didn't want to stand by and wait for one to take place. This week, the company's engineers updated the Packager Activation list.

The Packager Activation list is a collection of "dangerous files" that Microsoft blocks users from embedding inside Office documents via the OLE (Object Linking and Embedding) feature.

This list now includes 108 "dangerous" file extensions. Besides SettingContent-ms, the list also contains classic file formats such as CHM, EXE, HTA, JS, MSI, VBS, WSF, and all the different PowerShell extensions. If users open a Word file containing an OLE object that tries to run one of these malicious file types, an error like the following will appear on the user's screen.

OLE blocked message

The Microsoft "Packager Activation in Office 365 desktop applications" FAQ page includes information on how someone can customize this list and remove extensions or add more.

Change will most likely trickle down to

Historically, has blocked email file attachments using the same list Office has used to block OLE activation.

This means malware authors won't be able to send SettingContent-ms files to users either. Nonetheless, most email attachments that carry malware nowadays are never sent in the clear, and the malicious files are almost always hidden in double-zipped or password-protected archives.
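The following added example (not from the article or from Microsoft) shows the defensive consequence of that last point: an extension blocklist has to look inside archives, so the scanner walks nested ZIP attachments, reports entries whose extension is blocked, and flags encrypted entries it cannot inspect. The `BLOCKED` set holds only the extensions this article names plus `.ps1`; `MAX_DEPTH`, the verdict strings and the function names are assumptions.

```python
import io
import zipfile

# Subset of the blocked extensions named in the article (the full list has 108);
# .ps1 stands in for "the different PowerShell extensions".
BLOCKED = {".settingcontent-ms", ".chm", ".exe", ".hta", ".js", ".msi",
           ".vbs", ".wsf", ".ps1"}
MAX_DEPTH = 3  # assumed limit on archive nesting, to bound the work done


def scan_archive(data, path="", depth=0):
    """Return a list of (verdict, path) findings for a ZIP given as bytes."""
    findings = []
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return [("unreadable", path or "<attachment>")]
    with zf:
        for info in zf.infolist():
            inner = f"{path}/{info.filename}" if path else info.filename
            name = info.filename.lower()
            if any(name.endswith(ext) for ext in BLOCKED):
                findings.append(("blocked-extension", inner))
            if info.flag_bits & 0x1:
                # Encrypted entry: the name is visible, the content is not.
                findings.append(("encrypted", inner))
                continue
            if name.endswith(".zip"):
                if depth + 1 >= MAX_DEPTH:
                    findings.append(("too-deep", inner))
                else:
                    findings.extend(scan_archive(zf.read(info), inner, depth + 1))
    return findings


def build_sample():
    """Constructed sample: a blocked file inside a ZIP inside a ZIP."""
    inner = io.BytesIO()
    with zipfile.ZipFile(inner, "w") as z:
        z.writestr("invoice.SettingContent-ms", "<constructed placeholder/>")
        z.writestr("readme.txt", "harmless")
    outer = io.BytesIO()
    with zipfile.ZipFile(outer, "w") as z:
        z.writestr("documents.zip", inner.getvalue())
    return outer.getvalue()


if __name__ == "__main__":
    for verdict, where in scan_archive(build_sample()):
        print(verdict, where)
```

An encrypted entry is reported rather than skipped, so a mail filter can quarantine or escalate archives it is unable to open.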

The Packager Activation list for Office 365 can also be ported to older Office versions using a registry key system, detailed here.
