eSentire White Logo

Security advisories | Feb 27, 2019

DeepLink – Macro-less Phishing

eSentire Threat Intelligence is aware of a recently discovered code execution technique affecting hosts running the Windows 10 operating system [1]. The Threat Intelligence team assesses with medium confidence that this technique does not pose an immediate threat to customers. Public samples examined by the eSentire Threat Intelligence team showed that antivirus solutions such as Windows Defender have released signatures to detect and block the DeepLink technique. At this time, eSentire has not observed threats employing this technique against eSentire customers. Should this change, eSentire Threat Intelligence will reassess the severity of this threat.

What we’re doing about it

  • Current esENDPOINT rules will detect known uses of this technique for customers with this service
  • Current esRECON checks identify assets with antivirus signatures out-of-date

What you should do about it

  • Update antivirus signatures
  • Conduct user awareness training around phishing and opening documents from unknown or suspicious sources
  • Implement a policy of least privilege [2]

Additional Information

  • By embedding Setting Content files inside Office documents (OLE) and PDFs (JavaScript/Embedded File), threat actors can achieve code execution without the use of document macros.
  • In Windows 10, Setting Content files (.SettingContent-ms) are XML configuration files used to create shortcuts to the Windows Control Panel. The configuration file contains a parameter called DeepLink that can be used to execute code.
  • When a user opens the malicious document, no additional security warnings or message boxes occur, making the attack less obvious to end users. During testing, Windows Defender, with Virus definition version - 1.271.491.0 or higher, detected and blocked malicious documents employing the DeepLink technique.
  • Below is a malicious Setting Content file that was embedded inside a PDF (Figure 1). Using the DeepLink parameter, it retrieved a malicious executable from a remote host.

Figure 1: A Setting Content File embedded inside a PDF

[image src="/assets/9e9fc3af4a/deeplink-macro-less-phishing-setting-content-file-embedded-inside-a-pdf.png" id="2022" width="607" height="210" class="leftAlone ss-htmleditorfield-file image" title="deeplink macro less phishing setting content file embedded inside a pdf" alt="deeplink macro less phishing setting content file embedded inside a pdf screen shot of code"]


[1] The Tale of Setting Content-MS Files

[2] US-CERT website archive Least Privilege