Microsoft disables feature after abuse by threat actors

Application developers relying on Windows’ App Installer feature for distributing software over the web will have to find another vehicle, after Microsoft disabled a key protocol because it is being abused by threat actors.

Microsoft said Thursday it has disabled the ms-appinstaller protocol handler by default because at least four groups have been using it in the past two months to distribute malware.

It’s the second time in two years that Microsoft has blocked this protocol because of abuse.

The protocol allows developers to send links that start with ms-appinstaller:// rather than the more familiar http:// or https://  to trigger Microsoft’s App Installer system that orchestrates a download process.

Not only are threat groups abusing the protocol, multiple cybercriminals are also selling a malware kit as a service that abuses the MSIX file format. These threat actors distribute signed malicious MSIX application packages using websites accessed through malicious advertisements for legitimate popular software.

“Threat actors have likely chosen the ms-appinstaller protocol handler vector because it can bypass mechanisms designed to help keep users safe from malware, such as Microsoft Defender SmartScreen and built-in browser warnings for downloads of executable file formats,” Microsoft says.

In one example of abuse, a gang is spreading malware by fooling people using search engines to find legitimate software such Zoom, Tableau, TeamViewer, and AnyDesk. Victims who click on links to these sites after doing a search go to a landing page spoofing the original software provider’s landing pages that include links to malicious installers through the ms-appinstaller protocol. The victim sees a popup box that says, for example, “Install Zoom?”. The box includes an “Install” button. One tip this is a scam: The box says the app publisher is “Legion LLC” instead of Zoom Communications.

Another gang is distributing so-called versions of Adobe Acrobat Reader. It first serves a message that the victim’s computer needs an update. A popup box says “Install Adobe Protected PDF Viewer?” Again, one sign this is a fraud is the Publisher is an unknown company instead of Adobe.

Infosec leaders should warn employees about the risks of downloading and installing applications without approval. Users should also be educated to use the browser URL navigator to validate that, upon clicking a link in search results, they have arrived at an expected legitimate domain. They should also be told to verify that the software that is being installed is expected to be published by a legitimate publisher.

It also helps to have phishing-resistant authentication processes.

The threat actors using this tactic are Storm-0569, Storm-1113, Sangria Tempest, and Storm-1674.

Would you recommend this article?


Thanks for taking the time to let us know what you think of this article!
We'd love to hear your opinion about this or any other story you read in our publication.

Jim Love, Chief Content Officer, IT World Canada

Featured Download

Howard Solomon
Howard Solomon
Currently a freelance writer, I'm the former editor of and Computing Canada. An IT journalist since 1997, I've written for several of ITWC's sister publications including and Computer Dealer News. Before that I was a staff reporter at the Calgary Herald and the Brampton (Ont.) Daily Times. I can be reached at hsolomon [@]

Related Tech News

Featured Tech Jobs


CDN in your inbox

CDN delivers a critical analysis of the competitive landscape detailing both the challenges and opportunities facing solution providers. CDN's email newsletter details the most important news and commentary from the channel.