On Friday, Microsoft announced it has temporarily disabled the MSIX protocol handler in Windows systems due to the exploitation of this feature by Emotet and BazaarLoader malware.
The ms-appinstaller protocol allows MSIX packages to be installed directly from the Internet. An XML manifest is served first, and the endpoint then retrieves only the files it actually needs, saving bandwidth and disk space. Threat actors are currently abusing this mechanism in phishing attacks that spoof the signatures in MSIX package files. For example, malicious sites prompt users to download an “Adobe PDF Component” that is supposedly required to view the urgent document referenced in the phishing email. The link to that component is in fact an “ms-appinstaller://” link, and following it installed a version of the BazaarLoader malware. No date was given for re-enabling the ms-appinstaller protocol.
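As an added detection example (not code from the article or from Microsoft), the following Python scanner pulls ms-appinstaller links out of captured mail bodies, web pages or proxy logs, works out which host the package manifest would be fetched from, and flags any host that is not on a defender-maintained allow-list of package sources. The `ms-appinstaller:?source=<url>` link form, the allow-list and the sample input are assumptions constructed for the example.

```python
import re
from urllib.parse import parse_qs, unquote, urlparse

# Matches both the documented "ms-appinstaller:?source=<url>" form (assumed here)
# and the bare "ms-appinstaller://<host>/<file>" form quoted in the article.
_APPINSTALLER_RE = re.compile(r"ms-appinstaller:(?://)?[^\s\"'<>]+", re.IGNORECASE)

# Constructed sample: a phishing-page anchor, a proxy log line, and a benign link.
SAMPLE = """<a href="ms-appinstaller:?source=https%3A%2F%2Fcdn.example.invalid%2Fadobe-pdf-component.appinstaller">Download Adobe PDF Component</a>
2021-12-03T10:15:22Z proxy GET ms-appinstaller://updates.example.invalid/reader.appinstaller
<a href="https://intranet.example.invalid/app.appinstaller">internal</a>
"""


def extract_appinstaller_links(text):
    """Return one dict per ms-appinstaller link: the raw link, the manifest URL and its host."""
    findings = []
    for match in _APPINSTALLER_RE.finditer(text):
        link = match.group(0)
        rest = link.split(":", 1)[1]          # everything after the scheme
        if rest.startswith("?"):
            # Query form: the manifest URL is the (percent-encoded) "source" parameter.
            params = parse_qs(rest[1:])
            source = unquote(params.get("source", [""])[0])
        else:
            # Bare form: treat the remainder as host/path.
            source = unquote(rest.lstrip("/"))
        # Parse with or without a scheme so hostname extraction works for both forms.
        parsed = urlparse(source) if "://" in source else urlparse("//" + source)
        findings.append({"link": link, "source": source, "host": parsed.hostname})
    return findings


def triage(text, trusted_hosts):
    """Label each link 'trusted' if its package host is allow-listed, otherwise 'suspicious'."""
    results = []
    for f in extract_appinstaller_links(text):
        verdict = "trusted" if f["host"] in trusted_hosts else "suspicious"
        results.append((f["link"], f["host"], verdict))
    return results


if __name__ == "__main__":
    for link, host, verdict in triage(SAMPLE, {"updates.example.invalid"}):
        print(f"{verdict:10s} {host:30s} {link}")
```

Feeding real mail or proxy captures through `triage` with your own allow-list surfaces every ms-appinstaller install attempt that points outside approved package sources, which is the pattern the phishing campaign above relies on.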