Defending Against SettingContent-MS being used in MS Office and PDF Files


SettingContent-ms is an XML file format that lets users create a shortcut to Windows 10 Settings pages. Recently a serious vulnerability involving it was published by Matt Nelson, a researcher at SpecterOps. Only a week after his report, SettingContent-ms files were observed being used in PDF files in addition to MS Word documents, and TA505, a threat actor well known for malware campaigns, started exploiting the vulnerability in the wild. This is a type of attack that CDR (Content Disarm and Reconstruction) technology can handle easily: CDR removes OLE objects and JavaScript from MS Office and PDF documents and completely prevents this threat.

SettingContent-MS can Easily be Delivered as a Payload using OLE

Object Linking & Embedding (OLE) is a well-known Microsoft-developed technology that allows embedding and linking to documents and other objects. OLE objects have long been one of attackers' favorite ways to deliver malicious payloads to users. A SettingContent-ms object is particularly significant because the attack is not blocked by the Packager object restrictions in Office 365 applications or by the Attack Surface Reduction feature available in Windows 10, which was introduced as a defense mechanism against this type of OLE attack.

CDR Easily Removes Threats from Exploitable (OLE) Objects

As with macro-based and macro-less attacks generally, OLE objects are heavily utilized for delivering malware payloads. Data Sanitization (CDR) is a technology that removes exploitable objects such as macros and OLE objects without losing key functionality such as search and editing, while retaining all text and image information.
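As an added example, not OPSWAT's Data Sanitization code and not part of the original post, here is a minimal CDR-style pass over a DOCX package in Python: it drops every part under word/embeddings/ (the carrier for a packaged OLE object such as a SettingContent-ms file), the relationship entries and <w:object> containers that point at them, and leaves the text runs untouched. The sample document and the OLE blob stand-in are constructed inline; a production CDR also rewrites [Content_Types].xml and handles PDFs, which this omits.

```python
"""CDR-style DOCX sanitizer: strip embedded OLE parts, keep the text. Added example; sample doc is constructed."""
import io
import re
import zipfile

# OOXML relationship types that point at embedded objects ("package" is what Packager uses).
OLE_REL_TYPES = tuple(f"http://schemas.openxmlformats.org/officeDocument/2006/relationships/{t}"
                      for t in ("oleObject", "package"))
REL_PATTERN = rb'<Relationship\b[^>]*Type="(?:%s)"[^>]*/>' % b"|".join(
    re.escape(t.encode()) for t in OLE_REL_TYPES)

def parts_of(data: bytes) -> dict[str, bytes]:
    """Map every part name in the package to its raw content."""
    with zipfile.ZipFile(io.BytesIO(data)) as z:
        return {n: z.read(n) for n in z.namelist()}

def sanitize_docx(data: bytes) -> tuple[bytes, list[str]]:
    """Return (sanitized package, names of removed parts)."""
    removed, out = [], io.BytesIO()
    with zipfile.ZipFile(out, "w", zipfile.ZIP_DEFLATED) as dst:
        for name, content in parts_of(data).items():
            if name.startswith("word/embeddings/"):
                removed.append(name)  # drop the OLE payload itself
                continue
            if name == "word/_rels/document.xml.rels":
                content = re.sub(REL_PATTERN, b"", content)  # and the links to it
            elif name == "word/document.xml":
                # and the <w:object> container that displayed it; text runs are untouched
                content = re.sub(rb"<w:object\b.*?</w:object>", b"", content, flags=re.S)
            dst.writestr(name, content)
    return out.getvalue(), removed

def build_sample_docx() -> bytes:
    """Constructed minimal DOCX: one text paragraph plus one embedded OLE package."""
    ns = ('xmlns:w="http://schemas.openxmlformats.org/wordprocessingml/2006/main" '
          'xmlns:o="urn:schemas-microsoft-com:office:office" '
          'xmlns:r="http://schemas.openxmlformats.org/officeDocument/2006/relationships"')
    parts = {
        "word/document.xml": f"<w:document {ns}><w:body><w:p><w:r><w:t>Quarterly report</w:t></w:r></w:p>"
            '<w:p><w:r><w:object><o:OLEObject Type="Embed" ProgID="Package" r:id="rId1"/>'
            "</w:object></w:r></w:p></w:body></w:document>",
        "word/_rels/document.xml.rels": '<Relationships><Relationship Id="rId1" '
            f'Type="{OLE_REL_TYPES[1]}" Target="embeddings/oleObject1.bin"/></Relationships>',
        "word/embeddings/oleObject1.bin": "CONSTRUCTED STAND-IN FOR AN OLE COMPOUND FILE",
    }
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        for name, body in parts.items():
            z.writestr(name, body)
    return buf.getvalue()
```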

Demo of How Data Sanitization (CDR) Works to Defend Against a SettingContent-ms Attack

Case 1: Proof of Concept: SettingContent-ms Attack Using a Microsoft Office File

This proof of concept video shows how an attacker can use SettingContent-ms in a DOCX file to attack a victim and how OPSWAT Data Sanitization removes the malware threat.

Case 2: Proof of Concept: A video that shows how a PDF file is used to distribute the FlawedAmmyy RAT. This use case was discovered by the Proofpoint team.


Special thanks to Vinh Lam, OPSWAT Software Architect, for preparing the proof of concept demos. 

For more details about how CDR works, please refer to