Mark-Of-The-Web Bypass with 7-zip


In 2022, Microsoft restricted the usage macros in office documents downloaded from the internet, a major leap forward to reduce the popular maldoc attack surface. However, attackers could still overcome this Mark-Of-The-Web restriction by packing the malicious document in a container, such as zip or ISO files. Upon extraction, the macro-enabled document would not appear to be downloaded from the internet and the evil macros can be executed. Tools like PackMyPayload demonstrate this concept.


The popular 7-zip software is one of the possibilities to bypass Mark-Of-The-Web. An attacker can simply 7-zip the malicious Word document and provide the victim with instructions to extract it via 7-zip, which would result in a macro-enabled document.


For example, the attacker could reply to a job posting and send his resume in an attached 7-zip file, with specific instructions on how to extract the document via 7-zip.


Pepper, the hiring manager who has 7-zip installed, can simply double-click the file and press "Open".

This would automatically open the archive with 7-zip.

From here, a simple drag-and-drop to desktop is enough to avoid Mark-Of-The-Web.


After opening the document, the victim is presented with a classic encouragement to Enable Content. Additionally, the CV appears to be encrypted for GDPR reasons. One can never have enough protection layers for his personal data!

When the victim follows the instructions, a legitimate-looking resume appears.


However, in the backend the malicious macro replaced a DLL on disk in a Microsoft Teams directory. This causes Teams to load the attacker's malware the next time the program starts.

DLL Proxying was used to preserve the functionality original DLL and the malicious DLL loaded encrypted Command and Control shellcode, embedded in a remote png on a webserver via steganography.

In this case, a Brute Ratel C2 session was started in Microsoft Teams.


In this article, we demonstrated that office macros can still be used to establish an initial foothold on a victim's machine through the use of containers to deliver the payload. However, it has become harder and takes more effort to convince the victim, which is definitely a step in the right direction!

Last updated