A couple of weeks ago, Johannes gave me a malicious ISO file he had received: an ISO file containing a PE file.

And that made me wonder: "has Microsoft changed the behavior of Windows or Office when it handles untrusted ISO files?"

Years ago, at the ISC, we started to see malicious ISO files. Since Windows 10 (and later) supports mounting of ISO files, and that the "mark-of-web" is often not propagated to the contained files, it is a way to bypass Protected View in Office.

For example: create a maldoc (Word with VBA), put it inside an ISO file, and email the ISO file to your targets. The victims open the email & attachment: the attached ISO is saved to disk and marked as untrusted (coming from the Internet) and then opened. Then the victims open the contained Word document: it is not opened in Protected View, the yellow SECURITY WARNING banner appears immediately.

This behavior has changed now. If you are using Office 2021, or Office 2019 that you have updated since August 2021, then the document is now opened in ProtectedView:

Didier Stevens
Senior handler
Microsoft MVP
blog.DidierStevens.com