How to prevent sideloading attacks in Windows and Office 365

Attackers know how to manage and monitor our systems better than we do. They will analyse how best to gain entrance to our networks. 

Attackers have found yet another way to deploy malware into our networks: a process called sideloading. Sideloading is the installation of an app onto a device from a trusted source such as the Microsoft Store. Attackers can exploit the process by convincing users they are installing a trustworthy app that actually carries a malicious payload.

Sophos recently blogged about an attack that attempted to trick Sophos staff with a targeted email and then used sideloading to install a custom application hosted on the Microsoft Store (now removed). 

The application would have installed malware and ransomware into a network. We’ve also seen attackers use Office 365 third-party applications to gain access to a network and steal key information. So, what options do users have to block and defend themselves from sideloading attacks?

Teach users to spot risks

First, end user education is a key way to keep the network secure. An appropriately paranoid end-user will often stop, think and not click on something and send the offending email to the help desk to review. I also recommend that customers perform phishing simulations to see if their users are phishing aware.

Block sideloading attacks using Intune

Users can block sideloading using Group Policy, registry settings or Intune settings. In Intune, users can set a Windows 10 Device restriction policy with these steps:

• Create the profile in Microsoft Endpoint Manager Administrative Center.
• Select in order “Devices”, “Configuration profiles” and “Create profile”.
• In “Platform”, choose “Windows 10 and later”.
• In the “Profile” section, select “Device restrictions” or select “Templates” and then “Device restrictions”.
• Select “Create”.
• In “Basics” enter a descriptive name for the policy as well as a description for the policy so that users can track the setting.
• Select “Next”.
• Review the settings in “Configuration settings”.
• Select “Next”.
• Define Scope tags to better identify the platform users are managing and track where they are setting the policy.
• Select “Next”.
• Choose assignments to select the users or groups that will receive this policy.
• Select “Next” and then “Review and create”.
• Choose to limit access to the Microsoft Store.
• Select “Trusted app installation” and choose “Block” from the options below to prevent non-Microsoft applications from being installed on Windows 10 and 11.
  • Not configured (default): Intune doesn't change or update this setting.
  • Block: Prevents sideloading. Non-Microsoft Store apps can't be installed.
  • Allow: Allows sideloading. Non-Microsoft Store apps can be installed.

Block sideloading attacks using Group Policy

Users can also follow these steps in Group Policy to block sideloading attacks. Select in order:

• “Computer Configuration”
• “Administrative Templates”
• “Windows Components
• “App Package Deployment”
• Select and disable these two settings:
  • Allow development of Windows Store apps and installing them from an integrated development environment (IDE).
  • Allow all trusted apps to install.

Disabling these policies ensures that any malicious sideloading applications can’t be snuck into the platform. It also means that any legitimate Microsoft Store application can’t be installed, so users may need to enable and disable as needed.

Block sideloading attacks using a registry key

To block sideloading via a registry key, edit the HKEY local machine and then look for the settings under Software, Policies, Microsoft, Windows, and App. Use a DWORD value of “0” to block sideloading.

Registry Hive HKEY_LOCAL_MACHINE

Registry Path Software\Policies\Microsoft\Windows\Appx

Value Name AllowAllTrustedApps

Value Type REG_DWORD

Enabled Value 1

Disabled Value 0

Preventing sideloading attacks in Office 365

I’ve also seen reports that Office 365 third-party applications have been used to obtain more rights in the network or steal information from a network. I strongly recommend reviewing the policy setting for “Manage user consent to apps in Microsoft 365” and set up an admin approval flow so that any user who either requests access to an application or inadvertently allows third-party application access has to go through an administrative user approval process.

In the Admin Center, select in order:

• “Settings”
• “Org settings”
• “Services page”
• “User consent to apps”
• “Turn user consent on or off”

Users may wish delegate rights to approve such requests to certain users. While the approval can come from a global administrator, it might not be feasible in a larger network. The approvals can also go to a cloud application administrator or application administrator.

To set up approval rights, follow these steps:

• Sign into the Azure portal as a global administrator.
• Select “All services” at the top of the left navigation menu.
• In the Azure Active Directory Extension filter search box, type "Azure Active Directory".
• Select the Azure Active Directory item.
• From the navigation menu, Select “Enterprise applications”.
• Under “Manage”, select “User settings”.
• Under “Admin consent requests”, set “Users can request admin consent to apps they are unable to consent” to “Yes”.

Select the users to review admin consent requests for this workflow from a set of users that have the global administrator, cloud application administrator, or application administrator roles. Users must designate at least one reviewer before the workflow can be turned on. These users must have at least an application administrator role before the role can take effect; merely selecting usernames will not elevate them to the proper right.

Selected users will receive email notifications for requests. They'll want to enable or disable email notifications to the reviewers when a request is made. Selected users will receive request expiration reminders. Enable or disable reminder email notifications to the reviewers when a request is about to expire. 

Finally, set the number days after which a consent request expires. The user in the administrative review role should be trained to react to these approval processes in a reasonable time frame.

Attackers know that users often install applications. Ensure that network settings protect the network from such entry processes. Then “patch" humans and train them to be more aware of these attack techniques.