If you haven’t noticed malicious emails abusing Microsoft Library Description files (.library-ms), watch out and block them.
From Microsoft “Library description files are XML files that define libraries. Libraries aggregate items from local and remote storage locations into a single view in Windows Explorer.”
Threat actors, in an effort to evade detection, use them as a way of connecting their target to a remote share directly via File Explorer.
https://learn.microsoft.com/en-us/windows/win32/shell/library-schema-entry
#ThreatIntel
Fellows /
npub1x6…0qtcd
2025-02-18 15:20:54
Author Public Key
npub1x6rdj7gu3magc9j29a042njygsjx9hg3husmk45sjf9n7rhx85fqs0qtcdPublished at
2025-02-18 15:20:54Event JSON
{
"id": "2c71166b6ff21b6656341afabbcfd3a16ef8aa71257a8db42fe5da577430b1ee",
"pubkey": "3686d9791c8efa8c164a2f5f554e44442462dd11bf21bb5690924b3f0ee63d12",
"created_at": 1739892054,
"kind": 1,
"tags": [
[
"t",
"threatintel"
],
[
"proxy",
"https://cyberplace.social/@fellows/114025565654008703",
"web"
],
[
"proxy",
"https://cyberplace.social/users/fellows/statuses/114025565654008703",
"activitypub"
],
[
"L",
"pink.momostr"
],
[
"l",
"pink.momostr.activitypub:https://cyberplace.social/users/fellows/statuses/114025565654008703",
"pink.momostr"
],
[
"-"
]
],
"content": "If you haven’t noticed malicious emails abusing Microsoft Library Description files (.library-ms), watch out and block them. \n\nFrom Microsoft “Library description files are XML files that define libraries. Libraries aggregate items from local and remote storage locations into a single view in Windows Explorer.”\n\nThreat actors, in an effort to evade detection, use them as a way of connecting their target to a remote share directly via File Explorer. \n\nhttps://learn.microsoft.com/en-us/windows/win32/shell/library-schema-entry\n\n#ThreatIntel",
"sig": "3184b56c6e2c43291be23115d4c055319e3d0414b2fd527da6bed98e802eb0a8da5904e9c64c385d0e1f8fd75fb29e92d80146cce15a690471d071e1e5964854"
}