
SEO Poisoning Malware: How MSIX Installers Are Used to Compromise Endpoints

24 July 2024 · 14 min read · Precursor Security

SEO poisoning malware is an attack technique in which threat actors manipulate search engine rankings to surface malicious websites above legitimate results. When a victim clicks one of these results and downloads the offered installer - commonly an MSIX package - malware is silently deployed to their endpoint, bypassing SmartScreen and browser download warnings.

Why Are Threat Actors Increasingly Using MSIX Installers to Deliver Malware?

The global shift towards remote work has made applications like AnyDesk, Zoom, and Notion high-value lures. As employees routinely search for and download collaboration tools, threat actors have followed demand - distributing malicious Microsoft Application Package (MSIX) installers disguised as legitimate software downloads via SEO-poisoned search results and malvertising.

MSIX is an attractive delivery format for one specific reason: it bypasses the security controls most organisations rely on. Microsoft itself confirmed: "Threat actors have likely chosen the ms-appinstaller protocol handler vector because it can bypass mechanisms designed to help keep users safe from malware, such as Microsoft Defender SmartScreen and built-in browser warnings for downloads of executable file formats."

Microsoft was forced to disable the ms-appinstaller protocol handler twice in response to active exploitation. The first disablement followed CVE-2021-43890 (Windows AppX Installer Spoofing Vulnerability, CVSS 7.1 High, patched 14 December 2021), in which attackers crafted MSIX packages distributed via ms-appinstaller URIs that presented spoofed, trusted-looking install prompts while bypassing SmartScreen. The second disablement came in December 2023, documented in Microsoft Threat Intelligence's post "Financially motivated threat actors misusing App Installer" (Microsoft Security Blog, 28 December 2023). In that post, Microsoft attributed active ms-appinstaller abuse to at least four distinct financially motivated threat actor groups - Storm-0569, Storm-1113, Sangria Tempest (also tracked as EKTORO / Carbon Spider), and Storm-1674 - each distributing MSIX packages carrying valid code-signing certificates to make payloads appear to originate from legitimate publishers.

The FBI's Internet Crime Complaint Center (IC3) separately warned that cyber criminals were using malvertising to spread malware through search engine advertising, noting this technique specifically targets users who search for legitimate software (PSA I-120322-PSA, 21 December 2022, https://www.ic3.gov/Media/Y2022/PSA221221). The Sophos 2024 Threat Report identifies malvertising and SEO poisoning as a primary initial access technique against organisations, with MSIX and LNK-based delivery via poisoned search results specifically called out as significant vectors in the 2023 threat landscape.

The technique is classified by MITRE ATT&CK as T1608.006 (Stage Capabilities: SEO Poisoning) - a distinct technique from watering hole attacks (T1189), in which a legitimate site is compromised. In SEO poisoning the victim is diverted to an attacker-controlled or typosquatted site that has been artificially ranked; the delivery mechanism is the search result itself.

In July 2024, the Precursor Managed Detection & Response (MDR) team identified three typosquatted domains - amydlesk[.]com, notlilon[.]co, and notliion[.]com - serving malicious MSIX installers to users searching for AnyDesk and Notion. This blog post, authored by Nathan Burke, MDR Security Operations Centre (SOC) Analyst at Precursor, dissects that campaign.

How Were These Malicious MSIX Domains Discovered?

Precursor collects intelligence from a variety of sources, including network traffic analysis, threat intelligence feeds, and open-source intelligence (OSINT). Through this approach, Precursor identified reports related to the following domains:

  • amydlesk[.]com
  • notlilon[.]co
  • notliion[.]com

These domains are examples of typosquatting - a technique (MITRE ATT&CK T1583.001) in which a threat actor registers domain names containing common misspellings or variations of legitimate domains to exploit typing errors. In this case, the domains typosquat anydesk.com and notion.com, two applications with high enterprise adoption that employees routinely search for and download directly. AnyDesk and Notion are among the software brands most frequently impersonated in MSIX malware campaigns, alongside Zoom, Microsoft Teams, 7-Zip, and Adobe products, according to reporting from multiple threat intelligence vendors including eSentire, Malwarebytes Labs, and Proofpoint.
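The look-alike test described above can be automated. The following is an added example, not code from the Precursor post: it scores DNS query names against a watchlist of impersonated brands using Levenshtein edit distance, so that the three domains in this campaign stand out from the legitimate ones. The brand list and the two-edit threshold are assumptions.

```python
# Added example, not from the Precursor post: score DNS query names against a
# watchlist of impersonated brands with Levenshtein edit distance, so look-alike
# labels such as the three domains in the post stand out from the real ones.
# Brand list and threshold are assumptions; reputation data would be needed in
# practice to suppress hits on ordinary words near short brands (e.g. "zoom").

BRANDS = ["anydesk", "notion", "zoom", "teams", "7zip", "adobe"]
MAX_DISTANCE = 2  # assumption: up to two edits counts as a look-alike


def refang(indicator: str) -> str:
    """Undo the [.] defanging used in threat reports so values can be matched."""
    return indicator.replace("[.]", ".")


def registrable_label(domain: str) -> str:
    """Label left of the TLD, e.g. 'amydlesk' for amydlesk.com. Only the last
    label is stripped; use the Public Suffix List for suffixes like .co.uk."""
    labels = refang(domain).lower().rstrip(".").split(".")
    return labels[-2] if len(labels) >= 2 else labels[0]


def levenshtein(a: str, b: str) -> int:
    """Dynamic-programming edit distance (insert, delete, substitute cost 1)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,                 # delete ca
                           cur[j - 1] + 1,              # insert cb
                           prev[j - 1] + (ca != cb)))   # substitute
        prev = cur
    return prev[-1]


def typosquat_match(domain: str):
    """Return (brand, distance) for the closest brand within MAX_DISTANCE, or
    None. An exact brand label is the legitimate site and is never flagged."""
    label = registrable_label(domain)
    best = None
    for brand in BRANDS:
        d = levenshtein(label, brand)
        if d == 0:
            return None
        if d <= MAX_DISTANCE and (best is None or d < best[1]):
            best = (brand, d)
    return best


if __name__ == "__main__":
    # Constructed DNS query sample; the defanged entries are the domains from the post.
    for d in ["amydlesk[.]com", "notlilon[.]co", "notliion[.]com",
              "anydesk.com", "notion.so", "example.org"]:
        print(f"{d:18} -> {typosquat_match(d) or 'no brand match'}")
```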

Multiple threat intelligence vendors tracked a significant rise in malicious domains serving MSIX payloads through SEO-poisoned results during 2023 and into 2024. The Cyber Security Information Sharing Partnership (CiSP), the UK government's joint industry-government initiative for sharing cyber threat information, provides alerts for exactly this type of emerging campaign IOC. Organisations in the legal and education sectors - the sectors targeted in the incident described in this post - can use the NCSC's Early Warning Service to receive alerts on newly identified malicious domains before they reach end users.

How Does the MSIX Installer Malware Campaign Work?

Domain and Hosting Infrastructure

When the identified sites were visited through any.run, only amydlesk[.]com and notliion[.]com accepted a connection. Both masquerade as anydesk.com, posing as the real site. Attempting to navigate to any other page returns a URL-not-found error; the exception is the help centre link, which redirects to the official AnyDesk website, adding a thin veneer of legitimacy.

The domain is hosted in the Russian Federation with the IP address 45[.]93[.]20[.]93, as confirmed on URLscan.io.

MSIX Download Delivery Chain

Clicking any download button on the site triggers a script that automatically initiates a download. Inspection of the network tab in Chrome DevTools shows a GET request sent to https[:]//amydlesk[.]com/download/dwnl[.]php, which redirects the download to https[:]//monkeybeta[.]com/build/AnyDesk-x86[.]msix.

Visiting monkeybeta[.]com/build directly returns an HTTP 403 Forbidden error, and the root domain contains no useful content - it functions solely as a hosting server for the malicious MSIX file.
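The two-step chain above (a PHP endpoint on the lure domain answering with a redirect to an MSIX file on a separate hosting server) is a pattern a proxy or NIDS can look for. The following is an added example, not code from the Precursor post: it flags that redirect shape in web-proxy logs. The log format is a constructed tab-separated export, and the sample lines are constructed using the post's defanged hosts.

```python
# Added example, not from the Precursor post: flag the PHP-to-MSIX redirect chain
# described above in web-proxy logs. The log format is a constructed tab-separated
# export (timestamp, client IP, method, URL, status, Location header or "-");
# adapt parse_line() to your proxy's real format.
from urllib.parse import urlparse

INSTALLER_EXTS = (".msix", ".msixbundle", ".appinstaller")


def parse_line(line: str) -> dict:
    ts, client, method, url, status, location = line.rstrip("\n").split("\t")
    return {"ts": ts, "client": client, "method": method, "url": url,
            "status": int(status), "location": None if location == "-" else location}


def is_redirect_to_installer(rec: dict) -> bool:
    """True for a 3xx from a .php endpoint whose Location points at an MSIX-family
    file on a different host: the dwnl.php -> monkeybeta.com pattern in the post.
    Legitimate vendors using a separate CDN host will also match; allow-list them."""
    if not (300 <= rec["status"] < 400 and rec["location"]):
        return False
    src, dst = urlparse(rec["url"]), urlparse(rec["location"])
    return (src.path.lower().endswith(".php")
            and dst.path.lower().endswith(INSTALLER_EXTS)
            and dst.hostname is not None
            and dst.hostname != src.hostname)


def find_chains(lines):
    """Return (client, php_url, installer_url) for each suspicious redirect."""
    return [(rec["client"], rec["url"], rec["location"])
            for rec in map(parse_line, lines) if is_redirect_to_installer(rec)]


# Constructed log lines; the hosts in the first two are the post's IOCs, refanged
SAMPLE_LOG = [
    "2024-07-10T09:14:02Z\t10.0.0.21\tGET\thttps://amydlesk.com/download/dwnl.php"
    "\t302\thttps://monkeybeta.com/build/AnyDesk-x86.msix",
    "2024-07-10T09:14:03Z\t10.0.0.21\tGET\thttps://monkeybeta.com/build/AnyDesk-x86.msix"
    "\t200\t-",
    "2024-07-10T09:20:11Z\t10.0.0.34\tGET\thttps://example.com/index.php"
    "\t302\thttps://example.com/home",
    "2024-07-10T09:21:45Z\t10.0.0.34\tGET\thttps://vendor.example/download.php"
    "\t302\thttps://vendor.example/files/App.msix",  # same host: not flagged
]

if __name__ == "__main__":
    for client, php_url, installer in find_chains(SAMPLE_LOG):
        print(f"{client}: {php_url} -> {installer}")
```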

Incident Response Case Study

In July 2024, the Precursor Incident Response team responded to a campaign targeting organisations in the education and legal sectors across Europe. The initial detection was made by the Precursor MDR team through a combination of threat intelligence feed matches on the typosquatted domains and Endpoint Detection and Response (EDR) alerts flagging anomalous MSIX installation activity on managed endpoints. From initial access to detection, elapsed time was measured in hours rather than days, enabled by continuous endpoint monitoring and proactive IOC matching.

During the investigation, Precursor resolved indicators of compromise (IOCs) across multiple domains, IP addresses, and file hashes associated with this campaign. Remediation steps included immediate endpoint isolation of affected devices, network-level blocking of the identified domains and IP (amydlesk[.]com, notlilon[.]co, notliion[.]com, 45[.]93[.]20[.]93, monkeybeta[.]com), and credential resets for accounts on affected endpoints. The payload recovered from the MSIX package was submitted for further analysis; the malware family is consistent with infostealer tooling commonly attributed to financially motivated campaigns of this type. No client-identifying information is included.

This case demonstrates that MSIX-delivered malware can reach endpoints in both professional services and education environments - sectors not traditionally considered high-priority targets for technically sophisticated delivery chains.

How Can SOC Teams Detect MSIX Installer Malware?

The following table summarises the detection layers available to SOC teams, the specific tooling in each layer, what each layer catches, and where the coverage gaps lie.

Detection Layer | Tooling | What It Catches | Limitation | How to Close the Gap
--- | --- | --- | --- | ---
EDR | CrowdStrike Falcon, SentinelOne, Microsoft Defender for Endpoint | Anomalous MSIX installation, child processes spawned by AppInstaller.exe, unauthorised file writes, suspicious process chains | May not flag MSIX installs if the package is validly signed; alert fatigue on high-volume endpoints | Pair with Sysmon for deeper process and network visibility
Sysmon | Microsoft Sysinternals Sysmon (free) | Process creation (Event ID 1), network connections (Event ID 3), file creation events (Event ID 11), DNS queries (Event ID 22) - covers MSIX execution, C2 beaconing, and dropped files | Requires manual configuration and ongoing tuning; generates high log volume | Forward Sysmon logs to SIEM for correlation; pair with threat intel feed for IOC matching
NIDS | Suricata, Snort, commercial IDS | Suspicious domain names, known malicious IP traffic, anomalous HTTP patterns including PHP-redirect download chains | Encrypted HTTPS traffic limits deep packet inspection; misses endpoint-only activity | Pair with NGFW TLS inspection and EDR for full coverage
NGFW | Palo Alto Networks, Fortinet FortiGate, Check Point | Blocks connections to known malicious domains and IPs; enforces application allow-lists; TLS inspection on egress | Blocks known-bad; misses newly registered typosquatted domains not yet on threat intel feeds | Integrate threat intelligence feed subscription for IOC-based blocking
Threat Intelligence Feed | CiSP (UK), sector ISACs (H-ISAC, FS-ISAC), commercial TI platforms (Recorded Future, Mandiant) | IOC enrichment (domains, IPs, hashes); early warning on emerging MSIX campaigns; malware family attribution | Time lag between campaign identification and IOC publication; feeds require integration and triage | Subscribe to sector-relevant sources; automate IOC import into SIEM and NGFW
OSINT / URLscan.io | URLscan.io, VirusTotal, any.run | Domain infrastructure, hosting location, HTTP behaviour, MSIX download chain visibility; sandbox execution analysis | Reactive - requires analyst investigation of a specific domain; not automated detection | Use as verification layer after an initial alert; automate URLscan.io submissions via API

EDR and Sysmon Monitoring

Endpoint Detection and Response (EDR) solutions provide the primary detection layer for MSIX installer malware. By continuously monitoring endpoint activities and scrutinising behaviour patterns, EDR can flag suspicious activities linked to MSIX files - unauthorised installations, file alterations, or unusual process executions originating from AppInstaller.exe.

Sysmon, a component of the Sysinternals suite, extends this visibility to system-level events. Configuring Sysmon to monitor four specific event IDs covers the primary artefacts generated by MSIX installer malware:

  • Event ID 1 - Process Create: Catches AppInstaller.exe spawning and any child processes launched by the MSIX payload post-install, including PowerShell or cmd.exe execution.
  • Event ID 3 - Network Connection: Catches C2 beaconing, download-cradle connections, and network activity initiated by the installed payload.
  • Event ID 11 - FileCreate: Catches the MSIX package being written to disk, payload files dropped post-install, and persistence artefacts such as LNK files placed in Startup folders.
  • Event ID 22 - DNSEvent: Catches DNS queries to C2 domains, malicious download hosts, and any domain contacted during or after MSIX execution - including typosquatted domains like those identified in this campaign.

Threat Intelligence Feed Integration

Proactively collecting and analysing threat intelligence sources strengthens detection capabilities. This involves gathering IOCs, malware signatures, and known attack patterns related to MSIX installer malware. UK organisations in the legal and education sectors - precisely the sectors targeted in the incident described in this post - should subscribe to the Cyber Security Information Sharing Partnership (CiSP), the NCSC's joint industry-government threat sharing platform. Healthcare organisations should use H-ISAC; financial services organisations FS-ISAC. These platforms distribute IOCs for exactly this class of campaign, often before the domains reach end users. Integrating feed outputs into SIEM rules and NGFW block lists closes the gap between campaign identification and network-level blocking.

Network Traffic Analysis and Blocking

Monitoring network traffic for IOCs associated with MSIX installer malware - suspicious domain names, IP addresses, and PHP-redirect download chains - aids in early detection and mitigation. Network Intrusion Detection Systems (NIDS) and next-generation firewalls (NGFWs) equipped with threat intelligence capabilities enable automatic identification and blocking of connections to known malicious domains or IP addresses. This layered approach reduces the detection gap for MSIX installer malware campaigns as delivery techniques evolve.

Recommended Actions and Detection Checklist

SOC teams and security leads who have read this analysis should act on the following before closing this tab:

  1. Block the identified IOCs immediately. Add the following to your NGFW deny list and SIEM watchlist: amydlesk[.]com, notlilon[.]co, notliion[.]com, 45[.]93[.]20[.]93, monkeybeta[.]com. If these domains are not yet present in your threat intelligence feed, submit them to your feed provider.
  2. Restrict or disable the ms-appinstaller protocol handler. Use Group Policy to disable the ms-appinstaller URI scheme on all managed Windows endpoints. Microsoft's recommended configuration is documented at https://docs.microsoft.com/en-us/windows/msix/desktop/custom-protocol-handler. This prevents the AppInstaller application from handling ms-appinstaller links, cutting off the primary delivery vector.
  3. Configure Sysmon Event IDs 1, 3, 11, and 22. If Sysmon is not deployed, deploy it. If it is deployed, confirm these four event IDs are enabled and forwarded to your SIEM. Alert on AppInstaller.exe spawning child processes (Event ID 1) and on DNS queries to newly registered or low-reputation domains (Event ID 22 with threat intel enrichment).
  4. Subscribe to a sector-relevant threat sharing platform. UK organisations should join CiSP (https://www.ncsc.gov.uk/section/keep-up-to-date/cisp) for early warning on emerging MSIX campaigns. Healthcare and financial services organisations should additionally subscribe to H-ISAC or FS-ISAC respectively.
  5. Run a tabletop exercise against the MSIX delivery chain. Test your IR playbook against the scenario described in this post: a user searches for a productivity application, clicks an SEO-poisoned result, and downloads and executes a malicious MSIX package. Confirm your EDR alerts fire, your NIDS or NGFW would have blocked the C2 connection, and your team can isolate the endpoint and extract IOCs within your target dwell-time threshold.
  6. Train users on SEO poisoning and typosquatting. Users searching for AnyDesk, Notion, Zoom, Teams, or any widely used productivity tool are the target persona for this campaign. Training should include a specific demonstration of how the top search result is not always the legitimate one, and should give users a clear reporting path when they are unsure about a download.
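The Sysmon coverage described in the EDR and Sysmon Monitoring section and the alerting in step 3 of the checklist can be expressed as a small set of rules. The following is an added example, not code from the Precursor post: it evaluates Event ID 1, 3, 11 and 22 records against the campaign's IOCs and the AppInstaller.exe parent check, then escalates a host on which more than one layer fires. The events are constructed (the AppInstaller.exe path uses a placeholder version), and in production they would be read from the SIEM rather than an inline list.

```python
# Added example, not from the Precursor post: Sysmon-based detection for the
# MSIX delivery chain (Event IDs 1, 3, 11, 22), run over constructed events.
# Field names follow Sysmon's schema; the IOC domains and IP are those published
# in the post. In production the events would come from the SIEM rather than an
# inline list, and the constructed paths below would be real process images.
import ntpath

IOC_DOMAINS = {d.replace("[.]", ".") for d in
               ["amydlesk[.]com", "notlilon[.]co", "notliion[.]com", "monkeybeta[.]com"]}
IOC_IPS = {"45[.]93[.]20[.]93".replace("[.]", ".")}


def basename(path: str) -> str:
    return ntpath.basename(path).lower()


def evaluate(event: dict):
    """Return (rule, detail) when one Sysmon event matches a rule, else None."""
    eid = event["EventID"]
    if eid == 1 and basename(event.get("ParentImage", "")) == "appinstaller.exe":
        return ("appinstaller_child", basename(event["Image"]))  # any child process
    if eid == 3 and event.get("DestinationIp") in IOC_IPS:
        return ("ioc_ip_connection", event["DestinationIp"])
    if eid == 11 and event.get("TargetFilename", "").lower().endswith(".msix"):
        return ("msix_written", basename(event["TargetFilename"]))
    if eid == 22 and event.get("QueryName", "").lower().rstrip(".") in IOC_DOMAINS:
        return ("ioc_dns_query", event["QueryName"])
    return None


def detect(events):
    """Group hits per host. Two or more distinct rules on one host escalate,
    because the chain touches the DNS, file, process and network layers."""
    per_host = {}
    for ev in events:
        hit = evaluate(ev)
        if hit:
            per_host.setdefault(ev["Computer"], []).append(hit)
    return {host: {"hits": hits, "escalate": len({r for r, _ in hits}) >= 2}
            for host, hits in per_host.items()}


CHROME = r"C:\Program Files\Google\Chrome\Application\chrome.exe"
PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
APPINST = r"C:\Program Files\WindowsApps\Microsoft.DesktopAppInstaller_<version>\AppInstaller.exe"

# Constructed sample mirroring the chain in the post (WS01) plus benign noise (WS02)
SAMPLE_EVENTS = [
    {"EventID": 22, "Computer": "WS01", "Image": CHROME, "QueryName": "amydlesk.com"},
    {"EventID": 11, "Computer": "WS01", "Image": CHROME,
     "TargetFilename": r"C:\Users\user\Downloads\AnyDesk-x86.msix"},
    {"EventID": 1, "Computer": "WS01", "Image": PS, "ParentImage": APPINST},
    {"EventID": 3, "Computer": "WS01", "Image": PS,
     "DestinationIp": "45.93.20.93", "DestinationPort": 443},
    {"EventID": 1, "Computer": "WS02", "Image": r"C:\Windows\System32\notepad.exe",
     "ParentImage": r"C:\Windows\explorer.exe"},
    {"EventID": 22, "Computer": "WS02", "Image": CHROME, "QueryName": "anydesk.com"},
]
```

Calling `detect(SAMPLE_EVENTS)` returns an escalated finding for WS01 with all four rules and nothing for WS02.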

Frequently Asked Questions

What is SEO poisoning malware?

SEO poisoning malware refers to attacks in which threat actors manipulate search engine rankings to place malicious websites above legitimate results for commonly searched software or services. When users click these results and download the offered file - often an MSIX installer - malware executes on their endpoint, frequently bypassing SmartScreen and browser-level download warnings. The technique is classified by MITRE ATT&CK as T1608.006.

How does MSIX installer malware work?

A malicious MSIX installer is a Microsoft Application Package file (.msix) that contains or delivers malware rather than legitimate software. In SEO poisoning campaigns, threat actors host these packages on attacker-controlled servers and direct download traffic to them via typosquatted domains. When a user executes the package, Windows App Installer processes it - and because packages can carry valid code-signing certificates, SmartScreen may not block the installation. Post-install, the payload typically drops an infostealer or remote access tool and establishes persistence.

How can SOC teams detect MSIX installer malware?

Detection requires layered controls. At the endpoint, EDR solutions and Sysmon (configured with Event IDs 1, 3, 11, and 22) provide visibility into AppInstaller.exe process creation, file writes, network connections, and DNS queries associated with MSIX execution. At the network layer, NIDS and NGFWs with threat intelligence feed integration block connections to known malicious domains and IPs. Proactive IOC matching via sector-relevant threat intelligence platforms - CiSP in the UK, H-ISAC or FS-ISAC for regulated sectors - provides the earliest warning, often before a domain reaches end users.

How can organisations prevent SEO poisoning attacks?

Preventive controls include: disabling or restricting the ms-appinstaller protocol handler via Group Policy; enforcing application allow-listing to block unapproved MSIX installations; training users to verify download sources rather than trusting the first search result; and subscribing to threat intelligence feeds that flag newly registered typosquatted domains. These controls reduce the attack surface for SEO poisoning malware delivery without impeding legitimate MSIX-packaged software.

What sectors are most at risk from MSIX malware campaigns?

While any organisation whose employees search for and download productivity software is at risk, the Precursor MDR team's July 2024 incident confirmed active targeting of the education and legal sectors in Europe. These sectors commonly use remote-access and collaboration tools - AnyDesk, Notion, Teams, Zoom - that are the most frequently impersonated lures in MSIX poisoning campaigns. Healthcare and financial services organisations are also at elevated risk given the high commercial value of their data to financially motivated threat actors.
