MITRE ATT&CK® Technique

T1553.005: Mark-of-the-Web Bypass

Adversaries may abuse specific file formats to subvert Mark-of-the-Web (MOTW) controls. In Windows, when files are downloaded from the Internet, they are tagged with a hidden NTFS Alternate Data Stream (ADS) named Zone.Identifier with a specific value known as the MOTW.[1] Files that are tagged with MOTW are protected and cannot perform certain actions. For example, starting in MS Office 10, if a MS Office file has the MOTW, it will open in Protected View. Executables tagged with the MOTW are processed by Windows Defender SmartScreen, which compares files with an allowlist of well-known executables. If the file is not known/trusted, SmartScreen will prevent the execution and warn the user not to run it.[2][3][4]

Adversaries may abuse container files such as compressed/archive (.arj, .gzip) and/or disk image (.iso, .vhd) file formats to deliver malicious payloads that may not be tagged with MOTW. Container files downloaded from the Internet will be marked with MOTW, but the files within may not inherit the MOTW after the container files are extracted and/or mounted. MOTW is an NTFS feature and many container formats do not support NTFS alternate data streams. After a container file is extracted and/or mounted, the files contained within it may be treated as local files on disk and run without protections.[2][3]

Domain: Enterprise | ID: T1553.005 | Type: Sub-technique | Object version 2.0
Glexia's Take

Analyst context for executives and security teams

Analyst confidence High

Mark-of-the-Web bypass matters because it can turn a normal Windows trust warning into a weak control point. If users receive archive or disk image files from the Internet, Windows may mark the outer container as Internet-originated, while files inside may run as if they are local and trusted. For leaders, the issue is not just malware delivery; it is whether endpoint, email, web, and execution-control programs can prove they still enforce trust decisions after files are extracted or mounted.

Executive priority

Prioritize this as a Windows defense-impairment risk where business processes depend on user-downloaded files, Office documents, archives, or disk images. Ask whether the organization can show evidence that MOTW-related protections, SmartScreen/Protected View behavior, and application control still work when content arrives inside containers. This is also useful audit evidence: controls should not only exist on paper, they should be validated against common file-handling paths that can strip or fail to propagate trust metadata.

Technical view

This is a Windows sub-technique under Subvert Trust Controls. ATT&CK describes abuse of formats such as compressed/archive files and disk images, including .arj, .gzip, .iso, and .vhd, where the container may have a Zone.Identifier alternate data stream but extracted or mounted contents may not inherit it. SOC and detection engineering teams should validate DET0257-style coverage for suspicious execution from container or disk-image contexts, compare MOTW presence on downloaded containers versus child files, and investigate process starts from mounted images or recently extracted Internet-sourced archives. ATT&CK provides no official detection text, so local validation is required.

Likely telemetry

  • Windows file metadata showing Zone.Identifier alternate data stream presence or absence on downloaded files and extracted contents
  • File download, email attachment, web proxy, or endpoint file creation records for archive and disk image formats
  • Archive extraction and disk image mount events where available
  • Process execution telemetry for binaries, scripts, or documents launched from mounted images or recently extracted directories
  • Windows Defender SmartScreen and Office Protected View related events where collected

Detection direction

  • Validate whether detection logic links Internet-sourced container files to subsequent extracted or mounted child-file execution.
  • Tune for execution from disk image mounts and recently extracted archive locations, while accounting for legitimate software distribution workflows that use ISO, VHD, or archive files.
  • Compare MOTW state across parent container and child files; a suspicious pattern is an Internet-marked container followed by child content without expected MOTW protections.
  • Use the related DET0257 detection strategy as the ATT&CK-linked detection reference, but do not assume coverage without testing against local telemetry.
  • Review blind spots in environments that do not collect ADS metadata, mount events, archive extraction context, or user file-origin data.

Mitigation priorities

  • Use execution prevention controls, aligned to M1038, to restrict unauthorized or untrusted code from running even when MOTW is absent or not inherited.
  • Reduce attack surface, aligned to M1042, by disabling or removing unnecessary software, features, or file handlers that enable risky container handling where business need is low.
  • Harden policy for handling Internet-delivered archives and disk images, especially where users routinely open attachments or downloads.
  • Validate Office Protected View, SmartScreen, application control, and script-blocking behavior against container-based delivery paths, not only direct file downloads.
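
The parent-versus-child MOTW comparison from the detection direction above, and the re-tagging mitigation, as an added PowerShell example that is not part of the MITRE object or Glexia's analysis. It assumes $Container is the downloaded archive or image and $ExtractDir is where its contents were extracted; both are placeholders supplied by the operator.

```powershell
# Added example (not MITRE or Glexia code): audit Mark-of-the-Web on a downloaded
# container and its extracted children, optionally re-applying the parent's zone.
# Usage (hypothetical script name): .\Audit-Motw.ps1 -Container C:\dl\pkg.iso -ExtractDir C:\dl\pkg -Propagate
param(
    [Parameter(Mandatory)] [string] $Container,   # placeholder: downloaded .iso/.vhd/.zip etc.
    [Parameter(Mandatory)] [string] $ExtractDir,  # placeholder: extraction/mount directory
    [switch] $Propagate                            # re-tag untagged children with parent ZoneId
)

# Read the Zone.Identifier ADS and return its ZoneId (3 = Internet), or $null if absent.
function Get-MotwZoneId {
    param([string] $Path)
    $stream = Get-Item -LiteralPath $Path -Stream 'Zone.Identifier' -ErrorAction SilentlyContinue
    if (-not $stream) { return $null }
    $body = Get-Content -LiteralPath $Path -Stream 'Zone.Identifier' -Raw
    # The stream is INI-style: [ZoneTransfer] / ZoneId=3 / optional ReferrerUrl and HostUrl
    if ($body -match '(?m)^ZoneId\s*=\s*(\d+)') { return [int] $Matches[1] }
    return $null
}

$parentZone = Get-MotwZoneId -Path $Container
if ($null -eq $parentZone) {
    Write-Warning "Container has no Zone.Identifier stream: $Container"
} else {
    Write-Host "Container ZoneId=$parentZone : $Container"
}

# Walk the extracted tree; an Internet-marked parent with untagged children is the
# suspicious pattern the detection direction describes.
$untagged = @()
foreach ($file in Get-ChildItem -LiteralPath $ExtractDir -Recurse -File) {
    $childZone = Get-MotwZoneId -Path $file.FullName
    if ($null -eq $childZone -and $null -ne $parentZone) {
        $untagged += $file.FullName
        Write-Host "MOTW not inherited: $($file.FullName)"
    }
}
Write-Host "$($untagged.Count) extracted file(s) lack Mark-of-the-Web."

# Mitigation: write the parent's zone onto untagged children so Protected View and
# SmartScreen evaluate them as Internet-sourced content.
if ($Propagate -and $null -ne $parentZone) {
    foreach ($f in $untagged) {
        Set-Content -LiteralPath $f -Stream 'Zone.Identifier' -Value "[ZoneTransfer]`r`nZoneId=$parentZone"
    }
}
```

Run it from the console as the user who downloaded the container; the Zone.Identifier stream is only present on NTFS volumes, so a missing stream on a non-NTFS extraction target is a collection gap rather than a bypass.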

Analyst notes and limits

ATT&CK relationships show use of this technique by APT29, APT38, TA505, QakBot, and Amadey, which makes it relevant across both state-linked and financially motivated contexts in ATT&CK. Treat those relationships as threat-informed prioritization signals, not as evidence of current activity in any specific environment.

The supplied ATT&CK object has no official detection text and is limited to Windows. The take is based on the official description, external references, and listed relationships only. Actual exposure and detection quality depend on local file-handling workflows, endpoint telemetry, application control policy, and whether MOTW/ADS evidence is collected.

View the same entry on attack.mitre.org (MITRE-hosted reference; in-page links above use the Glexia ATT&CK library.)

Glexia analysis

How security teams should use this page

Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.

ATT&CK relationship table

Related techniques

This mirrors the MITRE pattern of making group, software, campaign, and technique relationships scannable. Relationship notes come from mirrored ATT&CK relationship text when available.

1 row

Domain: Enterprise | ID: T1553 | Name: Subvert Trust Controls | Relationship / procedure: This object is a sub-technique of Subvert Trust Controls.
Associated objects

Groups, software, and campaigns

Group Enterprise

G0092: TA505

TA505 is a cyber criminal group that has been active since at least 2014. TA505 is known for frequently changing malware, driving global trends in criminal malware distribution, and ransomware campaigns involving Clop.[1][2][3][4][5]

Group Enterprise

G0082: APT38

APT38 is a North Korean state-sponsored threat group that specializes in financial cyber operations; it has been attributed to the Reconnaissance General Bureau.[1] Active since at least 2014, APT38 has targeted banks, financial institutions, casinos, cryptocurrency exchanges, SWIFT system endpoints, and ATMs in at least 38 countries worldwide. Significant operations include the 2016 Bank of Bangladesh heist, during which APT38 stole $81 million, as well as attacks against Bancomext [2] and Banco de Chile [2]; some of their attacks have been destructive.[1][2][3][4]

North Korean group definitions are known to have significant overlap, and some security researchers report all North Korean state-sponsored cyber activity under the name Lazarus Group instead of tracking clusters or subgroups.

Group Enterprise

G0016: APT29

APT29 is a threat group that has been attributed to Russia's Foreign Intelligence Service (SVR).[1][2] They have operated since at least 2008, often targeting government networks in Europe and NATO member countries, research institutes, and think tanks. APT29 reportedly compromised the Democratic National Committee starting in the summer of 2015.[3][4][5][6]

In April 2021, the US and UK governments attributed the SolarWinds Compromise to the SVR; public statements included citations to APT29, Cozy Bear, and The Dukes.[7][8] Industry reporting also referred to the actors involved in this campaign as UNC2452, NOBELIUM, StellarParticle, Dark Halo, and SolarStorm.[9][10][11][12][13][14]

Malware Enterprise

S0650: QakBot

QakBot is a modular banking trojan that has been used primarily by financially-motivated actors since at least 2007. QakBot is continuously maintained and developed and has evolved from an information stealer into a delivery agent for ransomware, most notably ProLock and Egregor.[1][2][3][4]

Platforms: Windows
Change history

Object version and sync metadata

The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE's own release notes and roadmap, see ATT&CK resources: Updates.

  • ATT&CK release: 19.1
  • Object version: 2.0
  • Created:
  • Modified:
  • Raw hash: b76eea2b7cf02185...

Imported snapshots across ATT&CK releases (1): release 19.1, object version 2.0, status current bundle, raw hash b76eea2b7cf0…
Raw source

Mirrored ATT&CK source object

The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.

Source references

External references and citations

MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.

  [1] Microsoft Zone.Identifier 2020: Microsoft. (2020, August 31). Zone.Identifier Stream Name. Retrieved February 22, 2021.
  [2] Beek Use of VHD Dec 2020: Beek, C. (2020, December 3). Investigating the Use of VHD Files By Cybercriminals. Retrieved November 17, 2024.
  [3] Outflank MotW 2020: Hegt, S. (2020, March 30). Mark-of-the-Web from a red team's perspective. Retrieved February 22, 2021.
  [4] Intezer Russian APT Dec 2020: Kennedy, J. (2020, December 9). A Zebra in Gopher's Clothing: Russian APT Uses COVID-19 Lures to Deliver Zebrocy. Retrieved February 22, 2021.
  [5] mitre-attack T1553.005: MITRE ATT&CK. T1553.005: Mark-of-the-Web Bypass.
Source and licensing

Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.