CVE-2022-41091 — Microsoft Windows Mark of the Web (MOTW) Security Feature Bypass Vulnerability

CVE-2022-41091

Microsoft Windows — MOTW Bypass via Crafted ZIP Enabling Malware Delivery Without SmartScreen Warnings

What is Mark of the Web (MOTW)?

Mark of the Web (MOTW) is a Windows convention in which the application that saves a file from the internet (a browser, a mail client, or anything using the Attachment Manager API) writes a Zone.Identifier alternate data stream (ADS) onto the NTFS file, recording the URL security zone it came from (ZoneId=3 for Internet). Windows components consult that stream rather than any download history: opening a tagged file triggers a SmartScreen reputation check, Office opens tagged documents in Protected View, and the shell warns before running tagged scripts or executables. The tag lives only on NTFS volumes and survives only if the copying or extracting program propagates it, so a bypass is any path that delivers a file to disk without the stream. Removing the tag silences every one of those prompts, which makes MOTW bypasses a force multiplier in malware delivery chains.

Overview

CVE-2022-41091 is a MOTW security feature bypass vulnerability in Windows. An attacker can craft a specially structured archive that causes Windows to fail to propagate the Zone.Identifier tag from the outer container to the files extracted from it. Those extracted files then open without SmartScreen warnings or Office Protected View, because Windows treats them as locally created. Microsoft's advisory flagged the vulnerability as exploited in the wild, and CISA added it to KEV on the same day as the November 2022 Patch Tuesday release. See also CVE-2022-41049, a related MOTW bypass patched in the same release.

Affected Versions

Product Vulnerable Fixed
Windows 10 (multiple versions) Yes November 2022 CU
Windows 11 Yes November 2022 CU
Windows Server 2016 – 2022 Yes November 2022 CU

Technical Details

The bypass exploits how the Windows shell propagates MOTW when extracting files from archives. When a downloaded archive carries a Zone.Identifier stream marking it as internet-sourced, Explorer's built-in extraction is supposed to write an equivalent stream onto every extracted file. A malformed or specially crafted archive causes that step to be skipped, leaving the extracted files with no MOTW tag. Note that propagation is always the extracting application's job: Explorer does it, PowerShell's Expand-Archive does not, and third-party tools such as 7-Zip added it only as an opt-in setting in mid-2022, so an environment should be checked for the tools its users actually extract with, not just for this CVE.

  • Delivery mechanism: Attacker distributes the crafted archive via email, web download, or other channels
  • Bypass effect: Extracted files have no Zone.Identifier ADS — Windows, SmartScreen, and Office treat them as locally created
  • User interaction required: Victim must download the archive, extract it, and open an extracted file; the bypass only removes the warning at that last step
  • Ransomware use: Confirmed — Magniber ransomware operators used ZIP-based MOTW bypasses extensively in 2022 to deliver ransomware payloads without SmartScreen prompts; QBot/Qakbot and other initial access brokers also incorporated MOTW bypass techniques in phishing campaigns
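The following PowerShell is an added example, not code from the page or from Microsoft, illustrating both the Zone.Identifier mechanism described in the MOTW section above and the audit a responder wants after the bypass described here: read a file's zone, find extracted files that carry no tag, and re-apply the tag. Function names are the author's own. It uses PowerShell's Expand-Archive only to produce untagged files on demand; Expand-Archive never propagates MOTW, so it is a stand-in for the post-bypass condition, not the vulnerable Explorer code path. Requires Windows with an NTFS volume and PowerShell 5.1 or later.

```powershell
# Added example (not from the page or Microsoft): audit files for a missing
# Mark of the Web and re-apply it. Function names are the author's own.
# Requires Windows (NTFS alternate data streams) and PowerShell 5.1+.

function Get-MotwZoneId {
    <# Returns the ZoneId from a file's Zone.Identifier stream, or $null if the
       file carries no MOTW. ZoneId 3 = Internet, 4 = Restricted. #>
    param([Parameter(Mandatory)][string]$Path)
    $stream = Get-Item -LiteralPath $Path -Stream Zone.Identifier -ErrorAction SilentlyContinue
    if (-not $stream) { return $null }
    $text = Get-Content -LiteralPath $Path -Stream Zone.Identifier -Raw
    if ($text -match '(?m)^ZoneId=(\d+)') { return [int]$Matches[1] }
    return $null   # stream present but malformed: treat as untagged
}

function Set-Motw {
    <# Writes an Internet-zone Zone.Identifier stream, the same stream the
       Attachment Manager writes for a browser download. #>
    param([Parameter(Mandatory)][string]$Path, [string]$HostUrl = 'about:internet')
    $body = "[ZoneTransfer]`r`nZoneId=3`r`nHostUrl=$HostUrl`r`n"
    Set-Content -LiteralPath $Path -Stream Zone.Identifier -Value $body -NoNewline
}

function Find-UntaggedExtracts {
    <# Lists files under $Dir that have no ZoneId, optionally re-tagging them.
       Run it against the extraction folder of an archive that itself carries
       MOTW: any untagged result is exactly the condition the bypass produces. #>
    param([Parameter(Mandatory)][string]$Dir, [switch]$Fix)
    Get-ChildItem -LiteralPath $Dir -File -Recurse | ForEach-Object {
        $zone = Get-MotwZoneId $_.FullName
        if ($null -eq $zone) {
            if ($Fix) { Set-Motw $_.FullName }
            $_.FullName
        }
    }
}

# --- demonstration on constructed data -------------------------------------
$work = Join-Path $env:TEMP ('motw-demo-' + [guid]::NewGuid())
New-Item -ItemType Directory -Path $work | Out-Null
$src = Join-Path $work 'invoice.js'
Set-Content -LiteralPath $src -Value 'WScript.Echo("harmless demo");'

$zip = Join-Path $work 'invoice.zip'
Compress-Archive -LiteralPath $src -DestinationPath $zip
Set-Motw $zip                                   # simulate a browser download of the ZIP
"ZIP zone: $(Get-MotwZoneId $zip)"

# Expand-Archive never copies the stream (it is not Explorer), so every
# extracted file comes out untagged. That makes it a convenient stand-in
# for the bypass condition here; it is not the vulnerable code path.
$out = Join-Path $work 'extracted'
Expand-Archive -LiteralPath $zip -DestinationPath $out
"Untagged after extraction:"; Find-UntaggedExtracts -Dir $out

"Re-tagging untagged files:"; Find-UntaggedExtracts -Dir $out -Fix | Out-Null
"Zone after fix: $(Get-MotwZoneId (Join-Path $out 'invoice.js'))"
```

Get-MotwZoneId deliberately treats a present-but-malformed stream as untagged, because SmartScreen and Office key off the ZoneId value, not the mere existence of the stream. Set-Motw writes ZoneId=3 without a ReferrerUrl; that is enough to restore SmartScreen and Protected View behaviour, and it is the same effect as copying a file from a browser download folder with Explorer.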

Discovery

Reported to Microsoft through coordinated disclosure. Exploitation was observed in the wild in ransomware delivery campaigns before the November 2022 patch shipped.

Exploitation Context

CISA added the CVE to KEV on patch day, one day before the NVD record was published; the gap is NVD ingestion timing, and the KEV entry itself reflects Microsoft's advisory marking the vulnerability as exploited. Magniber ransomware, a family primarily targeting South Korean users but observed globally, used crafted ZIP archives exploiting MOTW propagation failures to deliver payloads that ran without a Windows Defender SmartScreen prompt. QBot/Qakbot campaigns also adopted MOTW bypass techniques during this period to improve email payload delivery success rates. The CVSS 3.1 base score of 5.4 understates the real-world impact: a MOTW bypass removes the last user-facing warning before malware execution, and the score's Integrity: Low / Availability: Low components describe only the bypass itself, not the ransomware payload it enables.

Remediation

  1. Apply the November 2022 Patch Tuesday cumulative update for Windows
  2. Ensure both CVE-2022-41091 and CVE-2022-41049 are patched (same update cycle)
  3. Enable Microsoft Defender SmartScreen and cloud-delivered protection
  4. Configure email gateways to block or quarantine password-protected ZIP archives, which are commonly used to bypass antivirus scanning in MOTW bypass campaigns
  5. Consider Windows Defender Application Control (WDAC) or AppLocker rules that block unsigned scripts and executables, or execution from user-writable locations, since those controls do not depend on the MOTW tag at all
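The script below is an added example, not from the page or from Microsoft, that checks the posture items in steps 1 through 3 on a single host: whether the OS build is at or above the November 2022 cumulative update, whether an Attachment Manager policy has silently disabled MOTW tagging, and whether SmartScreen and Defender cloud-delivered protection are on. The minimum build numbers are the author's assumption of what the November 2022 updates shipped; confirm them against the Microsoft advisory for CVE-2022-41091 before relying on the result. Function names are the author's own. Run it in an elevated PowerShell session.

```powershell
# Added example (not from the page or Microsoft): host posture check for the
# remediation steps above. Build numbers below are the author's assumption of
# the November 2022 cumulative updates; verify against the Microsoft advisory.
# Function names are the author's own. Run elevated.

# Assumed minimum builds after the November 2022 CU, keyed by major build.
$MinPatchedBuild = @{
    14393 = [version]'14393.5501'   # Windows 10 1607 / Server 2016
    17763 = [version]'17763.3650'   # Windows 10 1809 / Server 2019
    19042 = [version]'19042.2251'   # Windows 10 20H2
    19043 = [version]'19043.2251'   # Windows 10 21H1
    19044 = [version]'19044.2251'   # Windows 10 21H2
    19045 = [version]'19045.2251'   # Windows 10 22H2
    20348 = [version]'20348.1249'   # Windows Server 2022
    22000 = [version]'22000.1219'   # Windows 11 21H2
    22621 = [version]'22621.819'    # Windows 11 22H2
}

function Get-OsBuild {
    # Returns <build>.<UBR> from the registry, e.g. 19045.2251. Comparing on
    # UBR handles supersession: any later CU is also "patched".
    $cv = Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion'
    return [version]('{0}.{1}' -f $cv.CurrentBuildNumber, $cv.UBR)
}

function Test-MotwPatchLevel {
    $build = Get-OsBuild
    $min = $MinPatchedBuild[$build.Major]
    if (-not $min) { return "unknown build $build; check the advisory manually" }
    if ($build -ge $min) { return "patched ($build >= $min)" }
    return "UNPATCHED ($build < $min)"
}

function Test-MotwPolicy {
    # SaveZoneInformation = 1 tells the Attachment Manager NOT to write
    # Zone.Identifier at all, which disables MOTW for every download on the box.
    $paths = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Attachments',
             'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\Attachments'
    foreach ($p in $paths) {
        $v = (Get-ItemProperty -Path $p -Name SaveZoneInformation -ErrorAction SilentlyContinue).SaveZoneInformation
        if ($v -eq 1) { return "MOTW tagging DISABLED by policy at $p" }
    }
    return 'MOTW tagging enabled'
}

function Test-SmartScreen {
    # Policy value wins over the per-machine Explorer setting.
    $pol = Get-ItemProperty 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\System' -ErrorAction SilentlyContinue
    $exp = Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer' -ErrorAction SilentlyContinue
    if ($pol.EnableSmartScreen -eq 1) { return "SmartScreen enforced by policy (level: $($pol.ShellSmartScreenLevel))" }
    if ($pol.EnableSmartScreen -eq 0) { return 'SmartScreen DISABLED by policy' }
    return "SmartScreen not policy-managed; Explorer setting: $($exp.SmartScreenEnabled)"
}

function Test-CloudProtection {
    # Get-MpPreference MAPSReporting: 0 = off, 1 = basic, 2 = advanced.
    $mp = Get-MpPreference -ErrorAction SilentlyContinue
    if (-not $mp) { return 'Defender cmdlets unavailable (third-party AV or feature removed)' }
    if ($mp.MAPSReporting -eq 0) { return 'Cloud-delivered protection OFF' }
    return "Cloud-delivered protection ON (MAPSReporting=$($mp.MAPSReporting))"
}

[pscustomobject]@{
    PatchLevel      = Test-MotwPatchLevel
    MotwPolicy      = Test-MotwPolicy
    SmartScreen     = Test-SmartScreen
    CloudProtection = Test-CloudProtection
}
```

The build comparison is preferred over Get-HotFix on a KB number because cumulative updates supersede each other and the November 2022 KB will not appear on a host that went straight to a later CU. The SaveZoneInformation check is the one most often missed: a hardening baseline or a helpdesk "fix" that sets it to 1 disables MOTW for every download, which is indistinguishable from this bypass to SmartScreen and Office.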

Key Details

Property Value
CVE ID CVE-2022-41091
Vendor / Product Microsoft — Windows
NVD Published 2022-11-09
NVD Last Modified 2025-10-30
CVSS 3.1 Score 5.4
CVSS 3.1 Vector CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:L
Severity MEDIUM
CISA KEV Added 2022-11-08
CISA KEV Deadline 2022-12-09
Known Ransomware Use ⚠️ Yes

CVSS 3.1 Breakdown

Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
Required
Scope
Unchanged
Confidentiality
None
Integrity
Low
Availability
Low

Required Action

CISA BOD 22-01 Deadline: 2022-12-09. Apply updates per vendor instructions.

Timeline

Date Event
2022-11-08 Microsoft patches CVE-2022-41091 in the November 2022 Patch Tuesday release; advisory marks it as exploited
2022-11-08 Added to CISA Known Exploited Vulnerabilities catalog (same day as the patch)
2022-11-09 NVD record published
2022-12-09 CISA BOD 22-01 remediation deadline