Attackers often understand how our systems are managed and monitored better than we do, and they study the best way to get into our networks. One more way they deploy malware into our networks is a process called sideloading. Sideloading is the installation of an app package onto a device from a source other than the platform’s official app store (on Windows, the Microsoft Store); the operating system allows it as long as the package is signed by a certificate the device trusts. Attackers exploit the process by convincing users that they are installing a trustworthy app when it actually carries a malicious payload.

Sophos recently blogged about an attack that attempted to trick Sophos staff with a targeted email and then used sideloading to install a custom application hosted on the Microsoft Store (now removed). The application would have installed malware and ransomware into a network. We’ve also seen attackers use Office 365 third-party applications to gain access to a network and steal key information. So, what options do you have to block and defend yourself from sideloading attacks?

Teach users to spot risks

First, end user education is a key way to keep your network secure. An appropriately paranoid end user will often stop, think, not click on something, and send the offending email to your help desk to review. I also recommend that you perform phishing simulations to see if your users are phishing aware.

Block sideloading attacks using Intune

You can block sideloading using Group Policy, registry settings, or Intune settings.
In Intune, set a Windows 10 device restriction policy with these steps:

1. In the Microsoft Endpoint Manager admin center, select “Devices”, then “Configuration profiles”, then “Create profile”.
2. In “Platform”, choose “Windows 10 and later”.
3. In “Profile”, select “Device restrictions” (or select “Templates” and then “Device restrictions”), then select “Create”.
4. In “Basics”, enter a descriptive name and a description for the policy so that you can track the setting. Select “Next”.
5. In “Configuration settings”, under the “App Store” group, find “Trusted app installation” and choose “Block” to prevent non-Microsoft Store applications from being installed on Windows 10 and 11. The options are:
   Not configured (default): Intune doesn’t change or update this setting.
   Block: Prevents sideloading. Non-Microsoft Store apps can’t be installed.
   Allow: Allows sideloading. Non-Microsoft Store apps can be installed.
   Select “Next”.
6. Define scope tags to better identify the platform you are managing and track where you are setting the policy. Select “Next”.
7. Choose assignments to select the users or groups that will receive this policy. Select “Next” and then “Review and create”.

Block sideloading attacks using Group Policy

You can also block sideloading attacks in Group Policy. Navigate to “Computer Configuration”, “Administrative Templates”, “Windows Components”, “App Package Deployment”, then set these two settings to Disabled:

- Allow development of Windows Store apps and installing them from an integrated development environment (IDE).
- Allow all trusted apps to install.
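The Group Policy and Intune settings above both end up as values under the Appx policy registry key. As an added example (not the article’s own code), the following PowerShell script writes those two values directly, audits the result, and inventories packages that are already sideloaded on the device so you can review them before you lock the door. It assumes an elevated prompt; the value name AllowDevelopmentWithoutDevLicense is the registry backing for the “Allow development of Windows Store apps…” policy, and the SignatureKind filter relies on the property exposed by Get-AppxPackage on Windows 10 and later.

```powershell
#Requires -RunAsAdministrator
# Added example: enforce and audit the App Package Deployment policies that block
# sideloading. Not the article's own code; assumes an elevated PowerShell session.

# Policy key written by Computer Configuration > Administrative Templates >
# Windows Components > App Package Deployment.
$PolicyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\Appx'

# Value name -> blocked value. REG_DWORD 0 corresponds to "Disabled" for both settings.
$Blocked = [ordered]@{
    AllowAllTrustedApps               = 0   # "Allow all trusted apps to install"
    AllowDevelopmentWithoutDevLicense = 0   # "Allow development of Windows Store apps ... (IDE)"
}

function Get-SideloadPolicyState {
    # Report each policy value and whether it currently blocks sideloading.
    foreach ($name in $Blocked.Keys) {
        $current = Get-ItemProperty -Path $PolicyKey -Name $name -ErrorAction SilentlyContinue |
                   Select-Object -ExpandProperty $name -ErrorAction SilentlyContinue
        [pscustomobject]@{
            Name    = $name
            Value   = if ($null -eq $current) { 'not configured' } else { $current }
            Blocked = ($current -eq 0)
        }
    }
}

function Set-SideloadBlocked {
    # Create the policy key if it is missing and write both values as REG_DWORD 0.
    if (-not (Test-Path $PolicyKey)) {
        New-Item -Path $PolicyKey -Force | Out-Null
    }
    foreach ($name in $Blocked.Keys) {
        New-ItemProperty -Path $PolicyKey -Name $name -PropertyType DWord `
                         -Value $Blocked[$name] -Force | Out-Null
    }
}

function Get-NonStorePackage {
    # Installed packages whose signature did not come from the Store.
    # SignatureKind is None, Developer, Enterprise, Store or System; Developer and
    # Enterprise are the sideloaded kinds. Framework packages are skipped as noise.
    Get-AppxPackage -AllUsers |
        Where-Object { $_.SignatureKind -in 'Developer', 'Enterprise' -and -not $_.IsFramework } |
        Select-Object Name, Publisher, Version, SignatureKind, PackageFullName
}

Write-Host 'Policy state before:'
Get-SideloadPolicyState | Format-Table -AutoSize

Set-SideloadBlocked

Write-Host 'Policy state after:'
Get-SideloadPolicyState | Format-Table -AutoSize

Write-Host 'Packages already sideloaded on this device (review these):'
Get-NonStorePackage | Format-Table -AutoSize
```

Two caveats. A domain GPO or an Intune “Trusted app installation: Block” policy targeting the same device will overwrite a manual registry edit at the next policy refresh, so treat the script as an audit or break-glass tool rather than a substitute for central policy. And these settings govern Appx/MSIX packages only; they do nothing against a classic .exe or .msi installer, which needs AppLocker or Windows Defender Application Control.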
Figure: Disable “Allow all trusted apps to install” (Susan Bradley)

Disabling these policies ensures that malicious sideloaded packages can’t be snuck onto the platform. Note that this does not affect applications installed from the Microsoft Store itself; what it blocks is any package installed outside the Store, including legitimate line-of-business apps that you deploy yourself, so you may need to enable the setting while deploying such an app and disable it again afterwards.

Block sideloading attacks using a registry key

To block sideloading via the registry, open HKEY_LOCAL_MACHINE and navigate to SOFTWARE\Policies\Microsoft\Windows\Appx. Set the AllowAllTrustedApps value to a DWORD of 0 to block sideloading:

Registry Hive:   HKEY_LOCAL_MACHINE
Registry Path:   SOFTWARE\Policies\Microsoft\Windows\Appx
Value Name:      AllowAllTrustedApps
Value Type:      REG_DWORD
Enabled Value:   1
Disabled Value:  0

Preventing sideloading attacks in Office 365

I’ve also seen reports that Office 365 third-party applications have been used to obtain more rights in the network or steal information from a network. I strongly recommend reviewing the policy setting for “Manage user consent to apps in Microsoft 365” and setting up an admin approval flow so that any user who either requests access to an application or inadvertently allows third-party application access has to go through an administrative approval process.

In the Admin Center, select in order: “Settings”, “Org settings”, “Services page”, “User consent to apps”, “Turn user consent on or off”.

You may wish to delegate rights to approve such requests to certain users. While the approval can come from a global administrator, that might not be feasible in a larger network. 
The approvals can also go to a cloud application administrator or application administrator.

To set up approval rights, follow these steps:

1. Sign into the Azure portal as a global administrator.
2. Select “All services” at the top of the left navigation menu.
3. In the Azure Active Directory Extension filter search box, type “Azure Active Directory” and select the Azure Active Directory item.
4. From the navigation menu, select “Enterprise applications”.
5. Under “Manage”, select “User settings”.
6. Under “Admin consent requests”, set “Users can request admin consent to apps they are unable to consent to” to “Yes”.
7. Select the users who will review admin consent requests for this workflow. Reviewers must hold the global administrator, cloud application administrator, or application administrator role, and you must designate at least one reviewer before the workflow can be turned on. Merely selecting a username does not elevate that user; grant the role separately or the reviewer assignment will not take effect.
8. Enable or disable email notifications to the reviewers when a request is made.
9. Enable or disable reminder email notifications to the reviewers when a request is about to expire.
10. Set the number of days after which a consent request expires.

The users in the reviewer role should be trained to act on these requests in a reasonable time frame. Keep in mind that the workflow only routes requests for apps a user cannot consent to on their own; if user consent is still switched on, a user can grant the app access directly and no request is ever generated, so turn user consent off (or restrict it to verified publishers and low-impact permissions) before relying on the approval flow.

Attackers know that users often install applications. Ensure that your network settings protect your network from such entry processes. Then “patch” your humans and train them to be more aware of these attack techniques.
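The same two settings, turning user consent off and enabling the admin consent request workflow, can be applied through Microsoft Graph instead of clicking through the portal, which is handy when you manage several tenants or want the configuration in version control. The script below is an added example, not the article’s own, and assumes the Microsoft.Graph PowerShell SDK is installed and that the signed-in account can grant the Policy.ReadWrite.Authorization, Policy.ReadWrite.ConsentRequest and User.Read.All scopes; the reviewer UPN is a placeholder.

```powershell
# Added example: disable user consent and enable the admin consent request workflow
# via Microsoft Graph. Not the article's own code. Assumes the Microsoft.Graph SDK
# (Install-Module Microsoft.Graph) and an account allowed to grant the scopes below.

Import-Module Microsoft.Graph.Authentication

# Placeholder reviewer (assumption): must already hold Application Administrator,
# Cloud Application Administrator or Global Administrator. The policy does not
# grant the role, as the article notes.
$ReviewerUpn = 'appadmin@contoso.example'

Connect-MgGraph -Scopes 'Policy.ReadWrite.Authorization',
                        'Policy.ReadWrite.ConsentRequest',
                        'User.Read.All' | Out-Null

# 1. Turn user consent off: an empty list of permission grant policies means no
#    user may consent to any application on their own.
$authzBody = @{
    defaultUserRolePermissions = @{ permissionGrantPoliciesAssigned = @() }
}
Invoke-MgGraphRequest -Method PATCH `
    -Uri 'https://graph.microsoft.com/v1.0/policies/authorizationPolicy' `
    -Body $authzBody -ContentType 'application/json'

# 2. Resolve the reviewer's object id; the policy refers to reviewers by directory query.
$reviewer = Invoke-MgGraphRequest -Method GET `
    -Uri "https://graph.microsoft.com/v1.0/users/$ReviewerUpn"

# 3. Enable the admin consent request workflow. The resource is a singleton; PUT
#    replaces it wholesale, so every property is stated explicitly.
$consentPolicy = @{
    isEnabled             = $true   # users can request admin consent
    notifyReviewers       = $true   # email reviewers when a request arrives
    remindersEnabled      = $true   # email reviewers before a request expires
    requestDurationInDays = 30      # requests expire after this many days
    reviewers             = @(
        @{ query = "/users/$($reviewer.id)"; queryType = 'MicrosoftGraph' }
    )
}
Invoke-MgGraphRequest -Method PUT `
    -Uri 'https://graph.microsoft.com/v1.0/policies/adminConsentRequestPolicy' `
    -Body $consentPolicy -ContentType 'application/json'

# 4. Read both policies back and fail loudly if the tenant is not in the expected state.
$authz   = Invoke-MgGraphRequest -Method GET -Uri 'https://graph.microsoft.com/v1.0/policies/authorizationPolicy'
$consent = Invoke-MgGraphRequest -Method GET -Uri 'https://graph.microsoft.com/v1.0/policies/adminConsentRequestPolicy'

if ($authz.defaultUserRolePermissions.permissionGrantPoliciesAssigned.Count -ne 0) {
    throw 'User consent is still enabled.'
}
if (-not $consent.isEnabled -or $consent.reviewers.Count -lt 1) {
    throw 'Admin consent workflow is not enabled or has no reviewers.'
}
"User consent disabled; admin consent workflow enabled with reviewers: $($consent.reviewers.query -join ', ')"
```

If you would rather allow low-risk self-service consent for apps from verified publishers, set permissionGrantPoliciesAssigned to the built-in policy for that (ManagePermissionGrantsForSelf.microsoft-user-default-low) instead of an empty list; everything else in the script stays the same.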