Mark of the Web

The Mark of the Web (MoTW) is an identifier used by Microsoft Windows to mark files downloaded from the Internet as potentially unsafe. It is implemented as an NTFS Zone.Identifier alternate data stream (ADS) containing an identifier element which indicates (with the "Mark") that a file saved on a computer could contain harmful or malicious content because it was downloaded from an external source ("the Web").

The Mark of the Web can also be added as an HTML comment inserted by a web browser when downloading an HTML document from the Internet, noting the URL the document was saved from.

Effects
Because it is a feature of NTFS, the Mark of the Web only affects files opened on computers running the Microsoft Windows operating system. Windows warns a user running a Web-marked executable file that it had been downloaded from the Internet and could be harmful; the user can opt either to continue or cancel execution. Unless overridden by user action the mark prevents macros from running in Microsoft Office files. Visual Studio projects created with Web-marked files cannot be built or executed.

Some archiving software propagates the MoTW from the archive itself to files extracted from it, preventing its security protection being bypassed by malware distributed within an archive.

Bypasses
There have been Windows vulnerabilities, some of which have been corrected by a patch, that allow the Mark of the Web to be bypassed by malicious actors. CVE-2022-41091 was added to the National Vulnerability Database on November 8, 2022, and refers to the now patched ability of a malicious actor to avoid files downloaded from the Internet being Web-marked. Other vulnerabilities (CVE-2022-44698, patched in December 2022; CVE-2023-36584, patched in October 2023) allowed malicious actors to bypass the restrictions of the mark without removing it.

An attacker may also use social engineering to convince a target user to unblock the file by right-clicking it and changing the file properties.