A few days ago, during an intel-sources monitoring operation, the Cybaze-Yoroi ZLAB team encountered an interesting Office document containing some peculiarities that required deeper analysis: its payload includes techniques suitable for bypassing modern Microsoft security mechanisms such as AppLocker, the application-whitelisting feature in place on well-configured Windows systems, and the newer Antimalware Scan Interface (AMSI), a vendor-agnostic security interface that lets antivirus engines inspect running scripts, macro code and even in-memory buffers, designed to tackle obfuscation and file-less threats.

https://blog.yoroi.company/research/the-document-that-eluded-applocker-and-amsi/