Spin Technology announced the next generation of SpinOne, an AI-powered ransomware and backup solution for Google Workspace and Office 365. In the last year alone, 51 percent of organizations were targeted by ransomware, and cybersecurity continues to be a top concern for business leaders.
Including advanced new security features, a completely redesigned user interface, and improved platform functionality, the latest version of SpinOne will help organizations better protect against ransomware attacks in the cloud.
Over the last seven months, cloud adoption has accelerated as the number of remote workers spiked dramatically due to the COVID-19 pandemic. This increased reliance on the cloud has resulted in more ransomware attacks on public cloud and SaaS services. In fact, according to a recent report, six in ten successful attacks include data in the public cloud.
SpinOne offers industry-leading ransomware protection for G Suite and Microsoft 365, backup capabilities, and application management.
“As organizations add additional cloud services, they need solutions that are simple to deploy and manage. These updates make it even easier for IT and security professionals to protect their employees from the risks associated with ransomware, all while allowing them to scale the SpinOne platform over time,” said Dmitry Dontov, Chief Executive Officer.
“As G Suite shifts to Google Workspace, SpinOne continues to protect your organization’s data against ransomware and now includes additional summaries that explain the levels of risk and required action. In addition, we’ve enhanced our cloud monitoring capabilities and introduced advanced auditing.”
Comprehensive new security summaries
- From the dashboard view, an admin can now quickly scan their Google Workspace environment, including what security incidents have occurred to their data.
- Each data feed is summarized in a widget outlining security incidents, incident history, account summary, and more.
- Google Workspace has various ongoing activities operating within it, and SpinOne Cloud Monitor now provides a comprehensive overview of all actions, including Data Sharing, Application Installed, and Drive File Deleted.
- SpinOne now includes six additional cloud monitoring capabilities, detailing the admin activities within the SpinOne platform.
- The Cloud Monitor Incident Report details actions from users that exceed the rules set by Admins in their policies.
- SpinOne now expands its monitoring of OAuth access, including Android, Native, iOS.
- Historical risk scoring reviews are now expanded, and organizations can review an add-on’s risk over time.
Enhancements to backup and recovery
- Users and Groups are now separated in the new SpinOne.
- APIs are now available for major third-party applications.
Microsoft 365 is used by over a billion users worldwide, so attackers are naturally deeply invested in compromising its security. One of the ways of making sure this suite of products is as secure as possible is a bug bounty program.
During an upcoming presentation at HITB CyberWeek 2020, Ashar Javed, a security engineer at Hyundai AutoEver Europe, will share stories from his journey towards discovering 365 valid bugs in Microsoft Office 365. We took this opportunity to ask him about his work.
What are some of the most surprising findings of your bug hunting endeavor with Microsoft Office 365?
I found literally hundreds of bugs in Office 365 but my favourites are All your Power Apps Portals belong to us and Cross-tenant privacy leak in Office 365. In the former, I was able to control the Power Portal sites via Insecure Direct Object Reference (IDOR), while in the latter, as an attacker you can reveal the Lync (Skype for Business) status in a cross-tenant manner. An attacker could see that a particular user is online or "be right back" and at the same time can also reveal the custom location set by the victim.
How would you rate Microsoft Office 365 security in general?
Finding a bug in Microsoft 365 is a challenging task given Microsoft follows a Security Development Lifecycle. Furthermore, Office 365 receives a third-party vulnerability assessment every year.
Microsoft has a public bug bounty program for Office 365 open to anyone, so you could say security is built into the heart of Office 365.
What type of bugs did you find? What was the severity of the discovered issues?
I found all sorts of bugs ranging from a simple rate limiting issue to a critical SQLi in Dynamics 365. Further, I found hundreds of XSS issues in SharePoint. I also reported dozens of XSS issues in Outlook. Furthermore, I also found privilege escalation, SSRF and CSRF.
When it comes to the severity of the discovered bugs, it varies from a low severity issue to a critical one. Most of my bugs were rated high by Microsoft.
What’s your take on modern bug hunting in general? Do you work on your own or use a service for disclosure?
Bug hunting is still in early ages as a field. I would call it an amateur field where both parties (a bug hunter and a bug receiver) are learning.
Today’s hostile web environment makes it imperative for organizations to boost their security, and allowing bug hunters to inspect products is a win-win situation for both parties.
When it comes to my work, I directly report security issues to Microsoft instead of reporting via a service.
Vectra released its report on Microsoft Office 365, which highlights the use of Office 365 in enterprise cyberattacks. The report explains how cybercriminals use built-in Office 365 services in their attacks.
Attacks that target software-as-a-service (SaaS) user accounts are one of the fastest-growing and most prevalent problems for organizations, even before COVID-19 forced the vast and rapid shift to remote work.
Microsoft dominating the productivity space
With many organizations increasing their cloud software usage, Microsoft has dominated the productivity space, with more than 250 million active users each month. Office 365 is the foundation of enterprise data sharing, storage, and communication for many of those users, making it an incredibly rich treasure trove for attackers.
“Within the new work-from-home paradigm, user account takeover in Office 365 is the most effective way for an attacker to move laterally inside an organization’s network,” said Chris Morales, head of security analytics at Vectra.
“We expect this trend to magnify in the months ahead. Attackers will continue to exploit human behaviours, social engineering, and identity theft to establish a foothold and to steal data in every type of organization.”
Cost of account takeovers
Even with the increasing adoption of security postures to protect user accounts such as multifactor authentication (MFA), 40 percent of organizations still suffer from Office 365 breaches, leading to massive financial and reputational losses.
In a recent study, Forrester Research put the cost of account takeovers at $6.5 billion to $7 billion in annual losses across multiple industries.
Highlights from the report
- 96 percent of customers sampled exhibited lateral movement behaviours
- 71 percent of customers sampled exhibited suspicious Office 365 Power Automate behaviours
- 56 percent of customers sampled exhibited suspicious Office 365 eDiscovery behaviours
The report is based on the participation of 4 million Microsoft Office 365 accounts monitored by Vectra researchers from June-August 2020.
More and more security professionals are realizing that it’s impossible to fully secure a Windows machine – with all its legacy components and millions of potentially vulnerable lines of code – from within the OS. With attacks becoming more sophisticated than ever, hypervisor-based security, from below the OS, becomes a necessity.
Unlike modern OS kernels, hypervisors are designed for a very specific task. Their code base is usually small, well reviewed and well tested, which makes them very hard to exploit. Because of that, the world trusts modern hypervisors to run servers, containers and other workloads in the cloud, which sometimes run side by side on the same physical server with complete separation and isolation. For the same reason, companies are now leveraging this trusted technology to bring hardware-enforced isolation to the endpoint.
Microsoft Defender Application Guard
Microsoft Defender Application Guard (previously known as Windows Defender Application Guard, or just WDAG), brings hypervisor-based isolation to Microsoft Edge and Microsoft Office applications.
It allows administrators to apply policies that force untrusted web sites and documents to be opened in isolated Hyper-V containers, completely separating potential malware from the host OS. Malware running in such containers won’t be able to access and exfiltrate sensitive files such as corporate documents or the users’ corporate credentials, cookies, or tokens.
With Application Guard for Edge, when a user opens a web site that was not added to the allow-list, he is automatically redirected to a new isolated instance of Edge, continuing the session there. This isolated instance of Edge provides another, much stronger, sandboxing layer to cope with web threats. If allowed by the administrator, files downloaded during that session can be accessed later from the host OS.
With Application Guard for Office, when a user opens an unknown document, maybe downloaded from the internet or opened as an email attachment, the document is automatically opened in an isolated instance of Office.
Until now, such documents would be opened in “protected view”, a special mode that eliminates the threat from scripts and macros by disabling embedded code execution. Unfortunately, this mode sometimes breaks legitimate files, such as spreadsheets that contain harmless macros. It also prevents users from editing documents.
Many users blindly disable the “protected view” mode to enable editing, thereby allowing malware to execute on the device. With Application Guard for Office, users don’t compromise security (the malware is trapped inside the isolated container) or productivity (the document is fully functional and editable inside the container).
In both cases, the container is spawned instantly, with minimal CPU, memory, and disk footprints. Unlike traditional virtual machines, IT administrators don’t need to manage the underlying OS inside the container. Instead, it’s built out of existing Windows system binaries that remain patched as long as the host OS is up to date. Microsoft has also introduced new virtual GPU capabilities, allowing software running inside the container to be hardware-GPU accelerated. With all these optimizations, Edge and Office running inside the container feel fast and responsive, almost as if they were running without an additional virtualization layer.
The missing compatibility
While Application Guard works well with Edge and Office, it doesn’t support other applications. Edge will always be the browser running inside the container. That means, for example, no Google account synchronization, something that many users probably want.
What about downloaded applications? Applications are not allowed to run inside the container. (The container hardening contains some WDAC policies that allow only specific apps to execute.) That means that users can execute those potentially malicious applications on the host OS only.
Administrators who don’t allow unknown apps on the host OS might reduce users’ productivity and increase frustration. This is probably more prominent today, with so many people working from home and using a new wave of modern collaboration tools and video conferencing applications.
Users who are invited to external meetings sometimes need to download and run a client that may be blocked by the organization on the host OS. Unfortunately, it’s not possible to run the client inside the container either, and the users need to look for other solutions.
And what about non-Office documents? Though Office documents are protected, non-Office documents aren’t. Users sometimes use various other applications to create and edit documents, such as Adobe Acrobat and Photoshop, Autodesk AutoCAD, and many others. Application Guard won’t help to protect the host OS from such documents that are received over email or downloaded from the internet.
Even with Office alone, there might be problems. Many organizations use Office add-ons to customize and streamline the end-user experience. These add-ons may integrate with other local or online applications to provide additional functionality. As Application Guard runs a vanilla Office without any customizations, these add-ons won’t be able to run inside the container.
The missing manageability
Configuring Application Guard is not easy. First, while Application Guard for Edge technically works on both Windows Pro and Windows Enterprise, only on Windows Enterprise is it possible to configure it to kick in automatically for untrusted websites. For non-technical users, that makes Application Guard almost useless in the eyes of their IT administrators, as those users have to launch it manually every time they consider a website to be untrusted. That’s a lot of room for human error. Even if all the devices are running Windows Enterprise, it’s not a walk in the park for administrators.
For the networking isolation configuration, administrators have to provide a manual list of comma-separated IPs and domain names. It’s not possible to integrate with your already fully configured web-proxy. It’s also not possible to integrate with category-based filtering systems that you might also have. Aside from the additional system to manage, there is no convenient UI or advanced capabilities (such as automatic filtering based on categories) to use. To make it work with Chrome or Firefox, administrators also need to perform additional configurations, such as delivering browser extensions.
This is not a turnkey solution for administrators and it requires messing with multiple configurations and GPOs until it works.
In addition, other management capabilities are very limited. For example, while admins can define whether clipboard operations (copy+paste) are allowed between the host and the container, it’s not possible to allow these operations only one way and not the other. It’s also not possible to allow certain content types such as text and images, while blocking others, such as binary files.
OS customizations and additional software bundlings such as Edge extensions and Office add-ins are not available either.
While Office files are opened automatically in Application Guard, other file types aren’t. Administrators that would like to use Edge as a secure and isolated PDF viewer, for example, can’t configure that.
The missing security
As stated before, Application Guard doesn’t protect against malicious files that were mistakenly categorized as safe by the user. The user might securely download a malicious file in his isolated Edge but then choose to execute it on the host OS. He might also mistakenly categorize an untrusted document as a corporate one, to have it opened on the host OS. Malware could easily infect the host due to such user errors.
Another potential threat comes from the networking side. While malware getting into the container is isolated in some aspects such as memory (it can’t inject itself into processes running on the host) and filesystem (it can’t replace files on the host with infected copies), it’s not fully isolated on the networking side.
Application Guard containers leverage the Windows Internet Connection Sharing (ICS) feature, to fully share networking with the host. That means that malware running inside the container might be able to attack some sensitive corporate resources that are accessible by the host (e.g., databases and data centers) by exploiting network vulnerabilities.
While Application Guard tries to isolate web and document threats, it doesn’t provide isolation in other areas. As mentioned before, Application Guard can’t isolate non-Microsoft applications that the organization chooses to use but not trust. Video conferencing applications, for example, have been exploited in the past and usually don’t require access to corporate data – it’s much safer to execute these in an isolated container.
External device handling is another risky area. Think of CVE-2016-0133, which allowed attackers to execute malicious code in the Windows kernel simply by plugging a USB thumb drive into the victim’s laptop. Isolating unknown USB devices can stop such attacks.
The missing holistic solution
Wouldn’t it be great if users could easily open any risky document in an isolated environment, e.g., through a context menu? Or if administrators could configure any risky website, document, or application to be automatically transferred and opened in an isolated environment? And maybe also to have corporate websites to be automatically opened back on the host OS, to avoid mixing sensitive information and corporate credentials with non-corporate work?
How about automatically attaching risky USB devices to the container, e.g., personal thumb drives, to reduce chances of infecting the host OS? And what if all that could be easy for administrators to deploy and manage, as a turn-key solution in the cloud?
Phishers are impersonating companies’ IT support teams and sending fake VPN configuration change notifications in the hope that remote employees may be tricked into providing their Office 365 login credentials.
Yet another Office 365 phishing campaign
“The sender email address is spoofed to impersonate the domain of the targets’ respective organizations. The link provided in the email allegedly directs to a new VPN configuration for home access. Though the link appears to be related to the target’s company, the hyperlink actually directs to an Office 365 credential phishing website,” Abnormal Security explained.
The phishers are betting on the high possibility that the recipients are working from home and need to use a VPN for work-related tasks. They hope the targets will be concerned about the possibility of losing access to company resources and that this concern will override their good sense and anti-phishing training.
The original email headers show that the email has not been sent from the recipients’ organization, but the sender email has been spoofed to say it has.
The phishing Office 365 login page is hosted on a Microsoft .NET platform, with a valid Microsoft certificate, which might be enough to fool some targets.
“Numerous versions of this attack have been seen across different clients, from different sender emails and originating from different IP addresses. However, the same payload link was employed by all of these attacks, implying that these were sent by a single attacker that controls the phishing website,” the researchers noted.
“Should the recipient fall victim to this attack, the user’s credentials would be compromised. Information available with the user’s Microsoft credentials via single sign-on is at risk as well.”
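The header check described above, as an added example written for this page (not Abnormal Security's tooling): it parses a constructed message whose visible From: carries the target organization's domain while the envelope sender, the SPF/DMARC results and the link in the body all point elsewhere. The domains, IP address and header values are constructed sample data.

```python
"""Flag a message whose From: domain is spoofed to look like the recipient's own organization."""
import re
from email import policy
from email.parser import BytesParser
from email.utils import parseaddr

# Constructed sample: the visible From: claims example.com, but the envelope sender
# (Return-Path), the relaying host and the authentication results say otherwise.
SAMPLE_EMAIL = b"""\
Return-Path: <bounce@mailer-relay.example.net>
Authentication-Results: mx.example.com; spf=fail smtp.mailfrom=mailer-relay.example.net; dmarc=fail header.from=example.com
Received: from mailer-relay.example.net (mailer-relay.example.net [203.0.113.10]) by mx.example.com with ESMTP
From: IT Support <it-support@example.com>
To: alice@example.com
Subject: Action required: new VPN configuration for home access

Your VPN configuration has changed. Sign in to apply the new settings:
https://vpn-config.example.net/login
"""


def domain_of(addr):
    """Return the lower-cased domain part of an address header value ('' if absent)."""
    if not addr:
        return ""
    _, email_addr = parseaddr(str(addr))
    return email_addr.rpartition("@")[2].lower()


def analyze(raw, org_domain):
    """Return a list of human-readable findings for one raw RFC 5322 message."""
    msg = BytesParser(policy=policy.default).parsebytes(raw)
    org_domain = org_domain.lower()
    findings = []

    # 1. Visible From: uses our domain, but the envelope sender does not.
    from_domain = domain_of(msg["From"])
    rp_domain = domain_of(msg["Return-Path"])
    if from_domain == org_domain and rp_domain and rp_domain != from_domain:
        findings.append(f"From: claims {from_domain} but envelope sender is {rp_domain}")

    # 2. Our own MX recorded an SPF/DKIM/DMARC failure for the claimed domain.
    auth = str(msg.get("Authentication-Results", ""))
    for mech in ("spf", "dkim", "dmarc"):
        m = re.search(rf"\b{mech}=(\w+)", auth)
        if m and m.group(1).lower() in ("fail", "softfail"):
            findings.append(f"{mech} result is {m.group(1)}")

    # 3. The call to action links to a host outside the organization.
    body = msg.get_body(preferencelist=("plain",)).get_content()
    for host in re.findall(r"https?://([^/\s]+)", body):
        host = host.lower()
        if not (host == org_domain or host.endswith("." + org_domain)):
            findings.append(f"link host {host} is outside {org_domain}")
    return findings


if __name__ == "__main__":
    for finding in analyze(SAMPLE_EMAIL, "example.com"):
        print("-", finding)
```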
Phishers are trying to bypass the multi-factor authentication (MFA) protection on users’ Office 365 accounts by tricking them into granting permissions to a rogue application.
The app allows attackers to access and modify the contents of the victim’s account, but also to retain that access indefinitely, Cofense researchers warn.
The attack starts with an invitation email that directs potential victims to a file hosted on Microsoft SharePoint (a web-based collaborative platform that integrates with Microsoft Office).
The name of the document implies that the email recipient will get a bonus on their salary for Q1 2019.
Users who follow the link will land on a legitimate Microsoft Office 365 login page, but only those careful enough to check the URL might see something out of the ordinary – and only if they know what to look for:
The long URL holds a number of parameters that, “translated”, show that by entering the login credentials and pressing the login button, the user will “ask” the Microsoft Identity Platform for an ID token and an authorization code, which will be sent to a domain masquerading as a legitimate Office 365 entity (hxxps://officehnoc[.]com/office).
It also shows that the app for which the request is made will gain permission to access the victim’s account, read and modify its contents (documents, files) and use associated resources, access and use the victim’s contacts, and prolong that access indefinitely.
How? The aforementioned authorization code is exchanged for an access token that is presented by the rogue application to Microsoft Graph, which will authorize its access.
How can attackers bypass MFA protection on Office 365?
“Applications that want to access Office 365 data on behalf of a user do so through Microsoft Graph authorizations. However, they must first obtain an access token from the Microsoft Identity Platform,” Cofense researchers explained.
“This is where OAuth2 and OIDC come in. The latter is used to authenticate the user who will be granting the access, and if authentication is successful, the former authorizes (delegates) access for the application. All of this is done without exposing any credentials to the application.”
So the attacker doesn’t have to know the victim’s login credentials and this tactic allows them to gain access to the victim’s account without having to use the credentials or the MFA code.
The access token the rogue app receives and uses will expire after a while, but the app has also been granted the permission to obtain refresh tokens, which can be exchanged for new access tokens, meaning that the app will be able to retain access potentially indefinitely.
After signing in, the user will be asked to confirm that he or she wants to grant the application all those permissions. Ideally, that’s the moment most users will balk and refuse but, unfortunately, many don’t understand the danger of giving random apps access to their account.
“The OAuth2 phish is a relevant example of adversary adaptation. Not only is there no need to compromise credentials, but touted security measures such as MFA are also bypassed; it is users themselves who unwittingly approve malicious access to their data,” the researchers noted.
“If users fail to act, it will be up to domain administrators to spot and deal with any suspicious applications their users might have misguidedly approved.”
Once the rogue app’s access is revoked, victims must change their O365 account password and check whether the attackers have switched off MFA protection or modified some of its settings/options.
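As an added example for the authorize request described above (written for this page, not Cofense's or Microsoft's code), the following inspects a constructed URL shaped like the one the article describes and flags the combination that makes it consent phishing: a redirect to a look-alike host, an authorization code request, persistent access, and scopes that read or modify the user's data. The client_id, nonce and state values are placeholders, the trusted-host list is an assumption, and the scope strings are the Microsoft Graph delegated permission names that correspond to the permissions the article lists.

```python
"""Triage an OAuth2/OIDC authorize URL for the consent-phishing pattern described above."""
from urllib.parse import parse_qs, urlparse

# Constructed sample: ID token + authorization code, broad delegated scopes and a
# redirect to a look-alike host. client_id, nonce and state are placeholders.
SAMPLE_URL = (
    "https://login.microsoftonline.com/common/oauth2/v2.0/authorize"
    "?client_id=00000000-0000-0000-0000-000000000000"
    "&response_type=code%20id_token"
    "&redirect_uri=https%3A%2F%2Fofficehnoc.com%2Foffice"
    "&scope=openid%20offline_access%20Files.ReadWrite%20Contacts.Read%20User.Read"
    "&response_mode=form_post&nonce=placeholder&state=placeholder"
)

# Assumed allow-list of hosts a first-party Microsoft flow redirects back to. An
# organization would add the redirect hosts of the apps it has actually registered.
TRUSTED_REDIRECT_SUFFIXES = ("microsoft.com", "office.com", "microsoftonline.com", "live.com")

# Delegated Graph permissions relevant to the article: persistent access via refresh
# tokens (offline_access) and read/modify access to files, mail and contacts.
RISKY_SCOPES = {
    "offline_access": "refresh tokens, so access persists until consent is revoked",
    "Files.ReadWrite": "read and modify the files the user can access",
    "Files.ReadWrite.All": "read and modify all files the user can access",
    "Mail.ReadWrite": "read and modify the mailbox",
    "Mail.Send": "send mail as the user",
    "Contacts.Read": "read the user's contacts",
    "Contacts.ReadWrite": "read and modify the user's contacts",
}


def host_is_trusted(host):
    host = host.lower()
    return any(host == s or host.endswith("." + s) for s in TRUSTED_REDIRECT_SUFFIXES)


def _params(url):
    """First value of every query parameter; parse_qs already percent-decodes them."""
    return {k: v[0] for k, v in parse_qs(urlparse(url).query).items()}


def assess(url):
    """Return human-readable findings for one authorize request."""
    q = _params(url)
    findings = []
    redirect_host = urlparse(q.get("redirect_uri", "")).hostname
    if redirect_host and not host_is_trusted(redirect_host):
        findings.append(f"redirect_uri points to untrusted host {redirect_host}")
    for scope in q.get("scope", "").split():
        if scope in RISKY_SCOPES:
            findings.append(f"scope {scope}: {RISKY_SCOPES[scope]}")
    if "code" in q.get("response_type", "").split():
        findings.append("requests an authorization code the app can exchange for an access token")
    return findings


def is_suspicious(url):
    """Triage rule: untrusted redirect AND persistent access AND a data read/modify scope."""
    q = _params(url)
    redirect_host = urlparse(q.get("redirect_uri", "")).hostname
    scopes = set(q.get("scope", "").split())
    data_scopes = scopes & (set(RISKY_SCOPES) - {"offline_access"})
    return (bool(redirect_host) and not host_is_trusted(redirect_host)
            and "offline_access" in scopes and bool(data_scopes))


if __name__ == "__main__":
    print("suspicious:", is_suspicious(SAMPLE_URL))
    for finding in assess(SAMPLE_URL):
        print("-", finding)
```

A legitimate third-party app also redirects to its own host, so a hit from this rule is a reason to review the app's registration and publisher, not proof of phishing on its own.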
The US Cybersecurity and Infrastructure Security Agency (CISA) is urging organizations to patch a slew of old and new software vulnerabilities that are routinely exploited by foreign cyber actors and cyber criminals.
“Foreign cyber actors continue to exploit publicly known—and often dated—software vulnerabilities against broad target sets, including public and private sector organizations. Exploitation of these vulnerabilities often requires fewer resources as compared with zero-day exploits for which no patches are available,” the agency noted.
“A concerted campaign to patch these vulnerabilities would introduce friction into foreign adversaries’ operational tradecraft and force them to develop or acquire exploits that are more costly and less widely effective. A concerted patching campaign would also bolster network security by focusing scarce defensive resources on the observed activities of foreign adversaries.”
The most often exploited CVE-numbered vulnerabilities
The list of the ten most often exploited flaws between 2016 and 2019 includes seven affecting Microsoft offerings (Office, Windows, SharePoint, .NET Framework), one affecting Apache Struts, one Adobe Flash Player, and one Drupal.
They are as follows:
IT security professionals are advised to use this list alongside a similar one recently compiled by Recorded Future, which focuses on the ten most exploited vulnerabilities by cybercriminals in 2019.
In addition to all these flaws, CISA points to several others that have been under heavy exploitation in 2020:
Additional warnings and help
CISA has also warned organizations to check for oversights in their Microsoft O365 security configurations, to implement these recommendations, and to start fixing any organizational cybersecurity weaknesses they might have.
“March 2020 brought an abrupt shift to work-from-home that necessitated, for many organizations, rapid deployment of cloud collaboration services, such as Microsoft Office 365. Malicious cyber actors are targeting organizations whose hasty deployment of Microsoft O365 may have led to oversights in security configurations and vulnerable to attack,” they noted.
Organizations can apply for CISA’s help in scanning internet-facing systems and web applications for vulnerabilities and misconfigurations – the agency offers free scanning and testing services (more info in the alert).
To help organisations secure and protect their important business data, Proact, Europe’s leading independent data centre and cloud services provider, has launched BaaS-O365 – a new backup and recovery service for customers using Microsoft Office 365.
BaaS-O365 is a new managed service from Proact that provides complete backup and recovery for Office 365 Business/Enterprise data, including Exchange Online, SharePoint Online and OneDrive for Business. It’s a tried-and-tested, standardised version of an already-successful service.
Office 365 is used by over a million organisations worldwide, with adoption set to increase, especially with the rise in remote working. With Proact’s managed Office 365 service, customers can ensure that critical business data stored within Office 365 is backed up in a compliant manner, to one of Proact’s ISO 27001-certified data centres.
Backups are automated, monitored and managed round-the-clock, all but eliminating any risks from human error, and leaving enterprise IT teams free to concentrate on more value-driven tasks.
In the case of a service disruption or accidental deletion, customers can restore individual items, such as emails, OneDrive files and folders, or objects taken from any previous backup. BaaS-O365 also retains file versions, ensuring even changes made during a given day are available for restore.
“The Office 365 application will of course already provide built-in data protection. However, this may not be enough to meet the needs of all organisations, their customers and specific regulation such as GDPR.
“An administrator would be required to set the correct retention policies, so it’s susceptible to human error. Also backing up externally would be better practice, to ensure that all your data is not held with one provider”, says Per Sedihn, CTO and Acting VP, Portfolio & Technology at Proact IT Group AB.
Phishers are trying to trick investment brokers into sharing their Microsoft Office or SharePoint login credentials by impersonating FINRA, a non-governmental organization that regulates member brokerage firms and exchange markets.
Phishers target investment brokers with malicious emails
The “widespread, ongoing phishing campaign” takes the form of emails purportedly sent by FINRA VPs Bill Wollman and Josh Drobnyk from @broker-finra.org email addresses.
They can contain an attached document or a malicious link, though occasionally they are simply a way to elicit a response and gain the recipient’s trust before sending an email with an infected attachment or link, or a request for confidential firm information.
The organization has requested that the Internet domain registrar suspend services for the broker-finra.org domain, but attackers can easily register another convincing one, so securities firms and brokers are advised to always be on the lookout for suspicious emails and to verify their legitimacy before responding to them or interacting with them.
Phishers are using fake Microsoft Teams notification emails to trick users into sharing their Microsoft Teams and Office 365 login credentials.
“Should the recipient fall victim to this attack, this user’s credentials would be compromised. Additionally, since Microsoft Teams is linked to Microsoft Office 365, the attacker may have access to other information available with the user’s Microsoft credentials via single-sign on,” Abnormal Security warns.
The email phishing campaigns
The company has spotted two slightly different campaigns, both consisting of fake Microsoft Teams notification emails:
“Given the current situation, people have become accustomed to notifications and invitations from collaboration software providers. Because of this, recipients might not look further to investigate the message,” they noted.
The imagery in the emails is copied from actual Microsoft Teams notifications and emails, and the phishing pages to which the emails direct potential victims look identical to the legitimate Microsoft Office 365 and Microsoft Teams login pages.
Those lucky enough to notice that the pages’ URLs have nothing to do with Microsoft Teams or Office might think twice about providing their login credentials.
A massive user base makes for a great target
In March 2020, Microsoft Teams hit 44 million daily users. In April 2020, during the company’s earnings conference call, Microsoft CEO Satya Nadella said that the number had surpassed 75 million, fueled by companies’ need to keep in (video) touch with their employees who are working from home due to the COVID-19 pandemic.
Just as criminals go where the money is, phishers go where the majority of users are – and a user base of 75+ million active users is a very big pond for them to go phishing in.
In a move calculated to make a dent in the data protection landscape, leading data management solutions vendor, Parablu, announced the launch of their SaaS backup solution – BluVault for Microsoft Office 365.
Parablu’s BluVault for Office 365 enables secure cloud backup and recovery and lets enterprises create a redundant copy of their SaaS data assets. This solution is designed to provide additional options in protecting enterprise data in Microsoft Office 365 by making secondary copies to an Azure cloud target with complete security and privacy.
This scalable solution helps organizations stay compliant with data regulations like GDPR, SOX, HIPAA, and others, while also providing a solid defense against ransomware and insider threats.
“The offering is designed as a SaaS service, that will backup Microsoft Office 365 data and will take advantage of Parablu’s tight integration with Azure Blob Storage and tiering.
“BluVault leverages Parablu’s BluKrypt technology, stores all data in a secure container that is created securely within Azure Blob Storage, and guarantees zero-knowledge privacy by using strong encryption with a strict segregation of duties,” said Anand Prahlad, CEO, Parablu Solutions.
BluVault for Office 365 is designed to protect data such as Exchange Online, SharePoint Online and OneDrive for Business, by making a safe copy of these assets outside the Office 365 cloud. The backups are automatic, scheduled, incremental in nature, and require no on-premise infrastructure.
“As cloud and mobility have become prevalent over the last several years, data that was traditionally on-premise has now moved into SaaS cloud platforms,” said Mike Ammerlaan, Director, Microsoft 365 Ecosystem at Microsoft Corp. “ISVs like Parablu provide added options and extend value to Microsoft Azure and Office 365 with their BluVault solution.”
Parablu already supplies mission critical solutions to industry leading organizations, in the form of BluVault, their secure endpoint backup solution. With this newly launched offering, Parablu is extending their highly acclaimed backup capabilities to Microsoft Office 365.
A week after the April 2020 Patch Tuesday, Microsoft has released out-of-band security updates for its Office suite, to fix a handful of vulnerabilities that attackers could exploit to achieve remote code execution.
At the same time, a security update has also been released for Paint 3D, the company’s free app for creating 3D models, because the source of the fixed vulnerabilities is something that both Office and Paint 3D have in common: the Autodesk FBX library.
About the vulnerabilities
Autodesk – the company behind the popular AutoCAD software but also a variety of other specialized apps used by architects, engineers, digital media creators, manufacturers, etc. – fixed six vulnerabilities (CVE-2020-7080 through CVE-2020-7085) in its FBX Software Developer Kit (SDK).
All can be triggered if a user is tricked into opening a specially crafted, malicious FBX file, and can either create a DoS condition or make the application run arbitrary code on the underlying system.
Since the Autodesk FBX library is integrated into the MS Office apps and the Paint 3D app, processing specially crafted 3D content with those apps may lead to remote code execution.
“An attacker who successfully exploited these vulnerabilities could gain the same user rights as the local user. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights,” Microsoft explained.
What to do?
To exploit the vulnerabilities, an attacker must send a specially crafted file containing 3D content to a user and convince them to open it. (Just viewing it through the Preview Pane is not enough to trigger the exploitation.)
The fact that exploitation requires user interaction makes the vulnerabilities important but not critical. Nevertheless, tricking users into opening random files is, unfortunately, something that attackers know how to do well.
There are no mitigating factors or workarounds for the flaws, so users and admins are urged to implement the provided updates, especially if they often deal with FBX files.
After recently directly notifying a number of hospitals about vulnerable gateway and VPN appliances in their infrastructure, Microsoft has decided to offer its AccountGuard threat notification service for free for healthcare and worldwide human rights and humanitarian organizations.
“AccountGuard is available to organizations using Office 365 for business email and extends additional security to the personal accounts of their front line workers who use Microsoft’s consumer email services such as Outlook.com and Hotmail,” Tom Burt, Microsoft’s Corporate VP on Customer Security & Trust, explained.
“Both AccountGuard for Healthcare and AccountGuard for Human Rights Organizations will initially be available to organizations in the 29 countries where we already offer AccountGuard, subject to review of local laws and regulations, and we will be adding new countries based on need and local law.”
Microsoft AccountGuard and the new offer for healthcare
Launched in 2018 and previously available only to political campaigns, parties, members of the U.S. Congress and democracy-focused non-profits, the AccountGuard service warns the owners of enrolled accounts about ongoing attacks by nation-state hackers.
“Healthcare organizations can sign up here, and human rights and humanitarian organizations can sign up here,” Burt noted. AccountGuard for Healthcare will be available until the COVID-19 pandemic subsides.
The threat notification service is now available for free to:
- hospitals and care facilities, clinics, labs, and clinicians that provide frontline care to patients;
- pharmaceutical, life sciences, and medical device companies that research, develop, and manufacture COVID-related treatments and drugs;
- non-governmental organizations (NGOs) and international non-governmental organizations (INGOs) involved in the response to the COVID-19 pandemic;
- select individuals (with Outlook.com and Hotmail.com personal emails) invited to participate by an eligible organization.
Participation in AccountGuard for Human Rights Organizations is offered by invitation only.
“Leading human rights and humanitarian organizations including Amnesty International, CyberPeace Institute, Freedom House, Human Rights Watch and Physicians for Human Rights have already registered for our AccountGuard threat notification service through an initial pilot,” Burt added.
Most attacks start with phishing emails
“An attacker will often disguise malicious content as a message from a health authority or medical equipment provider. These emails sent to work or home inboxes seek to obtain the person’s credentials and often contain documents or links that will infect a computer and spread the infection through a network, enabling attackers to control it,” he explained.
Attackers targeting healthcare organizations are after COVID-19-related intelligence and/or are looking to disrupt the provision of desperately needed care or supplies. Those probing human rights or humanitarian organizations are after intelligence on these organizations and the people who these groups protect, or want to disrupt their work.
Many novice Office 365 (O365) shops do not know where platform-specific security vulnerabilities lie, or even that they exist. The threats that you are unaware exist do not cause pain until they rise up and bite – then the agony is fierce.
Companies get themselves into trouble when they do not fully understand the way data moves through O365, or when they apply on-premises security practices to their cloud strategy. While the O365 platform comes with some security features and configuration options – which all customers should take advantage of – the native or built-in tools do not address many vulnerabilities or other security issues.
Below you will find four common areas that enterprises neglect when they adopt O365.
1. Impossible to implement zero trust with native tools
Enterprises are increasingly relying on zero trust cybersecurity strategies to mitigate risk and prevent data breaches. With the zero trust model, an organization only allows access between IT entities that have to communicate with each other. IT and security teams secure every communication channel and remove generic access to prevent malicious parties from eavesdropping or obtaining critical data or personally identifiable information (PII).
One problem with using a zero trust strategy is that implementing it in Azure Active Directory (Azure AD) is highly complicated. For instance, IT and security teams can label an employee an “Application Administrator,” which gives them and anyone else with that label the ability to perform/change 71 different attributes. The problem with these cookie-cutter roles is that organizations do not know precisely what all of the corresponding admin-controlled attributes mean, nor do they know what functionality they are granting.
2. Difficult to manage privileged permissions
Under the O365 centralized admin model, all administrators have global credentials, which means they have access to, and can see, each and every user. Not only is this deeply inefficient, it also creates huge security problems. Did you know that 80% of SaaS breaches involve privileged permissions? And that admins have the most privileges of all? In O365, user identity must be treated as the security perimeter.
The native O365 admin center focuses on providing global admin rights, giving admins who tend to work locally too much power and privileges they do not need. This centralized management model of setting privileges with O365 entirely relies on granting “global admin rights” – including regional, local, or business unit administrators.
The native O365 Admin Center does not enable you to easily set up rights based on business unit or country, or for remote or satellite offices. In addition, you cannot easily limit an admin’s rights granularly, so they can only perform limited and specific functions, such as changing passwords when requested.
So, how do you mitigate the risk related to O365’s operator rights? Some IT veterans may answer with role-based access control (RBAC) as it allows organizations to partition permissions based on job roles, resulting in far fewer, truly trusted global administrators. These global admins are augmented by a set of local, or business unit focused admins with no global access, all leading to far better protection for your O365 environment.
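The scoped-admin model the section recommends, as an added example (it is not Microsoft's code and uses no Azure AD API): an assignment is either global or limited to one business unit, the check is deny-by-default, and a report lists how many accounts hold tenant-wide rights. The directory, role names and action strings are constructed for the illustration.

```python
"""Scoped administration versus global admin rights (added example)."""
from dataclasses import dataclass
from typing import Dict, FrozenSet, List, Optional

# Constructed directory: user principal name -> business unit.
USERS: Dict[str, str] = {
    "alice@contoso.example": "sales-emea",
    "bob@contoso.example": "sales-emea",
    "carol@contoso.example": "finance-us",
}


@dataclass(frozen=True)
class Role:
    name: str
    actions: FrozenSet[str]


@dataclass(frozen=True)
class Assignment:
    admin: str
    role: Role
    scope: Optional[str] = None  # None means tenant-wide (global)


# Hypothetical roles; the action strings are constructed, not Microsoft's.
HELPDESK = Role("Helpdesk", frozenset({"user.read", "user.reset_password"}))
USER_ADMIN = Role("UserAdmin", frozenset({"user.read", "user.reset_password",
                                          "user.update", "user.delete"}))
GLOBAL_ADMIN = Role("GlobalAdmin", frozenset({"*"}))

ASSIGNMENTS: List[Assignment] = [
    # Local helpdesk: password resets, but only for the EMEA sales unit.
    Assignment("dave@contoso.example", HELPDESK, scope="sales-emea"),
    # Business-unit admin: full user lifecycle, but only inside finance-us.
    Assignment("erin@contoso.example", USER_ADMIN, scope="finance-us"),
    # The one truly trusted global administrator.
    Assignment("root@contoso.example", GLOBAL_ADMIN),
]


def can(admin: str, action: str, target: str,
        assignments: List[Assignment] = ASSIGNMENTS,
        users: Dict[str, str] = USERS) -> bool:
    """Deny by default: allow only if some assignment held by `admin`
    grants `action` and its scope covers the target user's unit."""
    unit = users.get(target)
    if unit is None:
        return False
    for a in assignments:
        if a.admin != admin:
            continue
        if action not in a.role.actions and "*" not in a.role.actions:
            continue
        if a.scope is None or a.scope == unit:
            return True
    return False


def global_admins(assignments: List[Assignment] = ASSIGNMENTS) -> List[str]:
    """Accounts that can touch every user; this list should stay short."""
    return sorted({a.admin for a in assignments if a.scope is None})
```

A helpdesk operator scoped to `sales-emea` can reset a password for a user in that unit but gets a denial for a user in `finance-us` and for any action the role does not list; only the single global assignment passes every check.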
3. Difficult to set up log and audit functions
O365 collects millions of bits of information on even the smallest implementation. Unfortunately, from a security standpoint, these data points do not exist for long and far too few are ever used for protection or forensics. Microsoft historically offers logs for only the last 30 days (though that is being increased to a year soon, but only for high-end E5 licenses), but businesses must ask themselves:
- Why do they need to collect data logs?
- How do logs impact regulatory compliance?
- What happens if the logs aren’t saved or otherwise mined and audited?
- What business value do these logs offer?
When used strategically, logs provide valuable forensics that not only help detect a breach, but also identify cybercriminals that may still reside on the network. Before businesses can even think about leveraging audits, IT and security teams have to turn on logging and implement a process to save log data far longer than Microsoft’s standard 30 days. It’s also important to know that even when logging is set up, event tracking is not an O365 default setting so businesses must turn that on.
Real-time monitoring and alerts for security compliance issues are the engine that drives much of the data that forms the logs. Smart IT shops now enable real-time monitoring and alerts for potential security compliance issues in their O365 environment.
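One way to keep audit data beyond the platform's 30-day window, as an added example rather than Microsoft's tooling: exported records are grouped into per-day batches, every day in the collection range gets a batch even when nothing happened, the batches are hash-chained so a dropped or altered day is detectable, and a gap check reports days inside the retention window that were never archived. The records are constructed samples in the rough shape of audit entries (timestamp, operation, acting user), not real tenant output.

```python
"""Retaining audit batches past 30 days with integrity checks (added example)."""
import hashlib
import json
from datetime import date, timedelta
from typing import Dict, List

# Constructed sample records; operation names are illustrative only.
SAMPLE_RECORDS = [
    {"CreationDate": "2020-04-01T08:15:02", "Operation": "UserLoggedIn",
     "UserId": "alice@contoso.example"},
    {"CreationDate": "2020-04-01T09:02:44", "Operation": "FileAccessed",
     "UserId": "bob@contoso.example"},
    {"CreationDate": "2020-04-03T17:41:09", "Operation": "RoleMembershipChanged",
     "UserId": "admin@contoso.example"},
]

GENESIS = "0" * 64  # digest the first day's batch is chained to


def _digest(prev: str, records: List[dict]) -> str:
    body = json.dumps(records, sort_keys=True).encode()
    return hashlib.sha256(prev.encode() + body).hexdigest()


def archive(records: List[dict], start_iso: str, end_iso: str) -> Dict[date, dict]:
    """One batch per calendar day in [start, end]; quiet days get an empty
    batch so a missing day can later be told apart from a quiet one."""
    start, end = date.fromisoformat(start_iso), date.fromisoformat(end_iso)
    by_day: Dict[date, List[dict]] = {}
    for r in records:
        d = date.fromisoformat(r["CreationDate"][:10])
        if start <= d <= end:
            by_day.setdefault(d, []).append(r)
    chain: Dict[date, dict] = {}
    prev, d = GENESIS, start
    while d <= end:
        batch = by_day.get(d, [])
        digest = _digest(prev, batch)
        chain[d] = {"records": batch, "prev": prev, "sha256": digest}
        prev, d = digest, d + timedelta(days=1)
    return chain


def verify(chain: Dict[date, dict]) -> bool:
    """Recompute every digest in date order; an edited record, a dropped
    day or a re-ordered batch breaks the chain."""
    prev = GENESIS
    for d in sorted(chain):
        batch = chain[d]
        if batch["prev"] != prev or _digest(prev, batch["records"]) != batch["sha256"]:
            return False
        prev = batch["sha256"]
    return True


def retention_gaps(chain: Dict[date, dict], window_end_iso: str,
                   retention_days: int) -> List[str]:
    """Days inside the retention window with no archived batch at all,
    i.e. a collection failure rather than an idle day."""
    end = date.fromisoformat(window_end_iso)
    first = end - timedelta(days=retention_days - 1)
    return [(first + timedelta(days=i)).isoformat()
            for i in range(retention_days)
            if first + timedelta(days=i) not in chain]
```

Running `archive(SAMPLE_RECORDS, "2020-04-01", "2020-04-04")` yields four batches (the one for 2 April is empty), `verify` accepts the chain as built and rejects it once a record is changed or a day is removed, and `retention_gaps` against a seven-day window ending 6 April names the three days the archive never covered.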
4. The “right to be forgotten” challenge
Compliance is a big security and economic issue. There are almost daily incidents of fines under GDPR and other privacy regulations like CCPA. There is a lot involved in being compliant with GDPR, and foremost among its requirements is the right to be forgotten: individuals have the right to ask organizations to delete their personal data. However, as many businesses have learned, it is difficult to fulfill this requirement if the IT or security team cannot locate personal information or does not know how it was used.
Organizations must be able to track and audit individual user accounts to make sure that they not only comply with this request but have processes in place to differentiate between users with similar (or even identical) usernames, even if one of them exercises their right to be forgotten.
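An illustration of the account-tracking problem just described, added here and not a Microsoft feature: each store keys its records on an immutable object id rather than the username, so two accounts that share a recycled username stay distinguishable, one person's data can be located across stores, and an erasure request touches only that person while leaving evidence that it was carried out. The directory, stores and ids are constructed.

```python
"""Locating and erasing one person's data when usernames are reused (added example)."""
import hashlib
from typing import Dict, List

# Constructed ids: the first j.smith left, and the username was reused.
ID_OLD = "11111111-aaaa-4000-8000-000000000001"
ID_NEW = "22222222-bbbb-4000-8000-000000000002"

DIRECTORY = [
    {"object_id": ID_OLD, "username": "j.smith", "status": "left"},
    {"object_id": ID_NEW, "username": "j.smith", "status": "active"},
]

# Constructed stores; every record references the object id, never the bare name.
STORES: Dict[str, List[dict]] = {
    "mailbox": [
        {"object_id": ID_OLD, "item": "Inbox/contract-2018.eml"},
        {"object_id": ID_NEW, "item": "Inbox/welcome.eml"},
    ],
    "sharepoint": [
        {"object_id": ID_OLD, "item": "HR/j.smith-cv.pdf"},
    ],
    "audit": [
        {"object_id": ID_OLD, "event": "FileAccessed", "at": "2018-06-01"},
        {"object_id": ID_NEW, "event": "UserLoggedIn", "at": "2020-04-01"},
    ],
}

ERASURE_LOG: List[dict] = []


def resolve(username: str) -> List[str]:
    """Every object id that ever carried this username. More than one hit
    means the username alone cannot identify whose data to delete."""
    return [u["object_id"] for u in DIRECTORY if u["username"] == username]


def locate(object_id: str, stores: Dict[str, List[dict]] = STORES) -> Dict[str, int]:
    """Where this person's data lives: store name -> number of records."""
    found = {name: sum(1 for r in recs if r["object_id"] == object_id)
             for name, recs in stores.items()}
    return {name: n for name, n in found.items() if n}


def erase(object_id: str, stores: Dict[str, List[dict]] = STORES) -> Dict[str, int]:
    """Remove personal data for exactly this id. Audit entries are kept as
    evidence but re-keyed to a one-way pseudonym so they no longer point at
    the person; the erasure itself is logged for proof of compliance."""
    handled = locate(object_id, stores)
    pseudonym = "erased:" + hashlib.sha256(object_id.encode()).hexdigest()[:16]
    for name, recs in stores.items():
        if name == "audit":
            for r in recs:
                if r["object_id"] == object_id:
                    r["object_id"] = pseudonym
        else:
            recs[:] = [r for r in recs if r["object_id"] != object_id]
    ERASURE_LOG.append({"object_id": object_id, "removed": handled})
    return handled
```

Resolving `j.smith` returns two ids, which is the point: the request has to be matched to a person, not a name. Erasing the departed account empties its footprint while the active account's mailbox and audit records are untouched.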
At their core, each of these challenges is centered around a general lack of visibility into the O365 infrastructure. Microsoft’s SaaS platform introduces a number of important business benefits and capabilities but requires enterprises to take proactive measures to account for their data and how it is accessed and shared externally. Organizations need to fulfill their end of the shared responsibility model to maintain a solid organizational security posture.
Email security miss rates are definitely a huge issue. Malicious files regularly bypass all of today’s leading email security products, leaving enterprises vulnerable to email-based attacks including ransomware, phishing and data breaches, according to BitDam.
BitDam conducted an empirical study to measure leading email security products’ ability to detect unknown threats at first encounter. Unknown threats are produced in the wild, sometimes hundreds in a day.
The study retrieved fresh samples of malicious files from various feeds and sources, qualified them as unknown threats, and sent them to mailboxes protected by leading email security products. The miss rate at first encounter was then measured, as well as the Time To Detect (TTD).
According to the study’s findings, for Office ATP, the miss rate over seven weeks in late 2019 was about 23% and the TTD average was about 48 hours. About 20% of missed unknown threats took four or more days to be detected. Office 365 ATP was ‘blind’ to selected unknown threats it did not detect at first encounter. For G Suite, the miss rate was 35.5% over four weeks in late 2019. The TTD average was about 26 hours with about 10% of missed unknown threats taking three days or more to be detected.
These massive detection gaps provide proof of how enterprises are often unprotected against unknown threats, which leads to successful email-based attacks such as ransomware, phishing, and malware.
“Mind the gap! is as relevant to CISOs as it is to riders on the London Underground. The time gap between malware delivery and subsequent detection by the industry’s most widely used endpoint protection suites solutions is shockingly long – in practice long enough to be useless. The study pinpoints this unacceptable gap in detection time, showing that organizations are exposed to cyberthreats for many hours, or even days, before their email security identifies these as malware,” said Simon Crosby, CTO, SWIM.AI.
Most threat detection technologies fail to provide protection against unknown threats. Due to their dependency on previous knowledge about threats, these technologies must be augmented by advanced solutions in order to provide better email security.
“We feel that even though the email threat landscape is constantly evolving, it is BitDam’s responsibility to do all that it can to identify the weakest security points that exist today and offer a solution for the everyday unknowns,” said Liron Barak, CEO of BitDam.
“It was this thought process that was behind our study to find the most common shortcomings of email security products on the market today, so we could respond with meaningful industry knowledge and of course, provide a solution. The detection miss rate levels were higher and more alarming than we had anticipated. Our study is a call to action for solution providers to do more, and for enterprises to enrich their arsenal with solutions like BitDam’s to detect the malware that slips through their current email security,” Barak concluded.
One of phishers’ preferred methods for fooling both targets and email filters is to use legitimate services to host phishing pages. The latest example of this involves Office 365 users being directed to phishing and malicious pages hosted on Office Sway, a web application for content creation that’s part of Microsoft Office.
The email that tries to trick recipients into visiting the phishing page isn’t stopped by Microsoft’s filters, likely because:
- It was sent from an onmicrosoft.com email address.
- It includes links that point to sway.office.com and other trusted sites (e.g., LinkedIn).
It pretends to be a fax receipt notice, shows a small image of the supposedly received fax, and asks the user to open the attachment to view it.
The phishing Office Sway page
Those who fall for the scheme are directed to a landing page hosted on Sway, which instructs them to click on another link that will either download a malicious file or lead them to a spoofed Office 365 login page.
“The Sway page will include trusted brand names. Most commonly, the spoofed brands are Microsoft-affiliated, just like the SharePoint logo shown in the example above,” Avanan explained.
And if the recipient is logged into an Office account, Sway pages appear wrapped in Office 365 styling with accompanying menus, making the page even more convincing.
“Attackers can turn Microsoft Sway into most any site they like, causing both Outlook and even the most savvy recipients to trust sway.com links,” the company pointed out, and noted that because the attackers are using multiple senders and domains, blacklisting them won’t work.
“Instead, we’ve seen many clients blacklist sway.office.com in their web filters. Unless your organization actively uses Sway, you should consider blocking Sway links,” they advised.
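Triage logic for the lure described in this item, as an added example that is neither Avanan's product nor Microsoft's filtering: it parses a message, pulls out the sender domain and every link, reports the indicators the article names (an onmicrosoft.com sender, links into sway.office.com, a fax-receipt pretext) and lists the Sway links a web filter would block unless the organization actively uses Sway. Both messages are constructed samples; the Sway and LinkedIn paths in them are placeholders.

```python
"""Indicator extraction for Sway-hosted lures (added example)."""
import email
from email import policy
from email.utils import parseaddr
from html.parser import HTMLParser
from typing import Dict, List
from urllib.parse import urlsplit

# Constructed sample of the lure: onmicrosoft.com sender, fax pretext,
# a sway.office.com link beside a link to a well-known site.
PHISH = """\
From: "Fax Service" <notifications@example-tenant.onmicrosoft.com>
To: someone@contoso.example
Subject: New fax received (1 page)
MIME-Version: 1.0
Content-Type: text/html; charset="utf-8"

<html><body>
<p>A fax was received on your line. Preview below.</p>
<p><a href="https://sway.office.com/constructed-example-id">Open attachment</a></p>
<p><a href="https://www.linkedin.com/company/constructed-example">Follow us</a></p>
</body></html>
"""

# Constructed internal message that should raise no indicator.
BENIGN = """\
From: "Payroll" <payroll@contoso.example>
To: someone@contoso.example
Subject: April payslips are available
MIME-Version: 1.0
Content-Type: text/html; charset="utf-8"

<html><body><p>Log in to <a href="https://hr.contoso.example/payslips">the HR portal</a>.</p></body></html>
"""


class _LinkCollector(HTMLParser):
    """Collects href targets of <a> tags."""
    def __init__(self) -> None:
        super().__init__()
        self.hrefs: List[str] = []

    def handle_starttag(self, tag, attrs) -> None:
        if tag == "a":
            for name, value in attrs:
                if name == "href" and value:
                    self.hrefs.append(value)


def _is_sway(host: str) -> bool:
    return host == "sway.office.com" or host.endswith(".sway.office.com")


def extract(raw: str) -> Dict[str, object]:
    """Sender domain, subject, link targets and their hostnames."""
    msg = email.message_from_string(raw, policy=policy.default)
    sender = parseaddr(str(msg.get("From", "")))[1].lower()
    domain = sender.rsplit("@", 1)[-1] if "@" in sender else ""
    body = msg.get_body(preferencelist=("html", "plain"))
    content = body.get_content() if body is not None else ""
    collector = _LinkCollector()
    collector.feed(content)
    hosts = [(urlsplit(h).hostname or "").lower() for h in collector.hrefs]
    return {"sender_domain": domain, "subject": str(msg.get("Subject", "")),
            "links": collector.hrefs, "hosts": hosts}


def indicators(raw: str) -> List[str]:
    """The traits the article attributes to this campaign, as found in one message."""
    info = extract(raw)
    found: List[str] = []
    if str(info["sender_domain"]).endswith(".onmicrosoft.com"):
        found.append("sender uses a default onmicrosoft.com tenant domain")
    if any(_is_sway(h) for h in info["hosts"]):
        found.append("link points to sway.office.com")
    if "fax" in str(info["subject"]).lower():
        found.append("fax-receipt pretext in subject")
    return found


def sway_links_to_block(raw: str, org_uses_sway: bool = False) -> List[str]:
    """Links a web filter that blacklists sway.office.com would stop;
    an organization that actively uses Sway keeps this control off."""
    if org_uses_sway:
        return []
    info = extract(raw)
    return [link for link, host in zip(info["links"], info["hosts"]) if _is_sway(host)]
```

The constructed lure trips all three indicators while the payroll notice trips none, and the LinkedIn link is left alone by the filter decision because only the Sway host is on the blocklist.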