Office 365 Users Hit By ‘Widespread’ Ransomware Attack


But Microsoft insists that only a small number of Office 365 were targetted and the attack was blocked within hours

Microsoft’s Office 365 platform is being subjected to a “massive attack” by a nasty piece of ransomware dubbed Cerber.

The warning, from security specialists Avanan comes after Office 365 celebrated its fifth birthday this week. That milestone prompted security experts to warn of the growing risks associated with the popular cloud service.

Microsoft meanwhile said this particular ransomware attack was not “specific to Office 365” and the attack had been “blocked within hours.”

Ransomware Attack

Office 365 SecurityAvanan’s Steven Toole blogged about the Cerber zero-day ransomware virus attack against Office 365 corporate users, and said that millions are likely to have been impacted.

“Starting June 22 at 6:44 a.m. UTC, Avanan’s Cloud Security Platform started to detect a massive attack against its customers that were using Office 365,” Toole said.

“The attack included a very nasty ransomware virus called Cerber, which was spread through email and encrypted users’ files. Once encrypted, Cerber demanded a ransom be paid in order to regain access to the user’s documents, photos and files.”

The virus even played an audio file warning that the computer’s files have been locked.

“While difficult to precisely measure how many users got infected, Avanan estimates that roughly 57 percent of organisations using Office 365 received at least one copy of the malware into one of their corporate mailboxes during the time of the attack,” added Toole.

“This attack seems to be a variation of a virus originally detected on network mail servers back in early March of this year. As it respawned into a second life, this time Cerber was widely distributed after its originator was apparently able to easily confirm that the virus was able to bypass the Office 365 built-in security tools through a private Office 365 mail account.

Microsoft Office 365 OutlookIt seems that the Cerber ransomware, like other ransomware, spreads via phishing emails. Once infected, a victim’s files become encrypted using the unbreakable AES-265 and RSA encryption method. The ransomware demands a ransom 1.24 bitcoins or $500 (£372) to get their files back.

“Many users of cloud email programs believe they ‘outsourced’ everything to Microsoft or Google, including security,” said Gil Friedrich, CEO of Avanan. “The reality is that hackers first make sure their malware bypasses major cloud email providers’ security measures, and so most new malware goes through cloud email programs undetected.

“We are continuing to see a significant increase in the complexity of malware targeting business networks, and this attack is an excellent example,” said Nathan Shuchami, head of threat prevention, Check Point. “By utilising several exploit kits, it was able to bypass traditional sandboxes. It also speaks to the effort hackers are putting into creating new zero-day attacks and the challenges businesses face in securing their networks against cybercriminals.”

Microsoft Protection

The growing threat against cloud services such as Office 365 has not gone unnoticed by Microsoft. The company has previously reacted quickly to threats, as and when it detects them.

Indeed, Microsoft responded to TechweekEurope and insisted that this particular attack was not specific to Office 365 and confirmed it had moved quickly to halt the attack “within hours”.

“Office 365 malware protection identified the attack and was updated to block it within hours of its origination on June 22,” a Microsoft spokesperson told TechweekEurope. “Our investigations have found that this attack is not specific to Office 365 and only a small percentage of Office 365 customers were targeted.”

Earlier this month Redmond said it would boost the security of enterprise deployments of Office 365 with Advanced Security Management, a suite of tools that offers admins threat detection, policy making tools and insights into how the software is being used.

This, Microsoft said, would help protect corporate environments and help IT departments maximise their resources by seeing what how Office 365 is being used and which applications are interacting with it.

Are you a security pro? Try our quiz!