Experts call Microsoft the largest malware provider

Well-known cybersecurity expert Kevin Beaumont, who worked at Microsoft as a threat analyst (from June 2020 to April 2021), criticized the company for not tackling the abuse of OneDrive and Office 365. Microsoft services are constantly used for hosting malware. Typically, this is done through OneDrive accounts, which may have been created specifically for this purpose or stolen from legitimate users. It is also common to see malware hosted on corporate Office 365 accounts that have previously been compromised.

It all started with a fresh report by an information security expert known as TheAnalyst, which devoted separate attention to the abuse of Microsoft services. He wrote that, for example, the BazarLoader malware operators place their malware in Microsoft OneDrive, and wondered: “Is Microsoft in any way responsible for this if they INTENTIONALLY place hundreds of files for more than three days leading to this [BazarLoader infection]?”

Recall that BazarLoader spreads through spam messages. Attackers try to trick recipients of such messages into opening a trojanized link. In this case, it was an ISO file containing a malicious DLL with the misleading label “Documents”. The launch of such malware usually ends with a Conti ransomware attack.

Responding to TheAnalyst’s legitimate claims on Twitter, Beaumont wrote:

“It’s funny, in MS we created a system to alert Google Drive about BazarLoader to block such links, which is why it happened so quickly (literally in a matter of minutes). Now they [the attackers] have moved into the Microsoft infrastructure that has this system, but they cannot force Office to delete the files.

Microsoft documentation specifically recommends allowing some of the domains in question to prevent security solutions from validating content. Try to protect your business in such a situation.”

Beaumont also adds:

“Microsoft has no right to advertise itself as a leader in security, employing 8,000 security personnel and handling trillions of signals if they fail to prevent direct exploitation of its own platform Office365 to run Conti ransomware, and OneDrive has been abused for years.”

It is worth noting that the URLhaus site, supported by the Swiss project abuse.ch at the Institute of Cybersecurity and Engineering at the University of Bern, maintains statistics that confirm the experts’ words. For example, according to the latest data, Microsoft shows the worst malware response time among the top 10 sites hosting the most malicious URLs. It usually takes Microsoft more than 29 days to remove malware.

Google also suffers from malware and removes it slowly, on average in 14 days, but it’s still twice as fast as Microsoft.

Microsoft representatives have already taken note of the specialists’ criticism and commented on the current situation as follows:

“Cloud storage abuse is an industry-wide problem and we are continually working to reduce the abuse of Microsoft services. We are exploring further potential improvements to prevent and respond quickly to the various types of abuse listed in this report.”

The company also notes that it always advises customers to exercise caution when following links to pages, opening or accepting unknown files.
