As Microsoft Exchange users move to Office 365, so do cyber-criminals

Lewis Henderson discusses the migration to Office 365 and how companies are holding off migrating due to risks highlighted in recent news

Lewis Henderson, director, client engagement, Glasswall Solutions
Lewis Henderson, director, client engagement, Glasswall Solutions

It was inevitable, wasn't it? The compelling business drivers of lower, more manageable costs for global email access and a workforce that is ‘always on', Microsoft's cloud-based email platform, Office 365, has driven organisations to push more and more of their email  to the cloud – all the while under the impression it is secured by one of the world's largest IT companies.  While the typical employee will be using Office 365 for email, sending attachments, file sharing and working on Office documents, certain groups are utilising the very same cloud platform to drive their nefarious campaigns. Inevitable.

After the Office 365 migration, the CISO has relinquished control over a part of the company's lifeblood, its security and one of its main business communication platforms; email.

Rather shockingly, the recently discovered strain of Cerber ransomware, which directly targets Office 365 users, isn't the only weapon being used by cyber-criminals to exploit cloud-based solutions. This year alone has seen hackers release cute Ransomware and Petya, two new strains of ransomware developed specifically to target Google Drive and Dropbox, respectively. The reason for the sudden uptake in ransomware being developed for cloud-based software is simple; as more organisations embrace the cloud, targeting these platforms becomes a focus for cyber-criminals.

It has previously been publicly reported that up to 57 percent of Office 365 users have been targeted by a phishing attempt that included an infected attachment. While the total number of attacks is unclear, the number is likely substantial considering there were approximately 18.2 million Office 365 subscribers at the end of 2016's first fiscal quarter. It's important to note this isn't simply a case of scatter gun attacks – many large enterprises have been hit with highly targeted and sophisticated ransomware attacks, directly.

As the frequency of ransomware attacks targeting Office 365 and other cloud-based platforms increases, the attack process is also changing. Cyber-criminals are increasingly using ‘droppers' in new and innovative ways to bypass traditional perimeter security measures, including Office 365's seemingly robust proprietary antivirus measures. The dropper can be embedded into the structure of a document, hidden from the view of many traditional security technologies, and can typically be hard-coded into business files such as PDF, Word or Excel.

Once the malicious file containing the ‘dropper' is sent to the target as an attachment, it is accessed by the user and activates – downloading the latest version of the ransomware to the user's machine through an encrypted session – again, hidden from traditional security technologies. As soon as the ransomware has control of the user's machine, it makes attempts to spread to the entire business, and seize control of the data stored on its systems.

The response by companies who have been infected with this ransomware is often to pay the person demanding the ransom, as they are too PR conscious to seek an alternative solution and feel they have no other choice, no one needs a negative headline.

This new and constantly evolving type of ransomware is particularly difficult for companies to defend against. Not only is the Office 365 security not as effective compared to normal malware, but Microsoft's response has largely been to deny how common these attacks have become. Cyber-criminals have so far been successful in staying one step ahead, constantly refining and innovating their ransomware and changing the source to ensure it stays ahead of signature and reputation based security products and services.

In order to protect against these growing ransomware attacks, organisations moving to the cloud must ensure that either they or their cloud solutions provider have the proper security infrastructure in place, before the business is migrated.

Organisations that have moved, or are planning a move, to Office 365, need to be prepared to provision their own private cloud with a cyber-security strategy that will allow the adoption of innovative technologies.  Infrastructures the size of Office 365 rarely allow for swift change, or adoption of technologies or services that have a greater impact the sooner they are deployed.

Focussing on Ransomware in particular, and deploying cloud security, staying one step ahead of innovative hackers is to choose a solution not based on traditional perimeter security solutions, but one that ensures only the known good gets through. This can be achieved through breaking file attachments down to byte-level and rebuilding versions with only elements that are known to be safe, and effectively engineering out any potential for bad exploits such as Ransomware ‘droppers'.

With IT departments feeling increasing pressure to reduce costs by migrating to the cloud, it's crucial that they don't fall into the trap of being the next victim of a sophisticated ransomware attack, and not assume their email service provider has it covered.

Contributed by Lewis Henderson, director, client engagement, Glasswall Solutions