Microsoft Misses and Hosts Weaponized File-Sharing Attacks

Microsoft – The Threat Actor’s Playground. A Blog Series.

This post is an ongoing series of blogs on different types of people-centric email attacks slipping past Microsoft’s detection. These attacks cost organizations millions of dollars every year in losses and cause frustration for information security teams and users alike due to outdated detection technologies and the inherent limitations of Microsoft email security. 

In this series, you can expect to learn more about Microsoft missing several different types of attacks, which we’ll explore in-depth and provide recent examples of:

• Microsoft Missed Business Email Compromise (BEC) Attacks
• Microsoft Misses Ransomware Attacks
• Microsoft Misses Supplier Attacks
• Microsoft Misses Account Compromise Attacks

Subscribe to our blog at the bottom of this post to stay updated on these misses that may be impacting your organization. Also, use our rapid risk assessment to better understand your organization’s risks.

Weaponized file sharing missed by Microsoft

Weaponized file-sharing attacks are one of the most common tactics in URL attacks. Our own internal threat data, where we see 49 billion URLs a day, shows file-sharing URLs are used in over half of URL-based attacks. Because users inherently trust and use these services, like Microsoft OneDrive and Microsoft SharePoint, they’ve become quite common targets for attackers. 

Microsoft is in the unique position of not only hosting malicious files, but also allowing them to pass through their email security solution. In 2021 we found that over 45 million threats were sent to Proofpoint customers with malicious content hosted by Microsoft, as shown below.

Figure 1. Microsoft hosts most of the malicious URLs sent to our customers; since January 2021, Microsoft 365 has sent or hosted over 45 million threats targeting Proofpoint customers.

These attacks that compromise accounts can cost organizations significant amounts of money. For example, according to “The 2021 Ponemon Cost of Phishing Study,” phishing threats cost a large, 10,000-seat organization millions annually in prevention, remediation and user downtime costs. With the knowledge that over half of URL threats originate from malicious content on file-sharing sites, this is an expensive problem to fix.

Figure 2. Overview of phishing-related costs for a 10,000-seat organization. (Source: Ponemon Institute’s “2021 Cost of Phishing Study.”) 

In a month’s time frame and a limited data set of rapid risk assessments, Proofpoint detected more than 13,000 URL threats from file sharing, and other legitimate websites that slipped past Microsoft’s email security perimeter defenses. But it’s not just threats that their email security solution misses—it’s also threat actors abusing their services and infrastructure to launch attacks, many of which can remain available for days and weeks after being reported. In this way, Microsoft acts as both the fire department and the arsonist in many instances. 

Allow Proofpoint to be the smoke detector and protect against these fires coming your way. Proofpoint detected over 3.8 million message threats sent using Microsoft mail servers and about 370,000 threats hosted by services like Office 365 OneDrive, SharePoint and Azure in just one month’s time span. 

Outlined below are samples of file-sharing attack types both missed and hosted by Microsoft during recent Proofpoint rapid risk assessments.

Credential theft hosted and missed by Microsoft:

In research for our “Human Factor Report,” Proofpoint found that attackers increased their use of CAPTCHA by 50x year-over-year. In the attack, both hosted by Microsoft and missed in a Proof of Concept (POC), an attacker used OneDrive and CAPTCHA to attempt to trick users of a shared mailbox to provide their credentials and access a request document.

Here’s one example of an attack missed by Microsoft:

• Environment: Microsoft 365
• Threat Category: File-Sharing URL-Based
• Attack Type: Credential Theft
• Target: Shared Mailbox Work Request

Figure 3. Users are taken to a OneNote page, with a link to a fake Word document. When they click on the link, they’re presented with a CAPTCHA; after checking the box, they’re taken to a fake Microsoft page in an attempt at credential theft.

The anatomy of the attack:

The attacker masqueraded as a third-party vendor with a work request sending to a telecom organization’s shared mailbox, attempting to steal credentials. In our risk assessment with this customer, we protected them from the attack after the threat slipped through Microsoft’s email security.

This credential theft attack not only bypassed native Microsoft email security controls, but more than a month after we condemned the attack, the OneDrive page is still live and actively hosting a malicious credential theft attack impersonating Microsoft’s brand. This is one of millions of abused file-sharing pages that Microsoft hosts malicious content on every month.

Branded credential theft on legitimate file-sharing site missed by Microsoft:

Office 365 credential theft is a common lure that attackers use to attempt to compromise users’ accounts. These attacks are extremely dangerous, as the attacker assumes the corporate identity of their victim, which can cause untold damage and theft of data or financials. 

Figure 4. Microsoft Misses credential theft imitating their brand, hosted on a legitimate file-sharing site. 

Here’s one example of an attack missed by Microsoft:

• Environment: Microsoft 365
• Threat Category: File-Sharing URL-Based
• Attack Type: Credential Phishing

The anatomy of the attack:

These themes of attacks (email/IT issues) are quite common, and the attacker abused a legitimate website, SendGrid, to host this credential theft attack. The attacker sent it from a spoofed Microsoft domain (onmicrosoft.com), making it appear legitimate—and even used a greeting that included Microsoft Corporation as the signee on behalf of the organization.

In this attack, Microsoft’s reputation analysis fails to detect abuse of legitimate cloud services. This is because Microsoft’s Safe Links lacks a predictive sandboxing on-click and relies on reputation, which is incapable of detecting never-before-seen threats originating on file-sharing services. Despite the obvious brand impersonation and keywords, Microsoft failed to detect this fake email quarantine lure. 

Proofpoint’s click-time URL sandboxing used machine learning (ML) classifiers to identify the malicious credential theft and blocked this attack from being activated during our email rapid risk assessment.

Credential theft hosted and missed by Microsoft:

Why is default security not enough? Attackers are getting very crafty, as demonstrated by this next attack. The bad actor in this case abused not one, but two file-sharing sites, nesting a Microsoft phishing attack under the guise of a legitimate but compromise account. This attack was condemned and blocked by Proofpoint, and was missed not only by Microsoft, but also by an API email security solution specifically marketed at detecting these types of threats

Here are the details about this missed attack:

• Environment: Microsoft 365
• Threat Category: File-Sharing URL-Based
• Attack Type: Credential Phishing
• Target: Loan Officer

Figure 5. Attackers using two file-sharing services to evade Microsoft security.

The anatomy of the attack:

The attacker, using a compromised account of a local real estate agent, sent a loan officer a forwarded message containing files, likely in regard to a closing/transaction. Microsoft OneDrive file-sharing hosted a link to another file-sharing site, Evernote. If a user clicks on the link in the Evernote document, they are taken to a fake OneDrive login page, where attackers can steal their Microsoft login credentials.

As of today, more than a month after this attack was spotted and condemned by Proofpoint, all pages with links to malicious content are still currently live. As mentioned previously, Microsoft and an API email security solution missed this threat. This is a perfect demonstration of how attackers will nest and hide their attacks, evading default security solutions and API email security applications. These types of URL threats are increasingly common.

How Proofpoint stops file-sharing attacks

Figure 6. AI and ML are less effective without a large corpus of data powering the models. The Proofpoint Nexus Threat Graph includes threat protection insights from 75+ of the F100, 60%+ of the F1000 and 200,000+ SMB organizations, in addition to a growing information and cloud threat protection presence.

Proofpoint provides an end-to-end, integrated advanced threat protection solution with multiple layers of protection to detect file-sharing attacks. We use a detection ensemble with more than 26 layers for email threat protection to detect advanced techniques like nested attacks, CAPTCHA, or password-protected files and URLs by attackers attempting to evade security. 

Our ML and artificial intelligence (AI) models for detection are fed by 2.6 billion daily emails, 1.9 billion attachments and over 49 billion URLs. Also, our growing information protection solution includes threat insights on more than 28.2 million active cloud accounts, giving us details about how attackers are attempting to weaponize cloud applications like file-sharing accounts.

Figure 7. The detection ensemble from Proofpoint has more than 26 layers, including advanced detection stacks for URLs including file-sharing, attachment and BEC defense as well as our behavioral engine to improve detection of all threats.

In the above examples from this post, it is important to note that Proofpoint would have detected and blocked these messages.  

Recommendations to stop account compromise attacks

Proofpoint takes a layered approach to stopping file-sharing attacks with the Proofpoint Threat Protection Platform alongside our Information Protection Platform, providing more layers to protect organizations. Some of these layers in our Threat Protection Platform include our leading detection, isolation, authentication, education and automated remediation capabilities. 

There is no silver bullet to stop these threats, which is why a layered, integrated threat protection solution is necessary. To learn more about how Proofpoint can stop these threats and more in your environment with our Threat Protection Platform, take a free Email Rapid Risk Assessment.