On June 28, 2016, a number of reports on various sites carried news about what was termed a zero-day ransomware attack that targeted Office 365 users. Because of the immediate and potentially catastrophic nature of the impact on users, ransomware is a current concern in the security industry and it is important to understand the nature of the threat. In this case, variants of the Cerber ransomware infection that had been seen in the wild since March 2016 had apparently targeted Office 365. A fair amount of hyperbole and erroneous detail was presented to support the claim.
The reports originated from a post on the Avanan site on June 27 titled “Widespread attack on Office 365 corporate users with zero-day ransomware virus” and described how this seemed to be “a variation of a virus originally detected on network mail servers back in early March” before going on to explain how the Avanan Cloud Security Platform “immediately discovered the rebirth of this virus using Check Point’s Sandblast solution”. According to the report, Microsoft detected the attack and started blocking the attachment at 11:34am UTC on June 23. I assume that this was done through Exchange Online Protection (EOP).
Call me a grumpy old man, but I am always suspicious of a security report that comes from a vendor and tells horror stories that only the vendor was capable of handling. I spent four years leading security strategy at HP (2003-2007) and my experience gained there tells me that FUD is a thing of beauty when you want to sell security products. In this case, the report contained some elements that just don’t make sense.
First, although I absolutely accept that macro-transmitted viruses remain a real danger to users, the example cited in the report appears to come from Word 2007. The Office 2007 desktop suite is not supported with Office 365, especially for Outlook, where Outlook 2013 SP1 is the oldest supported client. I guess it’s possible that some Office 365 users continue trucking away with Word 2007 while using a newer email client. However, I have never met anyone like this.
Second, the report tells us that “Avanan estimates that roughly 57 percent of organizations using Office 365 received at least one copy of the malware into one of their corporate mailboxes during the time of the attack.” In a later paragraph we learn that the figure apparently comes from the organizations who use the Avanan Cloud Security Platform. That’s hardly an earth-shattering number as I imagine that Avanan does not have a huge presence in the overall Office 365 installed base (some 70 million active users and around 1.2 million tenants). Taking a number derived from a small, self-selected sample and representing it as something that applies to a massive infrastructure that spans twelve datacenter regions around the world is a great example of spreading FUD.
In any case, I can report that this Office 365 tenant did not see any evidence of a ransomware attack nor have any of my customers. We must be part of the ignored 43%.
Third, the general lack of detail in the report is not helpful. We’re told that the virus was able to bypass the “Office 365 built-in security tools through a private Office 365 mail account.” What does this mean? What security tools are referenced here? What is a private Office 365 mail account (aren’t all Office 365 user accounts private?)? Is the reference to Office 365 business or consumer? If business, was the account licensed with a plan that contained Office 365 Advanced Threat Protection? In short, there are too many holes in the report to take it very seriously.
I don’t want to decry the honest efforts of security vendors to create solutions to help protect Office 365 tenants. There is no doubt that ransomware is a real and viable threat and that attackers will use macro-infected documents as a vector (this Mimecast document describing macro-enabled threats is a useful read). There is no doubt that zero-day attacks happen. And there is no doubt that defence in depth is better than single-line defence and that some security vendors have interesting and innovative technology that handles these kinds of threats better than others do.
However, before you rush to invest in third-party security technology, pause and first ask whether you are making full use of the capabilities that you already have through Office 365 and whether you are doing everything possible (including ongoing and persistent user education) to prepare for and be able to resist such attacks (this blog offers some interesting recommendations).
And please, ignore advice such as “Regularly backup your files in an external hard-drive” that appeared in one report about the attack. Backing up files to an external drive is fine if you use old-fashioned local storage (and even then, a drive that stays plugged in is within reach of the same ransomware), but Office 365 tenants should be taking advantage of OneDrive for Business and SharePoint Online sites to hold important documents where they can be protected, indexed, and available for eDiscovery if needed. In addition, the versioning capabilities used by OneDrive for Business and SharePoint Online allow you to recover if disaster should happen: an encrypted copy synced up from an infected PC simply becomes the latest version, and the earlier, clean version remains available to restore (here’s an example how). Encouraging users to back up files to external drives is a one-way ticket to compliance hell.
FUD is a time-honored IT industry mechanism for driving customer thoughts (the nicest description I can come up with). FUD won’t go away anytime soon. The best approach is to read, research, and make your own mind up whether a report is FUD or contains real value. In this case, I have my doubts.
You can follow Tony Redmond on Twitter: @12Knocksinna.
Want to know more about how to manage Office 365? Find what you need to know in “Office 365 for IT Pros”, the most comprehensive eBook covering all aspects of Office 365. Available in PDF and EPUB formats (suitable for iBooks) or for Amazon Kindle.