Hackers abusing .slk files to attack Microsoft 365 users


Avanan’s security analysts have recently discovered a threat that bypasses Microsoft 365 security: the attack uses .slk files to avoid detection.


The attackers send emails with a .slk file attached; the file carries a macro (an msiexec script) that downloads and installs the trojan. Although the attack is limited to Microsoft 365, it bypasses both its default security (EOP) and its advanced security (ATP), putting around 200 million-plus users in jeopardy.

So far, Gmail users are safe from this threat, as Google blocks .slk files and does not allow them to be sent as attachments.

The attack

The “Symbolic Link” (SLK) file is an older, human-readable, text-based spreadsheet format last updated in 1986. Back when the XLS format was proprietary, .slk was the open-format alternative to XLS, but once XLSX was introduced in 2007 there was no longer any need for .slk. To the user, these .slk files look like an Excel document, and they let the attacker slip through Microsoft 365 security.

Avanan’s analysts found that, when opened, these files run a command on the Windows machine that drives Windows Installer to install any MSI package quietly. This particular attack installs a hacked version of the off-the-shelf NetSupport remote control application, giving the attacker full control of the desktop.

Where did the emails come from?

The majority of the malicious emails were sent from disposable email addresses like “randomwords1982@hotmail.com”.

These emails were sent from Hotmail, and for good reason: "While most of the well-known anonymous email sending engines deserve their poor spam and phishing reputations, Hotmail users benefit from Microsoft’s own reputation. Since the service was merged with its own Outlook application, Microsoft seems to grant them a higher level of trust than external senders", reports Informationsecuritybuzz.com.

The peculiar thing about these emails is that they are manually created and personally targeted. No two are alike: each has a different subject and body, crafted for the recipient around matters that concern them.

How to prevent the attack?

The best way to avoid this attack is simply to configure Office 365 to reject files with the .slk extension, at least until Microsoft fixes the issue.
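The rejection rule recommended above, written as an Exchange Online mail flow (transport) rule. This is an added example, not code from the article or from Avanan; it assumes the ExchangeOnlineManagement PowerShell module and an Exchange administrator account, and the admin UPN shown is a placeholder.

```powershell
# Added example: reject inbound mail carrying a .slk attachment.
# Assumes the ExchangeOnlineManagement module is installed; the UPN is a placeholder.
Connect-ExchangeOnline -UserPrincipalName admin@contoso.example

$ruleName = "Block SLK attachments (Symbolic Link spreadsheets)"

# Scope to external senders: the campaign arrives from disposable Hotmail accounts.
# Reject (rather than quarantine) so the sender gets an NDR and no user ever sees the file.
New-TransportRule -Name $ruleName `
    -Comments "Temporary control: .slk attachments abused to drive msiexec silently." `
    -FromScope NotInOrganization `
    -AttachmentExtensionMatchesWords "slk" `
    -RejectMessageReasonText "Attachments with the .slk extension are not accepted." `
    -RejectMessageEnhancedStatusCode "5.7.1" `
    -StopRuleProcessing $true `
    -Mode Enforce

# Verify the rule exists and is enabled before relying on it.
Get-TransportRule -Identity $ruleName |
    Format-List Name, State, Mode, FromScope, AttachmentExtensionMatchesWords
```

The match is on the attachment's file name, so a renamed or archived .slk file is not caught by this rule alone; it is a stopgap, not a replacement for attachment content scanning.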

Phishing Attacks: Via Scraping Branded Microsoft Login Pages!


The latest phishing attack uses the targets’ company-branded Microsoft 365 tenant login pages to make the lure look more believable.

Microsoft’s Azure Blob Storage and Azure Web Sites cloud services are also being used to host the phishing landing pages.

This makes users think they are seeing a legitimate Microsoft page, which helps the criminals target Microsoft users and steal their service credentials.

The campaign centres on scraping organizations’ branded Microsoft 365 tenant login pages in order to fool the targets.

The above observations come from research by Rapid7’s Managed Detection and Response (MDR) service team, according to sources.

The criminals work through a list of validated email addresses before redirecting the victims to the phony login pages.

They display authentic-looking logos of the brands they want to copy, which is what scraping the tenant login page gives them.

If the target organization does not have a custom-branded tenant page, the phishing kit falls back to the default Office 365 background.

The same campaign has been launched against various companies and organizations, including those in the financial, insurance, telecom, energy and medical sectors.


Several indications suggest the phishing campaign is still active; in fact, someone appears to be updating it from time to time.

The “phisher” behind the campaign may well be using Lithuanian infrastructure.

Besides using the phony Microsoft page to steal credentials, the campaign also abuses cloud storage services.

These services also serve the campaign well for hosting landing pages. The phishing kits were discovered in April this year.

IPFS gateways were also abused by phishing attempts using TLS certificates issued by Cloudflare, in October last year.

According to sources, organizations using Microsoft Office 365 should take the following measures at once:
· Multi-factor authentication, via Office 365 or a third-party solution, for all employees.
· Enrolling staff in phishing awareness training programs.
· Training to help employees spot and report phishing attacks.