Avanan’s Security Analysts have recently discovered a threat bypassing Microsoft 365 security, the attack uses .slk files to avoid detection.
The attack groups send emails containing .slk file as an attachment with macro (MSI exec script) to download and install the trojan. Although this attack is limited to Microsoft 365, bypassing both of its default security (EOP) and advanced security (ATP), it does put around 200 million-plus users in jeopardy.
By far Gmail users are safe from this threat as Google blocks .slk files and does not allow to be sent as an attachment.
The attack
“Symbolic Link” (SLK) file is an older human-readable text-based spreadsheet format last updated in 1986. Back when XLS files were private, .slk were open-format alternative for XLS but then XLSX was introduced in 2007 and there was no longer the need of .slk. Now, to the user, these .slk files look similar to an Excellent document and let the attacker move through Microsoft 365 security.
This latest discovery by Avanan’s Security Analysts reveals that these files when installed run a command on the Windows machine. It drives Windows Installer to install any MSI package quietly. This particular attack installs a hacked version of the off-the-shelf NetSupport remote control application giving the attacker full control of the desktop.
Where did the mails come from?
The majority of the malicious emails were sent from a disposable email address like, “randomwords1982@hotmail.com”.
These mails were sent from Hotmail and for a good reason, "While most of the well-known anonymous email sending engines deserve their poor spam and phishing reputations, Hotmail users benefit from Microsoft’s own reputation. Since the service was merged with its own Outlook application, Microsoft seems to grant them a higher level of trust than external senders", reports Informationsecuritybuzz.com.
The peculiar thing about these emails is that they are manually created and targeted personally. No two mails are alike, each one with a different subject and body especially crafted for the receiver with the subject and matter that concerns them.
How to prevent the attack?
The best method to avoid this attack is to simply configure your Office 365 to reject files with .slk extension at least till Microsoft fixes the issue.