As businesses increasingly rely on Office 365 files, sightings of their “evil twin” are on the rise.
It was nearly a week late, but Tom finally received the pricing proposal he’d requested from Tetome Supply.
While he was eager to start reviewing it, he knew from his company’s quarterly cybersecurity courses to proceed with caution. He looked closely at the sender’s name and email address and checked to ensure the attachment was a Word doc as promised, and not some shady looking .exe file. The text of the email, which thanked him for his patience and asked about his new puppy, further reassured him.
As Tom sipped his morning coffee and scanned the day’s headlines on his phone, a message appeared on his monitor informing him that, since the .doc was created in iOS, he needed to enable editing and content. Doing so did allow him to see the contents of the document — but it also set off a chain reaction.
As far as Tom knew, the document contained only the pricing info. There was nothing to indicate that a PowerShell command had gone to work downloading Emotet from a compromised website — or that Emotet had called for backup in the form of another malware known as Trickbot.
By the time there were visible signs of compromise, it was already far too late: When Tom opened his laptop several days later, a note appeared informing him that all his files had been encrypted, and that the perpetrators wouldn’t unlock them until his company delivered $150,000 in bitcoin.
It was signed “Ryuk.”
Unfortunately, this sort of scenario isn’t uncommon — and based on data from the mid-year update to the 2020 SonicWall Cyber Threat Report, it’s only getting worse.
For the first half of 2019, malicious PDFs showed an edge over malicious Office 365 files, outpacing them 36,488 to 25,461. While the number of malicious PDFs dipped 8% compared with the same period last year, the number of malicious Microsoft Office files skyrocketed to 70,184 — a 176% increase. It’s worth noting that the share of malicious Office files identified has now surpassed that of malicious .exe files. This is likely because people have learned not to open strange or unsolicited .exe files, but most still think of Word docs, Excel files and other Office 365 files as completely benign.
While new threats identified over the past six months are up significantly, there are some bright spots: Although malicious PDF and Office files made up a full third of all new malicious files identified by SonicWall Capture ATP during the first half of the year, their numbers began trending slightly downward in the second quarter.
No one should be breathing a sigh of relief yet, however. Just six days into the second half of 2020, SonicWall Capture Labs threat researchers began observing advances in the way malicious Excel files distribute malware — including new techniques to evade signature-based anti-malware engines and hinder sandbox debugging and analysis.
Worse, after a months-long hibernation, Emotet re-emerged in mid-July, taking the scenario above out of the realm of the theoretical and closer to the realm of the inevitable. And if the patterns of previous years are any indication, the worst may be yet to come for Emotet attacks.
How to protect against malicious Office 365 files
There are, however, several simple things you can do to protect yourself and others on your network, such as changing your Office 365 settings to disable scripts and macros, and keeping your endpoints and operating system up to date with the latest patches for Windows.
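The macro settings mentioned above live in the Office registry keys and can be checked from the endpoint. The following PowerShell script is an added example, not code from the SonicWall post; it assumes Office 2016/2019/365 (registry version key "16.0") and audits the current user's Word, Excel and PowerPoint settings, reporting any application that would still let a macro run from an e-mailed attachment and, with -Fix, writing the hardened policy values.

```powershell
# Added example, not from the SonicWall post: audit (and with -Fix, harden) the
# Office macro settings the article recommends changing. Assumptions: Office
# 2016/2019/365 (registry version "16.0"), current-user hive, Windows PowerShell.
# VBAWarnings: 1 = enable all macros, 2 = disable with notification (default),
#              3 = disable except digitally signed, 4 = disable all.
# blockcontentexecutionfrominternet: 1 = block macros in files carrying the
#              Mark-of-the-Web (downloaded or received as e-mail attachments).
param([switch]$Fix)

function Get-OfficeMacroSetting {
    param([string]$App, [string]$Name)
    # A value under Policies (set by GPO or an admin) overrides the user-level value.
    $keys = "HKCU:\Software\Policies\Microsoft\Office\16.0\$App\Security",
            "HKCU:\Software\Microsoft\Office\16.0\$App\Security"
    foreach ($key in $keys) {
        $item = Get-ItemProperty -Path $key -Name $Name -ErrorAction SilentlyContinue
        if ($null -ne $item) { return [int]$item.$Name }
    }
    return $null   # not configured: Office falls back to its built-in default
}

$report = foreach ($app in 'Word', 'Excel', 'PowerPoint') {
    $vba      = Get-OfficeMacroSetting -App $app -Name 'VBAWarnings'
    $blockNet = Get-OfficeMacroSetting -App $app -Name 'blockcontentexecutionfrominternet'
    # Weak if the user can click "Enable Content" (level 1 or 2, or unset) or if
    # Internet-sourced files are not blocked outright.
    $weak = ($null -eq $vba -or $vba -lt 3) -or ($blockNet -ne 1)

    if ($Fix -and $weak) {
        $policyKey = "HKCU:\Software\Policies\Microsoft\Office\16.0\$app\Security"
        New-Item -Path $policyKey -Force | Out-Null
        # 4 = disable all macros; use 3 instead if signed in-house macros are required.
        New-ItemProperty -Path $policyKey -Name 'VBAWarnings' -Value 4 -PropertyType DWord -Force | Out-Null
        New-ItemProperty -Path $policyKey -Name 'blockcontentexecutionfrominternet' -Value 1 -PropertyType DWord -Force | Out-Null
        $vba = 4; $blockNet = 1; $weak = $false
    }

    [pscustomobject]@{
        App                 = $app
        VBAWarnings         = if ($null -eq $vba) { 'not set (default 2)' } else { $vba }
        BlockInternetMacros = if ($blockNet -eq 1) { 'yes' } else { 'no' }
        Status              = if ($weak) { 'WEAK: macros can run from attachments' } else { 'hardened' }
    }
}

$report | Format-Table -AutoSize
```

Writing to the Policies hive only affects the current user; for fleet-wide enforcement the same two values are delivered through Group Policy so users cannot revert them from the Trust Center.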
While Microsoft regularly patches vulnerabilities, there are enough people who let their updates lapse that attacks targeting these vulnerabilities succeed with shocking regularity. One example is Trickbot, a common secondary Emotet payload. Trickbot is capable of exploiting the Windows EternalBlue vulnerability, which many still have not patched more than three years later.
You’ll also need to invest in a quality cybersecurity solution, such as SonicWall Capture ATP. As reported in the Cyber Threat Report, during the first six months of 2020, SonicWall Capture ATP with Real-Time Deep Memory Inspection™ (RTDMI) discovered 315,395 new malware variants — a 62% increase over 2019’s first-half totals.
Included as part of Capture ATP, RTDMI leverages proprietary memory inspection, CPU instruction tracking and machine learning capabilities to recognize and mitigate never-before-seen cyberattacks, including threats that do not exhibit any malicious behavior and hide their weaponry via encryption — attacks that traditional sandboxes will likely miss.
This is particularly important in cases such as Tom’s, as Trickbot and Emotet both use encryption to hide their misdeeds. Emotet is also capable of determining whether it’s running inside a virtual machine (VM), and will remain dormant if it detects a sandbox environment.