A new Office 365 threat has been discovered that stealthily downloads malware by routing its communications and downloads through legitimate Windows components.
The attack begins with a malspam email containing a malicious link. Various themes could be used to lure users into visiting the link; one of the latest campaigns masquerades as emails from the national postal service in Brazil.
The emails claim the postal service tried to deliver a package, but the delivery failed because no one was home. The tracking code for the package is listed in the email and the user is asked to click the link to receive the tracking data.
In this instance, clicking the link leads to a popup asking the user to confirm the download of a zip file, which is claimed to contain the tracking information. If the zip file is downloaded, the user is asked to open an LNK file to receive the information. The LNK file runs cmd.exe, which executes the Windows Management Instrumentation (WMI) command-line utility, wmic.exe. This legitimate Windows file is used to communicate with the attacker’s C2 server and to place a copy of another Windows file, certutil.exe, in the %temp% folder under the name certis.exe. A script then instructs certis.exe to connect to a different C2 server to install the malicious files.
The focus of this attack is to use authentic Windows files to install the malicious payload: a banking Trojan. Using legitimate Windows files for communication and for installing files helps the attackers bypass security controls and download the payload unnoticed.
These Windows files also install other files for legitimate purposes, so it is hard for security teams to identify the malicious activity. This campaign focuses on users in Brazil, but this Office 365 threat should concern all users, as other threat actors have also adopted this tactic to download malware.
Because distinguishing legitimate from malicious wmic.exe and certutil.exe activity is so difficult, blocking an Office 365 threat such as this is simplest at the initial point of attack: stopping the malicious email from reaching an inbox, and providing security awareness training so workers can spot this Office 365 threat. The latter is vital for all companies; security awareness training turns employees into a strong last line of defense. The former can be achieved with a spam filtering solution like SpamTitan, which stops that last line of defense from being tested in the first place.
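As an added example (not from the article, and not SpamTitan code), the following Python triages constructed, Sysmon-style process-creation records for the two endpoint signals the chain described above leaves behind: a copy of certutil.exe running under another name or from a temp folder, and wmic.exe launched by cmd.exe. The field names, sample paths and the hypothetical agent.exe parent are assumptions.

```python
import ntpath
from dataclasses import dataclass
from typing import List

@dataclass
class ProcEvent:
    """One process-creation record (constructed; Sysmon-style field names)."""
    image: str              # full path of the created process
    original_filename: str  # OriginalFileName from the binary's version resource
    parent_image: str       # full path of the parent process

# The two legitimate binaries the article's chain abuses. Renaming the file on disk
# does not change OriginalFileName, so that field recovers the real identity.
ABUSED_ORIGINAL_NAMES = {"certutil.exe", "wmic.exe"}
TEMP_MARKERS = ("\\temp\\", "\\tmp\\")

def basename(path: str) -> str:
    return ntpath.basename(path).lower()

def flags_for(ev: ProcEvent) -> List[str]:
    """Reasons this event matches the renamed-certutil / cmd-to-wmic pattern ([] if none)."""
    reasons = []
    orig = ev.original_filename.lower()
    name = basename(ev.image)
    if orig in ABUSED_ORIGINAL_NAMES and name != orig:
        reasons.append(f"renamed copy of {orig} running as {name}")
    if orig in ABUSED_ORIGINAL_NAMES and any(m in ev.image.lower() for m in TEMP_MARKERS):
        reasons.append(f"{orig} executing from a temp directory")
    # Weak on its own (admin scripts do this too); useful when combined with the signals above.
    if orig == "wmic.exe" and basename(ev.parent_image) == "cmd.exe":
        reasons.append("wmic.exe launched by cmd.exe")
    return reasons

def triage(events: List[ProcEvent]) -> List[str]:
    """One line per suspicious event, for an analyst queue."""
    return [f"{ev.image}: " + "; ".join(r) for ev in events if (r := flags_for(ev))]

# Constructed sample telemetry: the article's chain (events 1 and 2) beside benign use (0, 3, 4).
SAMPLE_EVENTS = [
    ProcEvent(r"C:\Windows\System32\cmd.exe", "Cmd.Exe", r"C:\Windows\explorer.exe"),
    ProcEvent(r"C:\Windows\System32\wbem\WMIC.exe", "wmic.exe", r"C:\Windows\System32\cmd.exe"),
    ProcEvent(r"C:\Users\ana\AppData\Local\Temp\certis.exe", "CertUtil.exe", r"C:\Windows\System32\cmd.exe"),
    ProcEvent(r"C:\Windows\System32\certutil.exe", "CertUtil.exe", r"C:\Windows\System32\svchost.exe"),
    ProcEvent(r"C:\Windows\System32\wbem\WMIC.exe", "wmic.exe", r"C:\Program Files\Agent\agent.exe"),
]

if __name__ == "__main__":
    for line in triage(SAMPLE_EVENTS):
        print(line)
```

The OriginalFileName check is what separates the renamed certis.exe from an ordinary certutil.exe run; the cmd.exe-to-wmic.exe signal is only meaningful alongside it.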
Microsoft uses many different methods to spot malspam and prevent malicious messages from arriving in users’ inboxes; however, while efforts have been made to improve the effectiveness of the Office 365 spam filtering controls, many malicious messages still reach their destinations.
To enhance Office 365 security, a third-party spam filtering solution should be implemented. SpamTitan has been designed for easy integration with Office 365 and provides superior protection from a wide range of email threats.
SpamTitan uses a range of different methods to stop malspam from being sent to end users’ inboxes, including predictive techniques to discover threats that are misidentified by Office 365 security controls. These methods ensure industry-leading catch rates of over 99.9% and stop malicious emails from arriving in inboxes.