Using an old (but supported) Excel filetype, attackers can bypass both Exchange Online Protection and Advanced Threat Protection to run malicious macros.
Security researchers at Avanan have discovered a new attack method where cybercriminals send phishing emails that contain what appears to be an Excel spreadsheet. The file is actually an SLK file – a “Symbolic Link” Excel file used to transfer data between spreadsheet programs and other databases – to host a macro that launches an MSI script.
There are a few aspects of this attack that make it particularly worrisome for organizations using Microsoft 365:
- The phishing emails are targeted and are written in an organization-specific, and sometimes user-specific manner
- It appears to be an Excel file (because it is) which is a known file format
- Most Office users known not to enable macros (or have them administratively disabled) and, therefore, think it’s fine to open an Excel spreadsheet (“It can’t hurt me, right?”)
- The filetype currently bypasses all Microsoft 365 security
- Windows “Protected View” does not apply to SLK files, so the file is NOT opened in read-only mode, leaving the user vulnerable to attack
- The call to run the Microsoft Installer runs in quiet mode and installs a hacked version of NetSupport remote control
It’s dastardly, a bit brilliant, and VERY dangerous. Users that fall for the initial social engineering scam (again, one that is written specifically for the org and user targeted) will find themselves a victim upon opening the attachment.
Organizations need to first configure their Microsoft 365 tenant to block these extensions. But, because the SLK-based attack is just the next attack in a long line of those to come, it’s as important to teach users via Security Awareness Training to be mindful and vigilant with any inbound emails, looking for reasons to suspect they might be malicious in nature.