While somewhat eclipsed by other threat vectors in recent years, ransomware remains a significant danger to organizations migrating to cloud-based platforms like Microsoft Office 365.
Compromised cloud login credentials, public links, infected emails, and easily accessible file shares are just some of the ways ransomware pivots off other cloud apps to penetrate the Office 365 environment. Indeed, Symantec research previously found that one in every 131 emails contained a malware attack, and that 61% of organizations were hit with ransomware in 2016.
Symantec’s latest Internet Security Threat Report (ISTR) found that while overall ransomware attacks were down 20% in 2018, the vector continued its assault on the enterprise: enterprise infections rose 12% and accounted for 81% of all ransomware infections. Email campaigns remain the primary means of entry, and Symantec telemetry found that Microsoft Office users were the most at risk of falling for email-based malware. The research revealed that nearly half (48%) of malicious email attachments are in fact Office files, a leap from 5% in 2017. Mobile ransomware is also becoming a bigger problem, growing by 33% in 2018.
The high-profile Cerber ransomware targeted millions of Office 365 users via a phishing campaign in 2016, encouraging users to click on a bogus email attachment, which then encrypted their photo, video, and document files and demanded a ransom in order to unlock them. Follow-on targeted attacks were conducted by the SamSam group in 2018—Symantec’s 2019 ISTR found evidence of 67 SamSam attacks, most aimed at organizations in the United States.
While Office 365 has built-in security protections, they aren’t enough to detect and analyze every malicious file and email for ransomware, let alone prevent them from ever reaching enterprise users. Office 365 has some limitations in its security controls that organizations need to address.
To stop the flow of ransomware, organizations need to prevent malicious files and emails from getting to users, mainly by instituting cloud-sharing permissions. On the chance ransomware is able to infiltrate the enterprise environment, IT organizations need a way to minimize the damage by detecting and interrupting what could potentially turn into a mass encryption event.
The Symantec Defense
The combination of email security technologies and a Cloud Access Security Broker (CASB) can help deliver the visibility and protections necessary for stopping ransomware in its tracks. As part of Symantec’s security portfolio, Email Security.cloud is employed to detect ransomware, among other threats, in, or attached to, emails while blocking users from accessing links to malicious web sites. CloudSOC, Symantec’s CASB solution, picks up protection from there by extending visibility and control into Office 365 apps beyond email and to other cloud applications.
Both Email Security.cloud and CloudSOC are fortified by Symantec’s antimalware engines, machine learning, and sandbox techniques to identify advanced threats. CloudSOC, for example, employs a sophisticated machine learning-infused analytics engine to continuously monitor user behavior and access to identify risky behavior patterns, including abnormal log-in and cloud access, encrypted file activity, and unusual uploads, downloads, or data destruction. For example, the behavior analytics capabilities could detect and flag as suspicious a particular user account that continuously downloaded content from a corporate Office 365 app and then uploaded the same content to personal file sharing apps.
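The two behavior patterns described above, a user who downloads corporate content and re-uploads it to a personal file-sharing app, and the burst of file renames that signals a mass-encryption event, can be illustrated with simple detection logic over cloud-app audit events. The following is an added example, not CloudSOC code or any Symantec product logic; the event format, the app names, the file extensions and the thresholds (10-minute exfiltration window, 20 renames in 60 seconds) are assumptions chosen for illustration, and the audit events are constructed.

```python
"""Behavioral detection over cloud-app audit events (added example, not product code)."""
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample audit events (not from any real tenant).
# Each event: (ISO-8601 timestamp, user, app, action, file name)
_BASE = datetime(2019, 3, 1, 10, 0, 0)
SAMPLE_EVENTS = [
    # alice: download from the corporate app, then upload the same file to a personal share
    ("2019-03-01T09:00:00", "alice", "corp-office365", "download", "Q1-forecast.xlsx"),
    ("2019-03-01T09:00:40", "alice", "personal-fileshare", "upload", "Q1-forecast.xlsx"),
    ("2019-03-01T09:01:10", "alice", "corp-office365", "download", "board-deck.pptx"),
    ("2019-03-01T09:02:00", "alice", "personal-fileshare", "upload", "board-deck.pptx"),
    # carol: ordinary editing, nothing suspicious
    ("2019-03-01T11:00:00", "carol", "corp-office365", "modify", "notes.txt"),
    ("2019-03-01T11:00:05", "carol", "corp-office365", "rename", "notes-v2.txt"),
] + [
    # bob: 25 renames to an unknown extension within 48 seconds (mass-encryption indicator)
    ((_BASE + timedelta(seconds=2 * i)).isoformat(), "bob", "corp-office365",
     "rename", f"invoice-{i:03d}.docx.locked")
    for i in range(25)
]

CORPORATE_APPS = {"corp-office365"}          # assumed set of sanctioned apps
KNOWN_EXTENSIONS = {"docx", "xlsx", "pptx", "pdf", "txt"}  # assumed allowlist


def _sorted(events):
    """Audit feeds are not guaranteed to arrive in order; sort by timestamp."""
    return sorted(events, key=lambda e: datetime.fromisoformat(e[0]))


def detect_exfil(events, corporate_apps, window=timedelta(minutes=10)):
    """Flag (user, file, app) when a file downloaded from a corporate app is
    uploaded to a non-corporate app by the same user within `window`."""
    recent_downloads = defaultdict(dict)  # user -> {file name: download time}
    alerts = []
    for ts, user, app, action, name in _sorted(events):
        t = datetime.fromisoformat(ts)
        if action == "download" and app in corporate_apps:
            recent_downloads[user][name] = t
        elif action == "upload" and app not in corporate_apps:
            downloaded_at = recent_downloads[user].get(name)
            if downloaded_at is not None and t - downloaded_at <= window:
                alerts.append((user, name, app))
    return alerts


def detect_mass_encryption(events, window=timedelta(seconds=60), threshold=20):
    """Return users who renamed at least `threshold` files to an extension outside
    the allowlist within any sliding `window`; a crude mass-encryption indicator."""
    recent_renames = defaultdict(deque)  # user -> timestamps of suspicious renames
    alerted = set()
    for ts, user, app, action, name in _sorted(events):
        if action != "rename":
            continue
        ext = name.rsplit(".", 1)[-1].lower()
        if ext in KNOWN_EXTENSIONS:
            continue  # a rename to a known document type is ordinary editing
        t = datetime.fromisoformat(ts)
        q = recent_renames[user]
        q.append(t)
        while q and t - q[0] > window:  # drop renames that fell out of the window
            q.popleft()
        if len(q) >= threshold:
            alerted.add(user)
    return sorted(alerted)


if __name__ == "__main__":
    for alert in detect_exfil(SAMPLE_EVENTS, CORPORATE_APPS):
        print("possible exfiltration:", alert)
    for user in detect_mass_encryption(SAMPLE_EVENTS):
        print("possible mass encryption by:", user)
```

Both detectors work on a per-user sliding window, which is what lets them distinguish bob's burst of renames from carol's single ordinary rename and alice's download-then-upload from a user who merely downloads files for offline work. Real deployments tune the window and threshold to the tenant's normal activity, and an alert on the mass-encryption pattern is what would trigger the interruption step described above rather than a block on every rename.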
Symantec’s Email Threat Isolation technology provides another layer of protection. This capability will automatically direct users to an isolated, secure, and disposable container where they can safely click on suspect links or interact with questionable websites without infecting the greater enterprise with ransomware or other malware. The technology also prevents users from downloading suspect files and will not allow them to submit their corporate credentials, preventing further attacks.
The Email Threat Isolation and machine learning technologies are bolstered with threat intelligence gathered from Symantec’s Global Intelligence Network, billed as the largest civilian threat database. There are thousands of small clues about whether traffic is good or bad, and the system uses pattern matching and machine learning to interpret incoming emails and prevent future attacks.