Microsoft has just issued a new warning for millions of Windows users, with “threat actors increasingly using [new] tactics aimed at circumventing defense mechanisms.” These attacks have escalated over the last six months, and the company has now issued a detailed set of recommendations.
The attacks, which “misuse legitimate file hosting services, increasingly use defense evasion tactics involving files with restricted access and view-only restrictions.” Ultimately, though, there is still a reliance on a fraudulent website to harvest user credentials—this is the weak point of the attack chain and the best opportunity for users and their enterprises to stop attacks in their tracks.
Which leads to Microsoft’s recommendation to “leverage Microsoft Edge to automatically identify and block malicious websites, including those used in this phishing campaign.” This uses the linkage between Edge and Microsoft Defender SmartScreen to “provide an early warning system against websites that might engage in phishing attacks or attempt to distribute malware through a focused attack.”
Last month I reported on Microsoft issuing this same switch to Edge warning to Chrome users, on that occasion in the wake of a zero-day vulnerability its threat hunters had identified and which had prompted the US government to mandate all federal employees to updater Chrome or cease using the browser completely.
Microsoft’s advisory warned enterprises to encourage the use of “Microsoft Edge and other web browsers that support Microsoft Defender SmartScreen, which identifies and blocks malicious websites, including phishing sites, scam sites, and sites that host malware.” Put more simply—not Google Chrome.
As I commented at the time, “while there is a case for Edge over Chrome with regards to malware protection, it feels somewhat askew for a Microsoft product that competes with Chrome to be recommended in a security advisory for a CVE disclosed by Microsoft, now riding a wave of Chrome generated publicity.”
There isn’t that specific angle this time around, but Microsoft is pushing a joined up, enterprise approach to defending against such business compromises. The company is on a mission to switch Chrome users to Edge, and has been called out in the past for security warnings flashed to users when they install Chrome from a Windows PC. And so, set against that backdrop, this does seems part of that broader campaign.
The use of trusted file-sharing platforms—specifically Dropbox, Sharepoint and OneDrive—is designed to trick employees into opening files that seemingly come with their organization’s security wrap. “The widespread use of such services also makes them attractive targets for threat actors, who exploit the trust and familiarity associated with these services to deliver malicious files and links, often avoiding detection by traditional security measures.”
Such attacks are not new, but the recent twist Microsoft has identified is the use of files with access restricted to the recipient or those with view only settings, both of which are intended to trick enterprise security systems into giving links a pass and to trick users into trusting the malicious a payload.
“Often,” Microsoft says, “users from trusted vendors are added to allow lists through policies set by the organization on Exchange Online products, enabling phishing emails to be successfully delivered.” The attacks themselves have typical objectives—theft of organizational credentials and access to business systems and financial gain.
Because the chain starts with one compromise allowing the attack to originate inside a trusted environment, bad actors can also tune the filenames to appear relevant to ongoing engagements: “familiar topics based on existing conversations… for example, if the two organizations have prior interactions related to an audit, the shared files could be named ‘Audit Report 2024’.” Microsoft has also seen such file names and outreach use urgent headlines to prompt immediate action.
Once the user has run through MFA to access their legitimate file sharing platform, and “the user is successfully authorized and can view a document,” the next step is a a file “often masquerading as a preview, with a malicious link, which is another lure to make the targeted user click the ‘View my message’ access link.”
This link takes the user to the fraudulent website, crafted for the campaign, “where the user is prompted to provide the password and complete multifactor authentication (MFA). The compromised token can then be leveraged by the threat actor to perform the second stage attack and continue the campaign.”
This is where the recommended enterprise use of Edge kicks in, but Microsoft also recommends the use of conditional access policies, which can restrict access based on analysis of various signals and the wider user of Microsoft Defender.
“By understanding these evolving threats and implementing the recommended mitigations,” Microsoft says, “organizations can better protect themselves against these sophisticated campaigns and safeguard digital assets.”
This isn’t the only current push for Windows users to switch to Edge, and we have just seen performance improvements highlighted as part of the campaign. But as I have commented before, the use of this joined-up enterprise approach to defending against business threats is clever. Pushing Edge as a CISO recommendation rather than a user choice would see more users, and if the browser performs maybe Edge will finally eat into Chrome’s staggering domination of the desktop browser market.
