PROTECT OFFICE 365 EMAIL FROM RANSOMWARE 1
Ransomware, like disease, comes in many shapes, forms, and variations.  However, like a physical disease that may infect us, ransomware is never welcomed.  It generally leads to tremendous problems and unexpected consequences.  Ransomware can infect just about any type of resource that has underlying data.

The most well-known type of data that can become infected with ransomware is files.  However, there is another system and data type that ransomware can infect that many may not realize – email.  This includes both on-premises and cloud email such as Exchange Online found in Office 365.  How can you protect Office 365 email from ransomware?

Ransomware is now targeting cloud environments

There is no question that ransomware has evolved from the early days of “CryptoLocker” infecting on-premises workstations and encrypting local and network files.  Attackers are retooling ransomware for the shift in how organizations are building their infrastructure and making use of the cloud for file storage and other business-critical services like cloud email.

They are not only using data encryption but also the threat of data leak as a scare tactic to enforce payment of the ransom.  Examples of these types of ransomware variants that threaten data leak include Doppel paymer and Maze.  The evolution and risks of today’s ransomware are far beyond simple on-premises file encryption.

Also, as concerning as it may be, many organizations begin migrating data to the cloud before they have a proper disaster recovery (DR) plan in place.  Cloud migrations may start as a “test” or “POC” of cloud functionality.  It may be assumed that since it is only a POC, backups are not needed.

However, cloud environments often go from dev/test/POC to production very quickly and without proper transitioning.  On-premises email is generally one of the first business-critical systems migrated to the cloud.  Backups may not be retroactively added.

This leads to a “perfect storm” in the favor of attackers who knowingly capitalize on poorly protected data in cloud environments.  There are two ways to recover from ransomware:

  • Restore from backup
  • Pay the ransom

Attackers are hoping for the latter of the two.  If you have no backup of your cloud data, you really have no recourse to fully recover from a ransomware attack that wipes out data in your cloud environment.  Additionally, with the new threat of data leak that cybercriminals are using, even with the ability to restore from backup, your data is at risk of being leaked.

How are attackers infecting cloud environments with newly evolved ransomware?

How ransomware infects cloud environments

Understanding the attack vector helps you to protect where you are vulnerable.  This is true with ransomware.  Knowing the main attack vectors that cybercriminals are using to infiltrate your environment will help understand the best way to protect it.  Ransomware can infect your cloud environment in the following ways:

  1. Phishing emails
  2. Third-party applications or browser plugins
  3. File synchronization

1.  Phishing emails

According to recent data, the primary way that attackers are using to infect environments with ransomware is by way of phishing email attacks.  Verizon’s Data Breach Investigations Report (DBIR) – 2019, 94% of malware was delivered via email.  Phishing emails, as they are called, lure unsuspecting end users in with the appearance of legitimacy.  The attacker may mimic a well-known vendor, business, or even individual the end user is familiar with.  Most of us, when we feel like we know someone, we let our defenses down.
Once an attacker lures the end user in with a familiar look and feel to an email communication, the end user may be directed to click a link contained in the email or open an attachment.  Once they do, the ransomware infection begins to carry out the malicious activity of infecting the end user’s device and/or cloud environment.

Not long ago, hacker turned security researcher, Kevin Mitnick, demonstrated a new variant of ransomware that he dubbed “Ransomcloud”.  The ransomcloud infection as demonstrated is able to fully encrypt an end user’s cloud email inbox in real-time, right before their eyes.

How is the ransomcloud attack perpetrated?  As demonstrated, an Office 365 end user receives an email in their Exchange Online mailbox that is supposedly from a Microsoft security vendor.  The email directs the end user to grant the permissions needed to perform the cloud email security update.

Unbeknownst the end user, the link is granting the cloud ransomware the permissions needed to encrypt the Exchange online mailbox.  Once the permissions are granted, the attacker has everything needed to begin the encryption process.  Only a few moments later, emails are encrypted in real-time.

Even though cloud SaaS providers like Microsoft are incorporating versioning into cloud file storage like OneDrive for Business, there is no “rollback” mechanism for your cloud email.  Having a strong anti-SPAM and anti-phishing filter or service protecting your mail flow is a key requirement for your organization.  While these are not 100% effective, they generally help to filter out a large majority of malicious emails.

It is also imperative that you take backups of your Office 365 data seriously.  This includes backups of your organization’s Exchange Online email.  Email is a business-critical system that can certainly be disrupted by a cloud ransomware infection.

2.  Third-party applications and browser plugins

A nice feature of cloud SaaS environments like Microsoft 365 is the huge ecosystem of third-party apps and browser plugins.  Third-party apps and browser plugins can greatly extend the capabilities of Microsoft 365 and other cloud SaaS environments like G Suite.

Cloud SaaS environment marketplaces are vast.  If there is a feature or capability your cloud SaaS environment can’t do natively, there is most likely a third-party app that can add this functionality.  However, although third-party apps and browser plugins add a tremendous amount of functionality to your cloud SaaS environment, they also can introduce tremendous security risks.

Risky and even outright malicious third-party apps and browser plugins can easily compromise your cloud SaaS environment, including Microsoft 365.  How could a malicious third-party app introduce ransomware into your Microsoft 365 cloud environment?

As noted with the ransom cloud infection, attackers attempt to get end users to grant elevated permissions to the malicious app.  As it turns out, this is not terribly difficult for an attacker to pull off.  When most of us think about how closely we scrutinize permissions requested by a third-party app that we install on our mobile device, generally permissions are granted without much if any scrutiny.

Cloud environments use what is called OAuth permission delegation.  OAuth permission delegation allows an application to assume the cloud permissions of an end user without needing to know the account password.  This is accomplished by the application being granted a token which allows the app to authenticate to the cloud environment.

While OAuth permissions delegation allows streamlining the process of allowing third-party apps to integrate into cloud environments, it opens up a Pandora’s box of security issues.  Going back to the ransom cloud infection, the user accepting the permissions request of the “security tool” that requested access was the user granting OAuth permissions to the ransomware.  This easily allows the cloud email inbox to be encrypted as the ransomware has all the expressed permissions of the end user.

To protect your Office 365 email and other services like file storage from ransomware, your organization must limit and control the third-party apps and browser plugins that are allowed to access your cloud SaaS environment.

3.  File synchronization

Ransomware, even legacy ransomware, has long threatened cloud environments by means of file synchronization.  File synchronization can lead to encrypted cloud storage, even if the ransomware infection is on-premises.  How?  When ransomware infects files on a local on-premises workstation, those files are then synchronized by tools like OneDrive for Business.

Once the on-premises files are encrypted, the file synchronization utilities like OneDrive for Business simply view this as a change and will start synchronizing the changes.  Once all the encrypted files are synchronized, anyone who has access to the shared cloud storage will be prevented from accessing the potentially business-critical data.

Office 365 Ransomware Protection and Backups

Today’s ransomware variants targeting cloud environments require tools that offer a multi-layer approach to protecting your cloud, including cloud email.  With cloud email like Exchange Online, many IT admins may struggle with how to backup outlook emails in a way that protects end users from a widespread ransomware attack.
With Office 365, there is no native backup mechanism for backing up Exchange Online.  As mentioned earlier, even versioning that is included for OneDrive does not apply to Exchange Online.

If you are wondering how to backup office 365 including cloud email for your organization effectively, SpinOne is a solution that provides one of the most powerful ransomware protection mechanisms for your Office 365 cloud environment.  It uses an artificial intelligence (AI) driven approach that watches and protects your Office 365 environment in real-time.  It provides the following:

  • Automatic, fully-versioned, incremental backups
  • AI-driven ransomware protection module

SpinOne’s AI-driven approach fully automates and orchestrates the protection of your Office 365 environment, including cloud email, using the following automated approach:

  1. SpinOne protects your Office 365 environment, including cloud email with automatic backups
  2. It uses AI to detect a ransomware attack in real time
  3. The source of the ransomware attack is immediately blocked
  4. SpinOne algorithms identify the number of damaged files from the ransomware
  5. Your files are automatically recovered from SpinOne backups

SpinOne provides a dual-pronged, automated approach that combines both effective backups and AI-driven automation to effectively stop ransomware in its tracks before major damage can be inflicted.  The restore process is automated and orchestrated so there is no need for administrator involvement.

Check out a fully-featured trial version of SpinOne for your Office 365 environment here.