Microsoft OneDrive Used for Ransom Operations

Microsoft was called out recently after it was discovered that hundreds of malware files commonly used to launch Conti ransomware attacks are being hosted from their OneDrive cloud storage service. The news highlights once again that Microsoft needs to invest significant time and resources just to get its own security house in order—and why they have no business trying to sell customers cybersecurity solutions to problems they created. 

Target Rich Environment

Microsoft products are a primary target for cyber attacks. I know this firsthand because I started my career conducting offensive nation-state operations that often exploited weaknesses and vulnerabilities in Microsoft software. It’s a simple numbers game. Cyber attackers are going to almost universally attack Microsoft products because Microsoft products make up almost all of the potential targets.

The Windows operating system has a virtual monopoly on the PC market. Microsoft officially released the newest version—Windows 11—just over two weeks ago on October 5. Already there have been 38 vulnerabilities discovered in Windows 11—25 of which are ranked as High or Critical in severity.

That is an average of more than two vulnerabilities discovered per day since its release—including remote code execution and privilege escalation vulnerabilities—in their flagship operating system.

Monetizing Failure

This is obviously a serious issue. It is even more concerning when you consider that organizations and IT security teams have been scrambling all year to put out fires from major security events that have targeted Microsoft flaws. Major attacks like SolarWinds, Colonial Pipeline, and HAFNIUM were made possible in large part thanks to Microsoft vulnerabilities.

If Microsoft products are the primary attack vector, and Microsoft vulnerabilities are one of the leading reasons that cyber attacks succeed, why does Microsoft have the audacity to think they should be selling customers cybersecurity tools?

You are paying tons of money for the Microsoft products and platforms in the first place. It doesn’t make sense to turn around, pay even more, and trust Microsoft to protect you when they can’t even defend their own software.

It’s like if General Motors sold you a car with bald tires, defective brakes, and no seat belts, and then offered to sell you roadside assistance and automobile insurance to “protect” you from the inevitable damage that would occur.

Kevin Beaumont—a former Microsoft threat intelligence analyst—declared on Twitter, “Microsoft are the world leaders in monetizing their own failure.” Beaumont also stated, “Microsoft cannot advertise themselves as the security leader with 8000 security employees and trillions of signals if they cannot prevent their own Office365 platform being directly used to launch Conti ransomware.”

Effective Security

You wouldn’t take diet and fitness tips from someone who is out of shape, smoking a cigarette, and selling you ice cream. You wouldn’t buy fire detection and prevention equipment from an arsonist. So you shouldn’t trust Microsoft to provide effective cybersecurity while they continue to flood the market with vulnerabilities and host malware from their own platforms.

Microsoft platforms and products are pervasive. It’s impractical for most organizations to even try to be free of Microsoft, and I don’t believe that should even be a goal. That said, Microsoft needs to focus on creating products that are more secure and stop coercing customers into accepting inferior security solutions through its E5 "bundled" licensing model. It is not even close to good enough security.

You can keep using Microsoft platforms and products, but we need to disrupt this destructive pattern with technical innovation, and the technology exists today. Put in place an operation-centric solution that provides visibility and context into entire malicious operations. That capability lets you take immediate action to shut down malicious activity before damage is done. With effective security in place, you can defend your environment from endpoints to everywhere, no matter what.

Lior Div
About the Author

Lior Div, CEO and co-founder of Cybereason, began his career and later served as a Commander in the famed Unit 8200. His team conducted nation-state offensive operations with a 100% success rate for penetration of targets. He is a renowned expert in hacking operations, forensics, reverse engineering, malware analysis, cryptography and evasion. Lior has a very unique perspective on the most advanced attack techniques and how to leverage that knowledge to gain an advantage over the adversary. This perspective was key to developing an operation-centric approach to defending against the most advanced attacks and represents the direction security operations must take to ensure a future-ready defense posture.