The Latest Check Point News
Product and Solution Information, Press Releases, Announcements
|Check Point CloudGuard SaaS protects customers from a new attack vector exploiting SLK files to install malware|
|Posted: Fri Jul 10, 2020 10:35:38 AM|
An internal security analysis revealed a new attack method, which bypasses default security (EOP) and advanced security (ATP) layers. This was detected when analysts noticed a suspicious increase in .slk files sent to some Office 365 accounts a couple of weeks ago.
In the attack, cyber criminals send an email with an attachment in the form of a .slk file that contains a malicious macro (MSI executable script), allowing them to control infected machines remotely, by installing a Remote Access Trojan. This attack is extremely sophisticated, and meticulously designed to bypass security tools.
How does the attack bypass advanced protection?
The attack specifically targets some Office 365 accounts. The email body and the malicious attachment are constructed in such a way that easily tricks users to believe the email came from a customer or partner they know, and therefore increases the likelihood of them opening the SLK file.
A quick explanation about SLK files: these outdated files are a Microsoft human-readable, text-based spreadsheet format. They were used as an open-format alternative to proprietary XLS files, before XLSX was introduced in 2007. In this attack, the hackers use these files since they look like normal Excel sheets to the end user, while allowing the hackers to bypass Advanced Threat Protection (ATP).
The first version of this kind of SLK files attacks were seen in 2018 and were eventually blocked by Microsoft ATP. However, this new attack includes a few obfuscation methods specifically crafted to bypass Microsoft’s ATP:
What can these malicious emails do?
If the attack is successful, the cyber criminals can control the infected machine and access all the information on it, whether it is sensitive data, confidential files, saved passwords and even saved payment methods, all potentially leading to critical business disruption and financial losses.
How does Check Point CloudGuard SaaS protect impacted Office 365 customers?
Check Point CloudGuard SaaS customers are protected from these kinds of attacks. CloudGuard SaaS blocks these attacks by leveraging its advanced sandboxing technology, Threat Emulation. As seen in the report below, there were several indicators ranging from file system events to network events that caused the attack to be flagged as malware, and therefore blocked.
Sign up for Check Point's live webinar to learn more about how CloudGuard SaaS blocks the most advanced attacks.
Furthermore, CloudGuard SaaS admins can gain additional insights by examining the emulation videos as well as the way the malware behaved over time. This type of advanced analytics allows administrators to not only become more educated about the attacks their organizations are facing, but also know that they have a security product that they can trust.
To get the best results, it is recommended to put CloudGuard SaaS in Prevent (Inline) mode. This way the attack will be stopped before it can ever reach the users’ mailboxes.