Microsoft security analyst says Office 365 knowingly hosted malware

Alexandru Poloboc
by Alexandru Poloboc
News Editor
With an overpowering desire to always get to the bottom of things and uncover the truth, Alex spent most of his time working as a news reporter, anchor, as well as TV and radio... Read more
Affiliate Disclosure
  • Microsoft is again at the center of a huge high-risk scandal.
  • A former security analyst decided to expose the tech giant.
  • Office 365 has been intentionally hosting malware for years.
  • This could actually be a massive hit for the Redmond company.
office 365 malware

Hold on to your seats and keep your arms inside the carriage at all times, because this ride is about to get bumpy.

A British tech researcher, who quit working as a security threat analyst with Microsoft a few months back, has called on his former employer to act swiftly and remove links to ransomware on its Office365 platform.

Bet you didn’t see that coming, did you?

Former Microsoft employee exposes ransomware scheme

In a tweet sent on Friday, Beaumont said that Microsoft cannot advertise themselves as the security leader with 8000 security employees and trillions of signals if they cannot prevent their own Office365 platform from being directly used to launch Conti ransomware.

He was, of course, responding to a tweet from an infosec professional using the handle TheAnalyst.

According to the security company Palo Alto Networks, BazarLoader (sometimes referred to as BazaLoader) is malware that provides backdoor access to an infected Windows host.

After a client is infected, criminals use this backdoor access to send follow-up malware, scan the environment and exploit other vulnerable hosts on the network.

An overwhelming majority of ransomware attacks only Windows, with an analysis by the staff of the Google-owned VirusTotal database last Thursday showing that 95% of 80 million samples were analyzed. 

VirusTotal is a site where security researchers can submit any ransomware they find and have it scanned by anti-virus engines to see if it can be identified.

Beaumont, who has a well-earned reputation as a researcher who is quick to admit faults in his own industry, acknowledged that other technology companies also played a big role in hosting malware.

He also said that there’s somebody in the replies from Microsoft saying when things are detected by Defender, they’re automatically taken down in OneDrive.

That’s categorically not true, that functionality isn’t there. Microsoft needs to have a long, hard look at this problem.

Bazarloader had moved from Google Drive to OneDrive, according to these recent allegations.

Their content used to be taken down from Google Drive almost instantly because, we, Microsoft, reported it to Google. It is still online, days later, on OneDrive despite being reported, because Microsoft is fumbling it. Fix it.

Asked by Lee Holmes, the principal security architect for Azure Security, whether he had reported this to Microsoft, Beaumont said the Swiss researcher had done so.

I had to do things list send to CERT, get nowhere, send to DSRE, get nowhere, cc in managers etc. O365 has https://abuse.ch takedowns pending for months.

Beaumont added that Microsoft’s attitude towards the presence of malware on its Office365 platform had been like that for years.

However, this is not a Microsoft-exclusive problem nor a new issue, as we have seen malware hosted on other platforms in the past. 

According to research by the Bern University of Applied Sciences, Google and Cloudflare are currently among the top online malware-hosting networks.  

As such, the entire tech industry needs to be better about finding malicious content hosted on its servers before looking elsewhere for problems. 

In any case, hopefully, this incident will drive Microsoft to decisive action that can help protect millions of people and thousands of organizations from debilitating malware attacks.

What’s your take on this whole situation? Share your opinion with us in the comment section below.

This article covers:Topics: