Many organizations were impacted by a ransomware attack known as WannaCry. While Microsoft’s threat analysts have found that thus far WannaCry spreads mostly over local networks and the Internet, and while we are not seeing the campaign propagating via email, the attacks have the potential of leveraging common email phishing tactics and/or emails which include malicious attachments. Customers should exercise vigilance when opening documents from untrusted or unknown sources.
In March, Microsoft released a security update which addresses the vulnerability that these attacks are exploiting. Customers who have Windows Update enabled are protected against attacks on this vulnerability. For those organizations who have not yet applied the security update, we suggest you immediately deploy Microsoft Security Bulletin MS17-010. Additionally, Microsoft has provided a security update for all customers to protect Windows platforms that are in custom support only, including Windows XP, Windows 8, and Windows Server 2003. Customers running Windows 10 were not targeted by the attack.
For our customers using Office 365, please note how the following services can help protect you against WannaCry attacks:
Exchange Online Protection (EOP): While we are not currently seeing a WannaCry email campaign in Office 365 EOP, we have updated anti-virus signatures to block WannaCry to help protect our customers. We will continue making updates to our anti-virus signatures in EOP based on known file hashes for this malware.
Advanced Threat Protection (ATP): ATP should catch new variants of WannaCry if email is leveraged as an attack vector. We’ve confirmed this by analyzing the WannaCry malware in ATP. When we detect any new variant in ATP, we will subsequently update the signatures in EOP. Office 365 ATP also works with Windows Defender ATP to help protect users and systems from attacks.
To ensure optimal performance of EOP/ATP it is very important to check that EOP is properly configured. Follow these EOP configuration guidelines and these best practices.
Office 365 Threat Intelligence (TI) can help show emails that were part of the WannaCry campaign. While some early reports indicated the use of common phishing techniques, masquerading as wire transfer requests, invoices and delivery notifications, Office 365 Threat Intelligence can be used to search for the malware family “Win32/WannaCrypt” in the event that any emails related to WannaCry targeted your tenant. To identify messages that were involved in the WannaCry campaign:
1. Go to the Office 365 Security and Compliance center
2. Under “Threat Management” click on the “Threat Explorer” option
3. Once in Threat Explorer search for the malware family “Win32/WannaCrypt”
4. If an instance of WannaCry entered your tenant through Office 365, it will show up in the graph
Office 365 Advanced Security Management: You can create an activity policy that detects whether a user renames/syncs/uploads multiple files with the file extension .wncry (or any other extension) to Office 365, and automatically suspends the user’s account to help stop further encrypted files from being transferred. For more details, please review the “Detect ransomware activity” section of the Advanced Security Management Use Case and Usage Guide.
1. On the Policies page, click Create activity policy
2. In the Policy Template field, choose Potential ransomware activity
3. Optional: check the Suspend user option
4. Click on Create
To simulate an alert, simply rename the file extension for one or more files per the policy configuration above. The alert should be triggered shortly.
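As an added illustration (not Advanced Security Management’s own logic), the following Python sketch applies the same kind of rule to constructed Office 365 audit-style events: it counts renames, uploads and sync uploads of files ending in .wncry per user within a short window and reports the users who cross a threshold, which is the point at which the policy above would suspend the account. The event field names, the three-event threshold and the five-minute window are assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample activity log (not real telemetry). Each tuple is
# (timestamp, user, operation, file name); field names are assumed.
SAMPLE_ACTIVITY = [
    ("2017-05-12T09:00:05", "alice@contoso.example", "FileRenamed", "budget.xlsx.WNCRY"),
    ("2017-05-12T09:00:07", "alice@contoso.example", "FileRenamed", "plan.docx.WNCRY"),
    ("2017-05-12T09:00:09", "alice@contoso.example", "FileUploaded", "notes.txt.wncry"),
    ("2017-05-12T09:00:12", "alice@contoso.example", "FileSyncUploadedFull", "q2.pptx.WNCRY"),
    ("2017-05-12T09:03:00", "bob@contoso.example", "FileRenamed", "old.wncry"),
    ("2017-05-12T10:15:00", "carol@contoso.example", "FileUploaded", "report.pdf"),
]

# Extensions the policy watches (matched case-insensitively) and the
# operations that count as "rename/sync/upload".
SUSPECT_EXTENSIONS = (".wncry",)
WATCHED_OPERATIONS = {"FileRenamed", "FileUploaded", "FileSyncUploadedFull"}


def flag_ransomware_activity(events, threshold=3, window=timedelta(minutes=5)):
    """Return {user: max_events_in_window} for users whose matching events
    reach `threshold` inside any sliding `window`; these are the accounts
    the activity policy would suspend."""
    per_user = defaultdict(list)
    for ts, user, op, name in events:
        if op in WATCHED_OPERATIONS and name.lower().endswith(SUSPECT_EXTENSIONS):
            per_user[user].append(datetime.fromisoformat(ts))

    flagged = {}
    for user, times in per_user.items():
        times.sort()
        start, best = 0, 0
        for end, t in enumerate(times):
            # Slide the window start forward until it covers at most `window`.
            while t - times[start] > window:
                start += 1
            best = max(best, end - start + 1)
        if best >= threshold:
            flagged[user] = best
    return flagged


if __name__ == "__main__":
    for user, count in flag_ransomware_activity(SAMPLE_ACTIVITY).items():
        print(f"suspend candidate: {user} ({count} .wncry events within 5 minutes)")
```

Bob’s single rename stays below the threshold, so only the burst of four events from the first account is reported.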
If you suspect that any WannaCry emails have landed in your users’ inbox, go to the Microsoft Malware Protection Center for instructions on how to submit samples so that we can further investigate and provide recommendations and next steps.
For more details about WannaCry please read our posts at the Microsoft Security Response Center and Microsoft Malware Protection Center.