There has been a lot of media attention concerning the recent Microsoft Exchange server vulnerabilities that cybercriminals are exploiting to execute their malicious ransomware attacks. As a result, many organizations still holding on to their on-premises email infrastructure environments are considering migrating to Microsoft 365 (formerly known as Office 365) to lessen their risk exposure.
This raises the question of whether online Exchange is also vulnerable to ransomware. Are you simply trading one vulnerable ecosphere for another when migrating to Microsoft 365?
The World’s Biggest Target
First and foremost, the locally maintained Exchange environment of a typical SMB is certainly more vulnerable to a ransomware attack than Exchange Online. Many organizations don’t have personnel dedicated to keeping their Exchange systems fully patched and up to date; Microsoft does, and it is poor patching practices that attackers so widely exploit. Microsoft 365, on the other hand, is a security fortress, protected by large teams of highly skilled cybersecurity specialists.
That doesn’t make Microsoft 365 impenetrable, however. The irony is that with so many organizations consolidating their Exchange environments into a single online multi-tenant environment, it creates an almost irresistible target. Once the low-hanging fruit is gone, hackers are forced to direct their efforts toward beating the Microsoft 365 system.
Why On-Premises Attacks are More Effective
There have been instances in which an organization fell victim to a ransomware attack that involved Microsoft 365. In most cases, the involvement was simply due to collateral damage, i.e., the perpetrators of the attack didn’t target it.
An attack levied against a company’s Microsoft 365 system currently looks something like this:
- An attacker launches a credential stuffing attack or phishing attempt against privileged users within the organization, leading to the compromise of those credentials.
- This grants them access to the user’s OneDrive account or SharePoint library, allowing them to exfiltrate those files for extortion.
- They can then take advantage of synchronization mechanisms by encrypting the files locally. Not only are the encrypted files synchronized back to the online repository, but the encryption also spreads to any other users who synchronize those files to their local machines.
While the file versioning feature of the online file applications gives users the ability to easily revert to a clean prior version, it is far from foolproof. Using the user’s privileges, an attacker can simply disable the versioning feature, or manipulate it in such a way that circumvents the available fallback strategy.
While this scenario is certainly a real and viable threat, it has a major shortcoming—it’s incredibly slow. It’s far faster to encrypt files in rapid succession from within the network itself, rather than depending on online synchronization services. The longer an attack takes to be implemented, the greater the chance of it being detected by someone.
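Seen from the defender’s side, the slowness of the sync-driven scenario above is exactly what makes it visible: one account rewriting and renaming many files within a few minutes. The script below is an added example (not part of the original article) that runs a simple per-user burst detector over constructed records shaped like Microsoft 365 Unified Audit Log entries for OneDrive/SharePoint; the field names, the five-minute window and the threshold of 50 operations are assumptions to adapt to your own export.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed audit records modelled on the shape of Unified Audit Log entries for
# SharePoint/OneDrive file activity. Field names are an assumption; adjust to your export.
def _constructed_events():
    base = datetime(2021, 3, 10, 9, 0, 0)
    events = []
    # Normal activity: a user edits a handful of files over an hour.
    for i in range(4):
        events.append({"CreationTime": base + timedelta(minutes=15 * i),
                       "UserId": "alice@example.com", "Operation": "FileModified",
                       "SourceFileName": f"report{i}.docx"})
    # Ransomware-like activity: one account rewrites and renames many files within
    # minutes, which is what a sync client pushes up after files are encrypted locally.
    for i in range(30):
        t = base + timedelta(minutes=20, seconds=4 * i)
        events.append({"CreationTime": t, "UserId": "mallory@example.com",
                       "Operation": "FileModified", "SourceFileName": f"q{i}.xlsx"})
        events.append({"CreationTime": t, "UserId": "mallory@example.com",
                       "Operation": "FileRenamed", "SourceFileName": f"q{i}.xlsx",
                       "DestinationFileName": f"q{i}.xlsx.locked"})
    return events

# Operations that change file content or names; these are what mass encryption produces.
WRITE_OPS = {"FileModified", "FileRenamed", "FileUploaded"}

def detect_bursts(events, window=timedelta(minutes=5), threshold=50):
    """Return {user: (first_alert_time, count, new_extensions)} for every user whose
    write/rename operations reach `threshold` inside any sliding `window`."""
    per_user = defaultdict(deque)
    alerts = {}
    for ev in sorted(events, key=lambda e: e["CreationTime"]):
        if ev["Operation"] not in WRITE_OPS:
            continue
        q = per_user[ev["UserId"]]
        q.append(ev)
        while ev["CreationTime"] - q[0]["CreationTime"] > window:  # drop stale events
            q.popleft()
        if len(q) >= threshold and ev["UserId"] not in alerts:
            # Extensions appearing in renames hint at an encryptor appending its own suffix.
            exts = {e["DestinationFileName"].rsplit(".", 1)[-1] for e in q
                    if e["Operation"] == "FileRenamed" and "DestinationFileName" in e}
            alerts[ev["UserId"]] = (ev["CreationTime"], len(q), sorted(exts))
    return alerts

if __name__ == "__main__":
    for user, (when, count, exts) in detect_bursts(_constructed_events()).items():
        print(f"ALERT {user}: {count} write/rename ops by {when:%H:%M:%S}; new extensions {exts}")
```

Alice’s four edits never approach the threshold, while Mallory trips the alert on the 50th operation, roughly a minute and a half into the burst.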
Moving Targets
While Exchange Online is vulnerable to ransomware attack, attacking it isn’t practical—yet. Ransomware gangs are currently much better off targeting on-premises installations, but that doesn’t mean things won’t change. Cybersecurity is a moving target because of the dynamic nature of the threat landscape, and you can be confident that hackers are working on a solution to this challenge right now.