Search This Blog
Powered by Blogger.

Blog Archive

Labels

Footer About

Footer About

Labels

Load More
Trendy Right Now

Popular Posts

Showing posts with label Microsoft Outlook security. Show all posts
Microsoft Outlook security
Bug Fixes Cyber Attacks Microsoft Microsoft Outlook security

Microsoft Probes Outlook Bug Blocking Encrypted Emails Across Tenants

 

Microsoft is investigating a newly identified issue that prevents users of the classic Outlook client from opening encrypted emails sent by other organizations. 

The company confirmed the problem in a recently updated support document, noting that the bug affects customers across all Office release channels. 

According to Microsoft, users attempting to access such emails may encounter the error message: “Configuring your computer for Information Rights Management.” The glitch impacts OMEv2 (Office Message Encryption version 2) messages when sent across different tenants, creating disruptions for enterprise communication. 

Temporary workaround provided 

While the root cause is still under review, Microsoft has issued a temporary fix. Impacted organizations can either exclude external users from Conditional Access policies or enable cross-tenant settings that allow authentication tokens to be trusted between Entra tenants. 

The company recommends the second option as the simpler solution. Administrators can enable cross-tenant access by navigating to the “Inbound access settings – Default settings” page in the Microsoft Entra admin center, selecting “Trust settings,” and then enabling “Trust multifactor authentication from Microsoft Entra tenants.” 

Microsoft cautioned, however, that this workaround only ensures encrypted emails sent from an organization can be opened by others. 

To access encrypted messages received from a different tenant, the sending organization must also apply the same configuration. Ongoing investigation The Outlook and Purview teams are currently working on a permanent resolution. 

Microsoft has assured customers that updates will be shared once more information is available. 

This is the latest in a string of Outlook-related bugs addressed by Redmond (a global headquarter of Microsoft) this year. 

In June, the company resolved a crash affecting the classic Outlook client when opening or composing emails. Later, in August, it mitigated an Exchange Online issue that blocked mobile users relying on Hybrid Modern Authentication. 

With encrypted communications becoming central to enterprise security, a swift resolution will be crucial to ensure seamless cross-tenant collaboration.
Read more »
Microsoft Outlook security
Advanced persistent threats (APT) Cyber-Espionage Data malware Malware Detection Microsoft Outlook security

Cyber-Espionage Malware FinalDraft Exploits Outlook Drafts for Covert Operations

 

A newly identified malware, FinalDraft, has been leveraging Microsoft Outlook email drafts for command-and-control (C2) communication in targeted cyberattacks against a South American foreign ministry.

Elastic Security Labs uncovered the attacks, which deploy an advanced malware toolset comprising a custom loader named PathLoader, the FinalDraft backdoor, and multiple post-exploitation utilities. By exploiting Outlook drafts instead of sending emails, the malware ensures stealth, allowing threat actors to conduct data exfiltration, proxying, process injection, and lateral movement while minimizing detection risks.

The attack initiates with the deployment of PathLoader—a lightweight executable that runs shellcode, including the FinalDraft malware, retrieved from the attacker's infrastructure. PathLoader incorporates security mechanisms such as API hashing and string encryption to evade static analysis.

Stealth Communication via Outlook Drafts

FinalDraft facilitates data exfiltration and process injection by establishing communication through Microsoft Graph API, transmitting commands via Outlook drafts. The malware retrieves an OAuth token from Microsoft using a refresh token embedded in its configuration and stores it in the Windows Registry for persistent access. By leveraging drafts instead of sending emails, it seamlessly blends into Microsoft 365 network traffic, evading traditional detection mechanisms.

Commands from the attacker appear in drafts labeled r_, while responses are stored as p_. Once executed, draft commands are deleted, making forensic analysis significantly more challenging.

FinalDraft supports 37 commands, enabling sophisticated cyber-espionage activities, including:

  • Data exfiltration: Extracting sensitive files, credentials, and system information.
  • Process injection: Running malicious payloads within legitimate processes such as mspaint.exe.
  • Pass-the-Hash attacks: Stealing authentication credentials to facilitate lateral movement.
  • Network proxying: Establishing covert network tunnels.
  • File operations: Copying, deleting, or modifying files.
  • PowerShell execution: Running PowerShell commands without launching powershell.exe.

Elastic Security Labs also detected a Linux variant of FinalDraft, which utilizes Outlook via REST API and Graph API while supporting multiple C2 communication channels, including HTTP/HTTPS, reverse UDP & ICMP, bind/reverse TCP, and DNS-based exchanges.

The research team attributes the attack to a campaign named REF7707, which primarily targets South American governmental entities. However, infrastructure analysis indicates links to Southeast Asian victims, suggesting a larger-scale operation. The investigation also revealed an additional undocumented malware loader, GuidLoader, designed to decrypt and execute payloads in memory.

Further examination showed repeated attacks on high-value institutions via compromised telecommunications and internet infrastructure in Southeast Asia. Additionally, a Southeast Asian university’s public-facing storage system was found hosting malware payloads, potentially indicating a prior compromise or a foothold in a supply chain attack.

Security teams can utilize YARA rules provided in Elastic’s reports to detect and mitigate threats associated with GuidLoader, PathLoader, and FinalDraft. The findings underscore the increasing sophistication of cyber-espionage tactics and the need for robust cybersecurity defenses.
Read more »
Subscribe to: Comments (Atom)