Despite fair warning, Microsoft has allowed an old Excel format, .SLK, to get past its email security and deliver malicious attachments that run code in Excel for Windows.
As reported by Avanan, criminals have found a way to bypass the email security for Office 365 hosted mailboxes (possibly Outlook.com as well), allowing a malicious attachment to reach Microsoft's customers.
The attackers have crafted the .SLK files to bypass Microsoft's much-hyped ATP (Advanced Threat Protection). Even though the obfuscation tricks are relatively simple and well-known, in combination they fool ATP completely, which lets the attachment through to customers.
The .SLK attachment isn't stopped by Office Protected View either, which is supposed to stop code running from documents that came from external sources. Instead the .SLK attachment opens straight into Excel and can run code on the computer.
The infected emails seem to be very specifically targeted to companies and even individuals. Unlike most attacks which send out thousands or millions of emails, these attacks appear to be manually written or adapted to each target.
The attachment looks like an Excel file (from the icon) but it's really a .SLK file. That's a very old format, long obsolete, that Excel still supports and, amazingly, trusts.
SLK (SYLK, "Symbolic Link") files are spreadsheets in plain text. The records can fill cells with values and formulas, and those formulas can include Excel 4.0 macro functions that run programs on the computer. It's this second part that makes them so dangerous.
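To make the format concrete, here is an added example (not code from the article, from Microsoft or from Avanan) in Python that recognises a SYLK file by its content rather than its extension and flags the records that let it run code: the O;E option that marks the sheet as an Excel 4.0 macro sheet, a name record defining Auto_open, and cell formulas calling macro functions such as EXEC. The two sample files are constructed, the first following the macro-sheet layout described in public research on SYLK abuse; the record names and the short list of dangerous functions are my reading of the SYLK layout and Excel 4.0 macros, not something the article documents.

```python
"""
Triage for SYLK (.slk) attachments.

SYLK is line-oriented plain text: each line is a record whose type is the
first field and whose remaining fields are separated by ';' (a literal ';'
inside a field is written as ';;').  The records that matter here:
  O;E                  option record marking the sheet as an Excel 4.0 macro sheet
  NN;NAuto_open;E...   name record defining Auto_open (runs when the sheet opens)
  C;...;E<formula>     cell record whose E field holds a formula; Excel 4.0
                       macro functions such as EXEC() or CALL() live here
Added example, not code from the article, Microsoft or Avanan.
"""
import re

SYLK_MAGIC = b"ID;P"   # every SYLK file starts with the ID record, e.g. ID;PWXL

# Excel 4.0 macro functions that reach outside the workbook. Short list;
# extend to taste (assumption: this covers the common first-stage calls).
DANGEROUS_FUNCS = {"EXEC", "CALL", "REGISTER", "RUN", "FOPEN", "FWRITE", "FREAD", "FORMULA"}
FUNC_RE = re.compile(r"\b([A-Z][A-Z0-9.]*)\s*\(")


def is_sylk(data: bytes) -> bool:
    """Recognise SYLK by content, so a file renamed to .csv/.txt/.xls is caught too."""
    return data.lstrip(b"\xef\xbb\xbf\r\n\t ").startswith(SYLK_MAGIC)


def split_fields(line: str) -> list:
    """Split a record on ';', treating ';;' as an escaped literal semicolon."""
    out, cur, i = [], "", 0
    while i < len(line):
        if line[i] == ";":
            if line[i + 1:i + 2] == ";":
                cur += ";"
                i += 2
                continue
            out.append(cur)
            cur = ""
        else:
            cur += line[i]
        i += 1
    out.append(cur)
    return out


def analyze(data: bytes) -> dict:
    """Parse the records and collect the indicators that let a SYLK sheet run code."""
    result = {"is_sylk": False, "macro_sheet": False, "auto_open": False,
              "formula_cells": 0, "dangerous_calls": []}
    if not is_sylk(data):
        return result
    result["is_sylk"] = True
    for line in data.decode("latin-1").splitlines():
        if not line.strip():
            continue
        rtype, *fields = split_fields(line)
        if rtype == "O" and "E" in fields:
            result["macro_sheet"] = True
        elif rtype == "NN":
            # Auto_open / Auto_close / Auto_activate names run without a click
            if any(f.startswith("N") and f[1:].lower().startswith("auto_") for f in fields):
                result["auto_open"] = True
        elif rtype == "C":
            for f in fields:
                if f.startswith("E"):            # E<formula>
                    formula = f[1:]
                    result["formula_cells"] += 1
                    for fn in FUNC_RE.findall(formula.upper()):
                        if fn in DANGEROUS_FUNCS:
                            result["dangerous_calls"].append((fn, formula))
    return result


def verdict(r: dict) -> str:
    """Map the indicators to a gateway decision."""
    if not r["is_sylk"]:
        return "not SYLK"
    if r["dangerous_calls"] or (r["macro_sheet"] and r["auto_open"]):
        return "block"
    if r["macro_sheet"] or r["formula_cells"]:
        return "review"
    return "allow"


# Constructed samples (not real captures). The first follows the macro-sheet
# layout described in public research on SYLK abuse; it would launch calc.exe.
MACRO_SLK = b"""ID;PWXL;N;E
P;PGeneral
O;E
NN;NAuto_open;ER1C1
C;X1;Y1;K0;EEXEC("calc.exe")
E
"""
BENIGN_SLK = b"""ID;PWXL;N;E
P;PGeneral
C;Y1;X1;K3
C;Y2;X1;K4
C;Y3;X1;K7;ESUM(R1C1:R2C1)
E
"""

if __name__ == "__main__":
    for name, blob in (("macro.slk", MACRO_SLK), ("benign.slk", BENIGN_SLK),
                       ("renamed.xlsx", b"PK\x03\x04...")):
        r = analyze(blob)
        print(f"{name:12} {verdict(r):9} {r}")
```

Because the check keys on the ID;P header, the same logic at a mail gateway catches SYLK content that arrives under a .csv, .txt or .xls name, which an extension-only block list would let through. Plain formulas are only flagged for review, since a legitimate SYLK export can contain SUM() and friends without being a macro sheet.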
Bypassing Microsoft email checks
The hackers use Microsoft Hotmail.com addresses to send the malicious emails to other mailboxes hosted by Microsoft (Office 365 hosting and perhaps Outlook.com). A throwaway Hotmail account is created and used to send a few messages, then they switch to another Hotmail address.
That appears to bypass some of Microsoft's security checks. Because the message is sent between mailboxes hosted by Microsoft, it seems to be trusted more than mail from an external source.
Using Hotmail also lets the hackers test whether their emails will get through. The same scanning is applied to messages sent from and received at Microsoft-hosted mailboxes, so if the hackers can send a malicious email from Hotmail without being blocked, they know it is very likely to reach the victim's Inbox.
Microsoft's Advanced Threat Protection (ATP) fails to detect the malicious .SLK files. These plain text files are written to fool ATP. Some of the tricks are well-known and very simple but apparently enough to bypass ATP. See the Office 365 baseStriker vulnerability for just one example of a simple bypass.
.SLK files should be blocked by Microsoft.
As we'll see, they are known to be dangerous. Google's Gmail blocks .SLK attachments. Microsoft is probably reluctant to block a file format it created, despite the security risk and how rarely the format is legitimately used today.
Bypassing Excel Protected View
When you open an Office document from the web or an email attachment, it's supposed to open in Protected View, which prevents macros running or editing unless you specifically allow it.
Protected View is the last line of defence against a nasty document … or it should be.
.SLK files bypass Protected View!
Amazingly, .SLK files are not checked or blocked by Excel. Not even in the latest Excel 365 for Windows.
We made a simple .SLK file (it’s a plain text file) and opened it in Excel 365. It loaded into Excel with no Protected View warning, even when opened from an email attachment.
Yes, this is 2020.
Yes, we’ve been hearing about Microsoft’s commitment to security for well over a decade.
Yes, these gaping holes in Office security are still there.
Microsoft has known about the risks in .SLK files but done nothing about them. This isn't the first time .SLK files have been used by hackers.
Back in November 2019 we talked about a long-standing Office for Mac security bug that had just been revealed. It let SLK files run macros in Excel for Mac even though the security settings were supposed to block macros and warn the user.
Microsoft's recommendation then was to use email security filters to block .SLK files. They said that with no apparent irony and notably didn't take their own advice with ATP.
What to do?
Network admins should seriously consider adding .SLK to the list of blocked incoming email attachments. Block on content as well as extension where the gateway allows it: a SYLK file starts with the text ID;P, so it can be recognised whatever name it arrives under. Consider also removing the file association that opens .SLK in Excel and shows a deceptive green Excel icon.
Individual users should always check the file extension of an incoming file, not just the icon. Beware of .SLK files and also old-style Office documents with three-letter extensions such as .XLS, .PPT and .DOC (see Why Old Office documents should be banned).