
Cyber101: OneDrive Hosting Malicious Files

One of our readers asked: “I saw an article online that said that OneDrive was hosting a ton of malicious files. Is that true? Do I need to be worried?”

You were probably referring to this article from BleepingComputer: “Microsoft OneDrive Has 60% Jump in Hosting of Malicious Files”. The headline is not incorrect, but the worry factor is limited. Let’s take a look at what’s going on and how to protect yourself.

OneDrive, Dropbox, Box, and many other file sharing services exist on the web to hold, back up, and sync your files across desktops, laptops, and mobile devices. These services are great – for non-confidential information – and offer a wonderful way to keep things handy and safe. All three of the big players use encryption to secure your data while it moves back and forth, and also “at rest” – when the data isn’t moving, but rather is sitting in the cloud system waiting for you to access it. Businesses around the country and the world use these services to share data between employees, and even with customers, so no doubt you will interact with them at some point even if you don’t use them yourself.

The issues discussed in the article stem from two specific circumstances that make Microsoft OneDrive a prime target for threat actors to use for a variety of different kinds of cyber attacks. First, as a file storage and sharing platform geared toward business (as part of the Office 365 platform), OneDrive is allowed through most corporate firewalls and other security platforms. After all, since employees use it in official capacities to do work, the network has to allow it to run. Second, since so many employees use OneDrive, if an employee gets infected with malware there is at least a good chance that some of that malware will end up in a OneDrive folder – which leads to it ending up in the OneDrive service.

Starting with the first circumstance, OneDrive is a de facto standard for Microsoft Office file sharing and syncing in an overwhelming number of corporate infrastructures. Employees use OneDrive to collaborate on Word, Excel, and PowerPoint documents; they sync documents to and from different desktops, laptops, and mobile devices; and they back up data to OneDrive in case anything happens to any of those devices. Because of this, most companies have set up their networks and firewalls to allow OneDrive data to flow in and out, since otherwise the system wouldn’t be of much use to the employees. As such, OneDrive is also an attractive place for a threat actor to store malware intended for use against those employees via poisoned links or malicious emails. Since the file the attacker wants the employees to download and run is already in OneDrive, the service won’t be blocked from delivering that file to the target.

Additionally, many forms of malware replicate themselves and/or change data on a victim’s laptop/desktop. Since that victim may be syncing to OneDrive (and probably is if it’s a corporate computer), files that become infected and even the malware itself can easily end up synced to OneDrive. If the employee is syncing a shared folder, then the malware can end up getting shared with multiple other employees who all use that same folder.

Even with a significant increase in malware found in OneDrive, protecting yourself is fairly straightforward:

- Keep your computer up to date, and your mobile devices as well.
- Keep anti-malware software running on your devices, and keep it updated.
- Do not click on links in email. Go to the site in your browser manually and log in, then find the item you need.
- Don’t open attachments whose contents you do not already know. Email (start a new email rather than replying) or call the person who sent it and confirm it.

If those sound familiar, that’s because they’re the same online hygiene tips we talk about quite a bit here. In this case, following those same guidelines will also protect you from attacks coming from OneDrive.

Microsoft OneDrive has become a critical component of many workplaces. Sharing files, collaborating on documents, and backing up data are all necessary in the modern workplace; and OneDrive allows you to do them all. Just don’t consider something safe by default when it comes from OneDrive – treat it like any other file or link you get from the rest of the web and you’ll be fine.

*Mike Talon is a Cybersecurity Architect and Journalist in New York. He’s currently working as the Solution Architect for the Greater New York City Area for SKOUT CYBERSECURITY.*