Experts blame Microsoft for not fighting malware Microsoft for not fighting malware

Well-known cybersecurity expert Kevin Beaumont, who worked at Microsoft as a threat analyst (from June 2020 to April 2021), criticized the company for not fighting malware and abuse of OneDrive and Office 365.

The fact is that Microsoft services are constantly being used to host malware. Usually, OneDrive accounts are used for this, which may have been created specifically for this purpose or stolen from legitimate users. It is also common to see malware hosted on corporate Office 365 accounts that have previously been compromised.

It all started with a recent report by an information security expert known as TheAnalyst, in which the abuse of Microsoft services was given a separate place. He wrote that, for example, the BazarLoader malware operators place their malware in Microsoft OneDrive and wondered: “Is Microsoft in any way responsible for this if they INTENTIONALLY place hundreds of files for more than three days leading to this [BazarLoader infection ]? “.

Let me remind you that BazarLoader is infected through spam messages. Attackers try to trick the recipients of such messages into opening a trojanized link. In this case, it was an ISO file containing a malicious DLL with a misleading label called “Documents”. The launch of such malware usually ends with a Conti ransomware attack.

In a report on TheAnalyst’s legitimate claims on Twitter, Beaumont responded as follows:

It’s funny, in MS we created a system to notify Google Drive about BazarLoader to block such links, which is why it happened so quickly (literally in a matter of minutes). Now they [the attackers] have moved into the Microsoft infrastructure that has this system, but they cannot force Office to delete the files. Microsoft documentation specifically recommends allowing some of the domains in question to prevent security solutions from validating content. Try to protect your business in such a situation.

Beaumont also adds:

Microsoft has no right to advertise itself as a leader in security, employing 8,000 security personnel and handling trillions of signals, unless they are able to prevent direct exploitation of its own platform Office365 to run Conti ransomware, and OneDrive has been abused for years.

It is worth saying that the site URLhaus, supported by the Swiss project at the Institute of Cybersecurity and Engineering at the University of Bern, maintains statistics that confirm the words of experts. For example, according to the latest data, Microsoft shows the worst response time to malware among the top 10 sites hosting the most malicious URLs. It usually takes more than 29 days to remove Microsoft malware.


Google also suffers from malware and removes it slowly, on average in 14 days, but it’s still twice as fast as Microsoft.


Microsoft representatives have already paid attention to the criticism of specialists and made the following comment regarding the current situation:

Cloud storage abuse is an industry-wide problem, and we are constantly working to reduce the abuse of Microsoft services. We are exploring further potential improvements to prevent and respond quickly to the various types of abuse listed in this report.
The company also notes that it always advises customers to exercise caution when following links to pages, opening or accepting unknown files.

Let me remind you that we also wrote that Researchers find four vulnerabilities in Microsoft Office.

User Review
0 (0 votes)
Comments Rating 0 (0 reviews)

Daniel Zimmermann

Daniel Zimmermann has been writing on security and malware subjects for many years and has been working in the security industry for over 10 years. Daniel was educated at the Saarland University in Saarbrücken, Germany and currently lives in New York.

Related Articles

Leave a Reply

Your email address will not be published.


This site uses Akismet to reduce spam. Learn how your comment data is processed.

Back to top button