Skip navigation
industry news

Ransomware Evades Antivirus and Microsoft Security Tools, Targets Office 365

At least 57 percent of all Office 365 customers received a phishing attempt that delivered the Cerber ransomware to their Windows devices, reports Avanan, a cloud security provider.

Sent via email, an attached Microsoft Word document asked users to click the ‘Enable Content’ button to view the content of the document. That enables macros and allows the ransomware to download onto a user’s computer.

Office 365 Ransomware Cerber

The ransomware asks for 1.24 Bitcoins or about $500 to get their files back - delivering its demands in a voice message that plays when a user attempts to open a file.

The virus was able to evade antivirus and other security detection, bypassing Office 365 security tools. A report from Invincea’s security researchers found that Cerber payloads are all uniquely hashed. That makes it harder to be detected by traditional antivirus solutions, according to a blog by Graham Clueley.

It took Microsoft more than 24 hours to detect the attack and block the attachment, according to

Ransomware is on the rise, as FBI figures show that ransomware victims reported the costs of the attacks to reach $209 million in the first quarter of 2016, compared to $24 million in 2015, as reported by

What’s the best defense against infection?

  • Use a phishing tool to first measure your organization’s level of risk - run a drill, phish your employees, then educate them on how to avoid clicking on suspicious links and email attachments.
  • Disable macros in your Microsoft Office programs. The Hacker News has a useful guide on securing your computer against macro-based malware.
  • Shift your focus to protecting endpoints for prevention, rather than detection.
  • Get visibility into your endpoints with a tool that identifies any out-of-date or security-lacking devices on your network. That includes old browsers, operating systems or plugins; or devices that lack screen locks or passcodes, or may be jailbroken.
  • Updating your endpoints to the latest software can stop an attacker from exploiting a vulnerability in order to install malware on one endpoint and spread it throughout your networks.
  • Back up your data, and store it separately from your local network/computer. CryptXXX and other types of ransomware will encrypt not only files on an infected PC, but also any files found on connected storage devices.
  • Establish an incident response and data recovery plan in case you do get infected.

Learn more about protecting Office 365 with access and authentication security policies, including how to secure single sign-on (SSO).