Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.


End of Bibblio RCM includes -->
09:00 AM
Connect Directly

Malicious PowerShell Use, Attacks on Office 365 Accounts Surged in Q4

There was also a sharp increase in overall malware volumes in the fourth quarter of 2020, COVID-19 related attack activity, and mobile malware, new data shows.

For security teams, there was a lot more of everything to defend against in the final quarter of 2020 compared to previous months.

PowerShell threats grew 208%; Microsoft Office malware increased by 199%, while malware targeting mobile devices rose 118% between the third and fourth quarters of 2020. And COVID-19 related malware and threats surged 114%.

Related Content:

Global Dwell Time Drops as Ransomware Attacks Accelerate

Special Report: How Data Breaches Affect the Enterprise

New From The Edge: 9 Modern-Day Best Practices for Log Management

A new analysis by McAfee of threat data during the period showed similar increases on several other fronts as well. The volume of malware threats detected on enterprise networks rose 10% to 648 threats per minute compared to 588 in Q3, 2020; ransomware once again grew in volume, this time by 69% and adversaries hammered cloud user accounts belonging to McAfee's customers with an astounding 3.1 million attacks in the last quarter of 2020.

McAfee's analysis showed that technology companies were the most targeted entities in Q4, followed by organizations in the public sector. Publicly reported attacks targeting the technology sector surged 100%, while those targeting public sector entities went up 93% in the last three months of 2020.

Sandeep Chandana, director at McAfee’s MVISION Cloud group, says a large portion of the cloud attacks in Q4 were targeted at Microsoft Office 365 accounts. The attacks could be classified as either distributed login attacks on hundreds or thousands of Office 365 accounts via compromised consumer devices, or targeted attacks on a small number of potentially high-value accounts.

Other security vendors have reported a similar increase in cloud attacks targeted at Office 365 environments over the past year. A March 2021 Vectra AI report based on a global survey of over 1,100 IT security professionals, for instance, showed that many organizations have increased their use of Office 365 because of the pandemic. More than seven-in-10 (71%) of the respondents said they had experienced an average of seven incidents where attackers had taken over a legitimate Office 365 account.

Chandana says there were other patterns around cloud native attacks in Q4 2020. "Recent cloud native attacks could also be categorized by the types of region-of-origin and target-industry-vertical," he says. "Attacks on financial organizations seemed to originate from one part of the world, while attacks on public sector tend to originate from a relatively different part of the world," he says.

Malware volumes overall increased 43% and continued to be the primary attack vector for most security incidents detected in Q4, followed by account hijackings of the sort targeted at Office 365 accounts. Exploits targeting new vulnerabilities meanwhile shot up 100% in Q4, while targeted attacks increased 43%.

PowerShell Surge

One factor complicating detection efforts at many companies was the sharp—and continued--use of PowerShell in attacks. A recent investigation by Red Canary showed that attackers commonly use command and script interpreters such as Windows Command Shell and PowerShell to execute malicious commands, and run scripts and binaries when carrying out an attack. Over 48% of organizations in Red Canary's study reported encountering incidents where PowerShell was part of the attack chain.

Raj Samani, chief scientist at McAfee, says there were specific campaigns in the fourth quarter of 2020 that dramatically increased reporting of incidents in this category. "PowerShell is a tool with both good and bad uses," he says. Organizations should consider their risk appetite when weighing decisions on whether to permit its use or not, he says. "If you are going to run PowerShell, you need to have mechanisms in place to monitor its usage," Samani notes.

And, he says, just because enterprise policies might not permit the use of PowerShell does not mean that PowerShell isn't being used anyway. "Anticipate it and monitor it within your environment."

The increase in malware and attack volumes that McAfee observed in the last three months of 2020 came amid signs that organizations are getting better at detecting security incidents on their own—something that has been a longstanding problem for many. A new analysis of a year's worth of intrusion data by FireEye Mandiant showed that in 59% of the incidents, the organization itself detected the intrusion initially—an improvement of 12% over the prior year.

However, in many cases organizations appear to have detected breaches only because they had been hit with ransomware, rather than because of improved threat detection capabilities.

Jai Vijayan is a seasoned technology reporter with over 20 years of experience in IT trade journalism. He was most recently a Senior Editor at Computerworld, where he covered information security and data privacy issues for the publication. Over the course of his 20-year ... View Full Bio

Comment  | 
Print  | 
More Insights
Newest First  |  Oldest First  |  Threaded View
User Rank: Ninja
4/15/2021 | 5:48:17 PM
Powershell and Windows 10 has numerous restrictive capabilities
If the user did not want to allow PowerShell (PS) scripts from running (especially from a Web or email server), then why not add lines like the following:
  • $exec = get-executionpolicy ; if ($exec -eq "Bypass" -or $exec -eq "Unrestricted") { set-executionpolicy -executionpolicy "Restricted"}
  • Run "Get-ExecutionPolicy" again just to make sure it is set to "Restricted"

In addition, all ports (if web-server) should be blocked, except port 443 or 80 in some respects (Windows firewall can do that but there are ofcourse better options - PaloAlto is a good one that we use), not sure why the execution policy (if configured properly) would even allow remove exploits like this to penetrate the initial defenses).

  • netsh advfirewall firewall add rule name="Require Encryption for Inbound TCP/80" protocol=TCP dir=in localport=80 security=authdynenc action=allow

I would also go to "taskschd.msc" and look at the "Task Scheduler Library" to ensure there are no running "PS" scripts. The user can create a script to run to ensure the setting is always set to "Restricted"
  • schtasks /create /TN restrict /SC Daily /TR "powershell -c restrict.ps1" /ST 06:00

This ensures the system is set to restrict executionpolicy or set it to Restricted.

Also, Windows 10 uses Windows Defender Security Center to protect against these types of Attacks, this could have been overlookewell, lessons learned.


I Smell a RAT! New Cybersecurity Threats for the Crypto Industry
David Trepp, Partner, IT Assurance with accounting and advisory firm BPM LLP,  7/9/2021
Attacks on Kaseya Servers Led to Ransomware in Less Than 2 Hours
Robert Lemos, Contributing Writer,  7/7/2021
It's in the Game (but It Shouldn't Be)
Tal Memran, Cybersecurity Expert, CYE,  7/9/2021
Register for Dark Reading Newsletters
White Papers
Current Issue
Everything You Need to Know About DNS Attacks
It's important to understand DNS, potential attacks against it, and the tools and techniques required to defend DNS infrastructure. This report answers all the questions you were afraid to ask. Domain Name Service (DNS) is a critical part of any organization's digital infrastructure, but it's also one of the least understood. DNS is designed to be invisible to business professionals, IT stakeholders, and many security professionals, but DNS's threat surface is large and widely targeted. Attackers are causing a great deal of damage with an array of attacks such as denial of service, DNS cache poisoning, DNS hijackin, DNS tunneling, and DNS dangling. They are using DNS infrastructure to take control of inbound and outbound communications and preventing users from accessing the applications they are looking for. To stop attacks on DNS, security teams need to shore up the organization's security hygiene around DNS infrastructure, implement controls such as DNSSEC, and monitor DNS traffic
Flash Poll
How Enterprises are Developing Secure Applications
How Enterprises are Developing Secure Applications
Recent breaches of third-party apps are driving many organizations to think harder about the security of their off-the-shelf software as they continue to move left in secure software development practices.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
PUBLISHED: 2023-05-26
Craft is a CMS for creating custom digital experiences. Cross site scripting (XSS) can be triggered by review volumes. This issue has been fixed in version 4.4.7.
PUBLISHED: 2023-05-26
Django-SES is a drop-in mail backend for Django. The django_ses library implements a mail backend for Django using AWS Simple Email Service. The library exports the `SESEventWebhookView class` intended to receive signed requests from AWS to handle email bounces, subscriptions, etc. These requests ar...
PUBLISHED: 2023-05-26
Highlight is an open source, full-stack monitoring platform. Highlight may record passwords on customer deployments when a password html input is switched to `type="text"` via a javascript "Show Password" button. This differs from the expected behavior which always obfuscates `ty...
PUBLISHED: 2023-05-26
Craft is a CMS for creating custom digital experiences on the web.The platform does not filter input and encode output in Quick Post validation error message, which can deliver an XSS payload. Old CVE fixed the XSS in label HTML but didn’t fix it when clicking save. This issue was...
PUBLISHED: 2023-05-26
GDSDB infinite loop in Wireshark 4.0.0 to 4.0.5 and 3.6.0 to 3.6.13 allows denial of service via packet injection or crafted capture file