The security hole can be leveraged to gain access to an organization’s SharePoint site

Dec 11, 2013 09:29 GMT

Microsoft has patched several vulnerabilities with the December 2013 security bulletins. One security hole that impacts Office 365 has been exploited by cybercriminals in targeted attacks, experts warn.

Researchers from Adallom have dubbed the attack “Ice Dagger” because it can be considered a perfect (cyber)crime. The attack involves no malware payload that can be reverse engineered, no file hash to trace, no servers that can be confiscated, and no IP address to investigate.

The attack observed by Adallom was aimed at a high-profile company from an unspecified industry sector. Experts are confident that the attack was targeted because it starts with an email specifically written for this particular organization’s employees.

The email attempts to convince recipients to open a Word document by clicking on a link. After a close analysis, experts have determined that the document was actually being requested from a TOR hidden service.

What the victim doesn’t know is that while he’s retrieving a decoy document via the Office 2013 Desktop application – which is designed to integrate with Microsoft’s Office 365 cloud platform – a vulnerability is being exploited.

The flaw allows the attacker to gain access to the victim’s private Office 365 authentication token. Since the token remains valid for quite some time (at least a few weeks), the cybercriminal can use it to access the targeted organization’s SharePoint Online site and download or modify all of its content without the user ever realizing it.

Experts highlight that SkyDrive Pro is just as vulnerable to these attacks. Furthermore, the attackers can use PowerPoint, Excel and OneNote files as bait.

Only Office 2013 Desktop appears to be susceptible to the attack since it’s designed to integrate with Office 365. The vulnerability (CVE-2013-5054) was reported to Microsoft in late May 2013.

Adallom has published a POC video of the attack.