Security News

Microsoft has addressed important severity remote code execution vulnerabilities affecting multiple Office products in the January 2021 Office security updates. Microsoft also released non-security Office updates last week addressing bugs that may lead to PowerPoint crashes and other issues affecting Windows Installer editions of Office 2016, Office 2013, and Office 2010 products.

A phishing campaign bent on stealing Microsoft login credentials is using Google Firebase to bypass email security measures in Microsoft Office 365, researchers said. Clicking the thumbnail or "View File" link leads to the final phishing page, asking victims to log in with their Microsoft credentials, and asks them to provide alternate email addresses or phone numbers - an effort to collect data that could be used to get around two-factor authentication or account recovery mechanisms.

Microsoft has released the January 2021 non-security Microsoft Office updates with fixes for known issues impacting Windows Installer editions of Office 2016 products. Microsoft has also released non-security updates in Current Channel releases for Microsoft 365 Apps to address Excel crashes and Outlook hangs.

Asigra software version 14.2 support for the Microsoft software suite empowers solution providers to significantly lower cybersecurity threats targeting backup repositories with MS Office 365 data. Asigra Cloud Backup with Deep MFA allows users to easily schedule the creation of point-in-time backup copies of mailboxes and corporate data residing in Microsoft Office 365 Exchange Online, Office 365 Groups, SharePoint Online, and OneDrive for Business - with no limitations on data volumes or number of mailboxes.

The attackers behind the attack leveraged hundreds of compromised, legitimate email accounts in order to target organizations with emails, which pretended to be document delivery notifications. In reality, the phishing attack stole victims' Office 365 credentials.

Microsoft has addressed critical remote code execution vulnerabilities in multiple SharePoint versions with this month's Office security updates. Redmond also issued the December 2020 Patch Tuesday security updates, with security updates for 58 vulnerabilities, nine of them rated as Critical.

With 85% product growth year-over-year in Q3'20, Veeam Backup for Microsoft Office 365 has exceeded 133,000 downloads across tens of thousands of organizations, which are relying on Veeam to protect their Office 365 data, including Exchange Online, SharePoint Online, OneDrive for Business, and now backup and recovery specifically built for Microsoft Teams. The Teams configurations, which include settings, members and team structure, are vital components to ensure Teams data is fully protected and easily recoverable. Veeam is meeting this critical business need with our new version of Veeam Backup for Microsoft Office 365.".

Microsoft has released the November 2020 non-security Microsoft Office updates with performance enhancements and fixes for known issues impacting Windows Installer editions of Office 2016 products. Four of the Office November 2020 non-security updates apply to the entire Microsoft Office 2016 software suite, while five others address issues impacting standalone Office products like Word, Project, and Visio.

During an upcoming presentation at HITB CyberWeek 2020, Ashar Javed, a security engineer at Hyundai AutoEver Europe, will share stories from his journey towards discovering 365 valid bugs in Microsoft Office 365. I found literally hundreds of bugs in Office 365 but my favourite are All your Power Apps Portals belong to us and Cross-tenant privacy leak in Office 365.

Researchers are warning of an ongoing Office 365 credential-phishing attack that's targeting the hospitality industry - and using visual CAPTCHAs to avoid detection and appear legitimate. Though the use of CAPTCHAS in phishing attacks is nothing groundbreaking, this attack shows that the technique works - so much so that the attackers in this campaign used three different CAPTCHA checks on targets, before finally bringing them to the phishing landing page, which poses as a Microsoft Office 365 log-in page.