New Malicious .slk Files Are Bypassing Microsoft 365 Security and Putting 200 Million Users at Risk


Avanan’s security analysts have detected new malicious .slk files bypassing Microsoft 365 security, putting 200M+ users at risk. In this attack, hackers send an email with an .slk attachment that contains a malicious macro (an msiexec script) to download and install a remote access trojan. The attack specifically targets Microsoft 365 accounts and, until recently, was isolated to a small number of organizations. This has changed. The attack details follow below.


SYLKin Attack: New Malicious .slk files are bypassing Microsoft 365 Security, Risking 200M+ Users


A new attack method bypasses both Microsoft 365 default security (EOP) and advanced security (ATP). At the time of writing, Microsoft 365 is still vulnerable and the attack is still being used extensively against Microsoft 365 customers.


This week, Avanan’s Security Analysts detected a significant increase in the usage of .slk files in attacks against Microsoft 365 customers. In this attack, hackers send an email with an .slk attachment that contains a malicious macro (MSI exec script) to download and install a remote access trojan.


It is a very sophisticated attack with several obfuscation methods specifically designed to bypass Microsoft 365. More details below.


Gmail customers are safe from this attack – Google blocks .slk files on incoming email and makes it impossible to send them as attachments from a Gmail account.


What should I do?


If you are an Avanan customer and in Protect (Inline) mode, this attack is blocked and users will not see them in their inbox. If you are in Monitor Mode, we recommend that you move to Protect (Inline) mode.


Alternatively, we recommend you configure your Office 365 account to reject files of this type. SLK files are relatively rare, so unless you ha ..
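As an added illustration (not Avanan's or Microsoft's code), the check below shows what "reject files of this type" looks like in a mail-gateway filter: it holds attachments named .slk and, going one step beyond the text, also matches the SYLK `ID;P` file signature so a renamed .slk file is caught, flagging formula cells that invoke EXEC/msiexec as described above. The message, filenames and SYLK cell contents are constructed for the example.

```python
import email
from email import policy
from email.message import EmailMessage

SYLK_MAGIC = b"ID;P"                        # every SYLK file opens with this ID record
SUSPICIOUS_TOKENS = (b"EXEC(", b"MSIEXEC")  # the reported macro shells out via msiexec


def classify_attachment(filename, payload):
    """Return the reasons (possibly none) to quarantine one attachment."""
    reasons = []
    name = (filename or "").lower()
    if name.endswith(".slk"):
        reasons.append("extension .slk")
    if payload.lstrip()[:4] == SYLK_MAGIC:
        reasons.append("SYLK signature")
        if not name.endswith(".slk"):
            reasons.append("extension mismatch")      # SYLK content under another name
        if any(tok in payload.upper() for tok in SUSPICIOUS_TOKENS):
            reasons.append("formula invokes EXEC/msiexec")
    return reasons


def scan_message(raw_bytes):
    """Map attachment filename -> reasons, for every attachment that should be held."""
    msg = email.message_from_bytes(raw_bytes, policy=policy.default)
    findings = {}
    for part in msg.iter_attachments():
        payload = part.get_payload(decode=True) or b""
        reasons = classify_attachment(part.get_filename(), payload)
        if reasons:
            findings[part.get_filename() or "<unnamed>"] = reasons
    return findings


def build_sample():
    """Constructed message: a harmless text note plus SYLK content renamed to .xls."""
    msg = EmailMessage()
    msg["Subject"] = "Q2 report"
    msg.set_content("Please review the attached report.")
    msg.add_attachment("Meeting notes.", filename="notes.txt")
    sylk = (b"ID;PWXL;N;E\r\n"
            b'C;Y1;X1;K"placeholder cell"\r\n'
            b'C;Y2;X1;EEXEC("constructed-placeholder")\r\n'   # formula cell, payload replaced
            b"E\r\n")
    msg.add_attachment(sylk, maintype="application", subtype="octet-stream",
                       filename="report.xls")
    return msg.as_bytes()


if __name__ == "__main__":
    for name, why in scan_message(build_sample()).items():
        print(f"hold {name}: {', '.join(why)}")
```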