Sunday, 17 October 2021 07:41

Infosec expert Beaumont slams Microsoft over hosting malware 'for years'

Kevin Beaumont: "Check out Microsoft’s average reaction time (to abuse reports). They’re world’s best malware hoster for about a decade, due to O365."

A British tech researcher, who quit working as a security threat analyst with Microsoft a few months back, has called on his former employer to act speedily to remove links to ransomware on its Office365 platform.

In a tweet sent on Friday, Beaumont said: "Microsoft cannot advertise themselves as the security leader with 8000 security employees and trillions of signals if they cannot prevent their own Office365 platform being directly used to launch Conti ransomware. OneDrive abuse has been going on for years. Fix it."

He was responding to a tweet from an infosec professional using the handle TheAnalyst, who wrote: "You all have read how #BazarLoader #BazaLoader leads to #ransomware, in particular #conti that doesn't care that they target healthcare etc?

"Does @Microsoft have any responsibility in this when they KNOWINGLY are hosting hundreds of files leading to this, now for over three days?"

According to the security firm Palo Alto Networks, "BazarLoader (sometimes referred to as BazaLoader) is malware that provides backdoor access to an infected Windows host. After a client is infected, criminals use this backdoor access to send follow-up malware, scan the environment and exploit other vulnerable hosts on the network."

An overwhelming majority of ransomware attacks only Windows, with an analysis by staff of the Google-owned VirusTotal database last Thursday showing that 95% of 80 million samples analysed — all the way back to January 2020 — were aimed at Windows.

VirusTotal is a site where security researchers can submit any ransomware they find and have it scanned by anti-virus engines to see if it can be identified.

Beaumont said in another tweet: "Before the train of MS employees arrive saying ‘just report it’, try getting them and future ones taken down yourselves. I did. It was a disaster.

"Check out Microsoft’s average reaction time (to abuse reports). They’re world’s best malware hoster for about a decade, due to O365."

And he added: "Amusingly MS consume your API and use it to block things on your lists in their security products (I was on the team doing it), but nobody wants to clean up the network. So get screwed, non-E5."

Beaumont, who has a well-earned reputation as a researcher who is quick to admit faults in his own industry, acknowledged that other technology companies also played a big role in hosting malware.

Quoting a tweet from a Swiss researcher [given below], he said: "And yes, it's not just Microsoft. Tech companies have got to do better."

Beaumont said: "There’s somebody in the replies from Microsoft saying when things are detected by Defender, they’re automatically taken down in OneDrive.

"That’s categorically not true, that functionality isn’t there. Microsoft need to have a long, hard look at this problem."

He said BazarLoader had moved from Google Drive to OneDrive. "Their content used to be taken down from Google Drive almost instantly because we, Microsoft, reported it to Google. It is still online, days later, on OneDrive despite being reported, because Microsoft is fumbling it. Fix it."

Asked by Lee Holmes, the principal security architect for Azure Security, whether he had reported this to Microsoft, Beaumont said the Swiss researcher had done so.

"@abuse_ch does, when I worked at MS I also reported them but usually they didn’t get actioned," he responded.

"I had to do things like send to CERT, get nowhere, send to DSRE, get nowhere, cc in managers etc. O365 has takedowns pending for months."

Beaumont said Microsoft's attitude towards the presence of malware on its Office365 platform had "been like that for years".

"@abuse_ch used to message me O365 misuse while I worked at MS, even working there it was a struggle to find people who could remedy issues," he added.

Holmes then defended Microsoft, saying: "I was involved in the abuse reporting pipeline for Azure Storage, and can tell you that almost 100% of the Twitter threads calling out malicious content had never reported those URLs to Microsoft. MS does actively seek out malicious URLs as well, but no system has 100% visibility."

To which @abuse_ch responded: "I have applied for access for their anti abuse API 2y ago, never got a response. Managers ask me to fill out forms for reporting abuse (seriously?). There is no way to signal phishing sites to MS SmartScreen. Yes, this is 2021!"

Holmes then provided a URL for what he said was access to the API in question, and said: "If that fell into a black hole, then let's get that fixed :) There is API access so that you don't have to do anything manually."

@abuse_ch replied: "There you go. Let's see how long it takes for MS to get those 867 malware sites taken down. I'm crossing my fingers. For the record, the oldest active malware site with an age of 19 months is hosted on SharePoint and serving GuLoader."

Sam Varghese

Sam Varghese has been writing for iTWire since 2006, a year after the site came into existence. For nearly a decade thereafter, he wrote mostly about free and open source software, based on his own use of this genre of software. Since May 2016, he has been writing across many areas of technology. He has been a journalist for nearly 40 years in India (Indian Express and Deccan Herald), the UAE (Khaleej Times) and Australia (Daily Commercial News (now defunct) and The Age). His personal blog is titled Irregular Expression.
