In a tweet sent on Friday, Beaumont said: "Microsoft cannot advertise themselves as the security leader with 8000 security employees and trillions of signals if they cannot prevent their own Office365 platform being directly used to launch Conti ransomware. OneDrive abuse has been going on for years. Fix it."
He was responding to a tweet from an infosec professional using the handle TheAnalyst, who wrote: "You all have read how #BazarLoader #BazaLoader leads to #ransomware, in particular #conti that doesn't care that they target healthcare etc?
"Does @Microsoft have any responsibility in this when they KNOWINGLY are hosting hundreds of files leading to this, now for over three days?"
The overwhelming majority of ransomware targets only Windows: an analysis by staff of the Google-owned VirusTotal database last Thursday showed that 95% of 80 million samples analysed — going all the way back to January 2020 — were aimed at Windows.
VirusTotal is a site where security researchers can submit any ransomware they find and have it scanned by anti-virus engines to see if it can be identified.
Beaumont said in another tweet: "Before the train of MS employees arrive saying ‘just report it’, try getting them and future ones taken down yourselves. I did. It was a disaster.
"Check out Microsoft’s average reaction time (to abuse reports). They’re world’s best malware hoster for about a decade, due to O365."
And he added: "Amusingly MS consume your API and use it to block things on your lists in their security products (I was on the team doing it), but nobody wants to clean up the network. So get screwed, non-E5."
Beaumont, who has a well-earned reputation as a researcher who is quick to admit faults in his own industry, acknowledged that other technology companies also played a big role in hosting malware.
Quoting a tweet from a Swiss researcher [given below], he said: "And yes, it's not just Microsoft. Tech companies have got to do better."
Beaumont said: "There’s somebody in the replies from Microsoft saying when things are detected by Defender, they’re automatically taken down in OneDrive.
"That’s categorically not true, that functionality isn’t there. Microsoft need to have a long, hard look at this problem."
He said Bazarloader had moved from Google Drive to OneDrive. "Their content used to be taken down from Google Drive almost instantly because we, Microsoft, reported it to Google. It is still online, days later, on OneDrive despite being reported, because Microsoft is fumbling it. Fix it."
Asked by Lee Holmes, the principal security architect for Azure Security, whether he had reported this to Microsoft, Beaumont said the Swiss researcher had done so.
"@abuse_ch does, when I worked at MS I also reported them but usually they didn’t get actioned," he responded.
"I had to do things like send to CERT, get nowhere, send to DSRE, get nowhere, cc in managers etc. O365 has https://abuse.ch takedowns pending for months."
Beaumont said Microsoft's attitude towards the presence of malware on its Office365 platform had "been like that for years".
"@abuse_ch used to message me O365 misuse while I worked at MS, even working there it was a struggle to find people who could remedy issues," he added.
Had a support case recently where I was trying to request they take down malicious OneNote. Spent ages trying to tell me how to block an email. — Robert Pearman (@titlerequired) October 15, 2021
Holmes then defended Microsoft, saying: "I was involved in the abuse reporting pipeline for Azure Storage, and can tell you that almost 100% of the Twitter threads calling out malicious content had never reported those URLs to Microsoft. MS does actively seek out malicious URLs as well, but no system has 100% visibility."
To which @abuse_ch responded: "I have applied for access for their anti abuse API 2y ago, never got a response. Managers ask me to fill out forms for reporting abuse (seriously?). There is no way to signal phishing sites to MS SmartScreen. Yes, this is 2021!"
Holmes then provided a URL for what he said was access to the API in question, and said: "If that fell into a black hole, then let's get that fixed :) There is API access so that you don't have to do anything manually."
@abuse_ch replied: "There you go. Let's see how long it takes for MS to get those 867 malware sites taken down. I'm crossing my fingers. For the record, the oldest active malware site with an age of 19 months is hosted on Sharepoint and serving GuLoader."