Former Microsoft threat intelligence analyst Kevin Beaumont flagged the company’s failure to prevent attackers from using its platforms, such as Office 365 and OneDrive, to launch Conti ransomware, which frequently targets healthcare companies.
In May 2021, the FBI reported 16 Conti ransomware attacks on US healthcare and first responder networks in just one year.
In a series of tweets punching holes in Microsoft’s claims of being prompt on security, Beaumont called the company the world’s best malware hoster.
He further claimed the malware managed to stay under the company’s radar for about a decade.
Beaumont also said that he had brought these issues to the company’s attention when he worked there, but no concrete action was taken.
"Microsoft cannot advertise themselves as the security leader with 8,000 security employees and trillions of signals if they cannot prevent Office365 platform being directly used to launch Conti ransomware. OneDrive abuse has been going on for years," said Beaumont in one of his many tweets.
Beaumont also cited tweets by another cybersecurity expert, known as The Analyst on Twitter, who found that Microsoft was hosting hundreds of BazarLoader files. BazarLoader is one of the malware families most widely used by ransomware actors to gain initial access to users’ systems through spam or phishing emails.
In July, security researchers reported a BazarLoader campaign that deployed Cobalt Strike, a remote access tool, and triggered domain-wide encryption using Conti ransomware, according to The DFIR Report.
Beaumont also retweeted a recent post by abuse.ch, which collects, tracks, and shares malware URLs with security analysts. The tweet shared a list of the time taken by the top ten sites to remove malware in 29 days of being reported. Microsoft had the worst reaction time of them all.
According to the list, Google hosted more malware but their reaction time of 14 days was half of the time taken by Microsoft to remove the malware.
In response to Beaumont’s allegations, a Microsoft spokesperson told The Register, "abuse of cloud storage is an industry-wide issue and we're constantly working to reduce the use of Microsoft services to cause harm. We are investigating further improvements to prevent and rapidly respond to the types of abuse listed in this report."
In its response, Microsoft also urged customers to practice good computing habits and exercise caution when clicking on links to web pages, opening unknown files, or accepting file transfers. The company also urged customers to report abuse using this form.