For several weeks, we detected (and blocked) an attack targeting one of the largest municipalities in the U.S. that bypassed Office 365 default security, using a simple yet extremely devastating form of malware contained in an .ace file.

Although using .ace files to spread malware is a tactic commonly used by hackers, O365's defenses did not flag these as malicious and let them through. We are happy to update that this hole in O365 seems to have been fixed this week.

Though this customer has several security tools enabled on their Avanan account, this malware was originally found by Check Point Sandblast. (So, credit goes to Check Point on this one.)


What is an .ace File?

.ace or "ACE" is a data compression file format, similar to a .zip, mostly used by WinAce, an archiving program created by Windows. Where .zip and .ace files differ are in speed and compression ratio: .ace files are compressed much faster with a higher compression ratio. The other notable difference is in their commonality. The .zip file type is much more common, and outside of WinAce, it is rare to see an .ace file used.


How Are They Used in This Attack?

In this particular attack, an email spoofed to looked like it was a tracking notification from DHL was sent to an executive level government employee working for a major US city. In reality, the notification contained an .ace file as an attachment that, when opened, contained a trojan (SRC file) inside of it. This method of launching a trojan upon the opening of a compressed file is a technique known as Archive Inflation, since the compressed archive file is inflating into something much larger (and in this case, malicious) when opened.


What Does The Attack Do?

Although we blocked the attack, we were able to see the intended results of the attack using our sandboxing tools. Once the trojan is deployed, it takes over the computer and begins pulling data from all the browsers in use on the computer—Chrome, Firefox, Opera, Interned Explorer, etc. From these browsers, it tries two different methods to steal the user's credentials:

1. Searches for Cached Passwords.

Looking through the browsers cache, the trojan attempts to pull saved passwords from the user's accounts. This can be anything from email passwords to banking logins.

2. Session Hijacking 

If no passwords are stored anywhere, then hacker will then use a method called session hijacking. By taking all the cookies from the user's browsers, the hacker can get into all of the accounts without the need for a password. Since the cookies tell the browser that it is a continued session, the hacker can go into the user's email and banking sites without ever being prompted for a password. To the browser, it will appear as if they have always been logged in.


Why Did Microsoft Miss this Attack?

Although .ace attacks have been around a long time, we have been catching a number of them being used against large organizations who have deployed our product. While this may seem strange, the use of old attack vectors is quite common and can often be more bountiful for hackers than more modern attack methods. The two vulnerabilities that massive security technologies like Microsoft have are to:

  1. Old attack methods that have fallen out of vogue and are therefore not accounted for when designing the security scan
  2. Cutting edge attack methods that have never been seen before and therefore can not be accounted for when designing the security scan

This attack is a clear example of the first type (while BaseStriker is a good example of the second), as it probably got through due to an update of Microsoft's security capabilities, which excluded the outdated .ace file off as a potential threat given the outdated nature of the attack style. This is a similar mindset to those who do not think vaccinating for smallpox is important because they haven't seen a case of smallpox in decades. But experience shows that it is important to vaccinate against smallpox and it is important to scan for malicious .ace files.

Note: As of our most recent tests, Microsoft is now protecting against these attacks.