Cerber Ransomware Used in Massive Attack Targeting Office 365 Users

Over the past months, ransomware has become a widespread cyber-threat aimed at enterprises and consumers alike, and a recent massive attack against Office 365 users proves that once again.

The attack started on June 22 and lasted for more than 24 hours, a recent report from cloud-security firm Avanan reveals. Focused on securing Office 365, Box, Salesforce, Amazon AWS, and other cloud applications, the security firm says that this massive attack was targeting its customers that were using Office 365.

According to Avanan’s Steven Toole, the attackers were using the Cerber ransomware to infect victims’ computers, and millions of Office 365 business users were likely affected. Like many other ransomware families out there, Cerber encrypts users’ files (such as photos, videos, documents, and other file types) and demands a ransom to be paid to restore the affected files.

Cerber is spread as a malicious document attached to spam emails and uses various social engineering techniques to trick users into enabling macros in Office to allow the malicious code to run. This attack method isn’t employed by Cerber alone, though the ransomware does have its unique feature: after encryption, it plays an audio file to inform its victim of the infection. It displays a written ransom note as well.
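A gateway-side check for the delivery technique described above, added here as an example and not part of the article or of Avanan’s or Microsoft’s tooling: a Python function that flags Office attachments carrying a VBA macro project before they reach a mailbox. The sample documents and filenames are constructed for the demonstration, and the legacy OLE2 check is a byte-scan heuristic rather than a full parser.

```python
import io
import zipfile

OLE_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"
# Directory-entry names of the VBA container in legacy .doc/.xls files,
# stored as UTF-16LE inside the OLE2 compound file.
OLE_VBA_MARKERS = ["_VBA_PROJECT".encode("utf-16-le"),
                   "Macros".encode("utf-16-le")]


def attachment_has_macros(data: bytes) -> bool:
    """Heuristic check for a VBA project inside an Office attachment.

    OOXML (.docm/.xlsm, or a .docx renamed to hide it) is a zip archive in
    which Office keeps macros in a part named vbaProject.bin. Legacy OLE2
    documents store them in a 'Macros' storage holding a '_VBA_PROJECT'
    stream; scanning the raw bytes for those names is cheap enough to run
    on every inbound mail, but it is a heuristic, not an OLE parser.
    """
    if data.startswith(b"PK\x03\x04"):
        try:
            with zipfile.ZipFile(io.BytesIO(data)) as zf:
                return any(n.lower().endswith("vbaproject.bin")
                           for n in zf.namelist())
        except zipfile.BadZipFile:
            return False
    if data.startswith(OLE_MAGIC):
        return any(marker in data for marker in OLE_VBA_MARKERS)
    return False


def triage_attachments(attachments):
    """Names of attachments to quarantine before delivery: anything that
    actually contains a macro project, whatever its extension claims."""
    return [name for name, data in attachments if attachment_has_macros(data)]


# Constructed samples for a local run; these are not real Cerber documents.
def build_ooxml(with_macros: bool) -> bytes:
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("word/document.xml", "<w:document/>")
        if with_macros:
            zf.writestr("word/vbaProject.bin", b"\x00" * 16)
    return buf.getvalue()


def build_ole(with_macros: bool) -> bytes:
    body = OLE_MAGIC + b"\x00" * 504  # fake 512-byte header, no real sectors
    return body + (OLE_VBA_MARKERS[0] if with_macros else b"")
```

In production this check belongs alongside, not instead of, the mail provider’s own attachment scanning, since it only answers whether a macro project is present, not whether it is malicious.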

The security firm claims that around 57 percent of organizations using Office 365 “received at least one copy of the malware into one of their corporate mailboxes” during the attack. Nevertheless, they also note that it is rather difficult to measure how many users were actually infected. The company also explains that Microsoft was able to block the malicious attachment one day after the attack started.

The Cerber ransomware was spotted for the first time back in March, and has received a series of updates to expand its functionality. The threat was observed in campaigns mainly targeting the United States, Turkey, and the United Kingdom. Additionally, it appeared to be leveraged in DDoS attacks in May, and was seen morphing every 15 seconds earlier this month, in an attempt to avoid detection.

Avanan says that the newly observed attack employed a variation of the Cerber variant observed in March, but didn’t provide additional details on it. However, the security firm did say that the ransomware “was widely distributed after its originator was apparently able to easily confirm that the virus was able to bypass the Office 365 built-in security tools through a private Office 365 mail account.”

The security company also notes that traditional antivirus and anti-malware applications did not detect this attack because it targeted users of cloud email services. As part of this attack, Cerber used AES-256 and RSA encryption, which cannot practically be broken without the key, and demanded a ransom of 1.24 Bitcoin from its victims.

“Many users of cloud email programs believe they ‘outsourced’ everything to Microsoft or Google, including security,” explains Gil Friedrich, CEO of Avanan. “The reality is that hackers first make sure their malware bypasses major cloud email providers’ security measures, and so most new malware goes through cloud email programs undetected.”

Related: Ransomware Gang Made $50,000 in Weeks

Related: MIRCOP Ransomware Claims to Be Victim, Demands Payback
