Attackers are increasingly using more “interesting” platforms and methods to gain access to our networks, especially cloud platforms. OneDrive, OneNote, SharePoint, and ShareFile can all host malicious files. Google and Amazon Web Services (AWS) storage can also host malicious sites. Repositories such as GitHub have recently been used to launch ransomware attacks.
Sites like these appeal to attackers because we trust them and tend to be less suspicious of the links they deliver; a reputation-based URL filter sees a well-known Microsoft or Google domain and lets the download through, so the file itself has to be scanned when it lands. Until recently it took a long time to get malicious files removed from these locations. In the last few weeks, Microsoft's removals have taken Office 365 locations off the top 15 malware-hosting sites listed on URLhaus.
Can you block such locations without disrupting legitimate business needs at the firm? Some employees have no need to reach certain sites, but others do. Depending on your organization, you may be able to configure browsing protections so that only the specific websites needed for business are allowed (an allow-list). Others will need a more nuanced approach in which some users keep full internet access while the rest are more restricted.
Network administrators cannot blindly block Microsoft 365, Google, or AWS locations because the business depends on them, but you should ensure that there are no exclusions or exceptions in your antivirus platform or your firewall/unified threat management (UTM) solution that weaken its ability to protect your network. Exclusions added long ago for performance or application compatibility often cover exactly the folders where downloaded and synced files land (OneDrive sync folders, Downloads, temp directories), which turns a trusted cloud share into an unscanned delivery channel.
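One concrete way to implement the allow-list approach described above, as an added example rather than anything from the original article, is Microsoft Edge's URLBlocklist and URLAllowlist policies. Edge reads them from the HKLM policy hive (every user on the machine) or the HKCU hive (one user), and an allow entry overrides a block entry, so blocking `*` and allowing a handful of hosts yields a business-only browser. The policy names and registry layout are Microsoft's; the site list and the two-tier split are illustrative assumptions to replace with your own.

```powershell
# Added example: enforce a browsing allow-list for Microsoft Edge via registry
# policy. Writing to HKLM requires an elevated session; HKCU does not.

function Set-EdgeBrowsingPolicy {
    param(
        # 'HKLM' applies to every user of the machine; 'HKCU' to the current user only.
        [ValidateSet('HKLM', 'HKCU')] [string] $Hive,
        # Hosts that remain reachable when -Restrict is set. Edge's pattern
        # "contoso.com" also matches its subdomains; ".contoso.com" matches
        # that host only.
        [string[]] $AllowList = @(),
        # Without -Restrict the function clears both lists: unrestricted browsing.
        [switch] $Restrict
    )
    $base = "${Hive}:\SOFTWARE\Policies\Microsoft\Edge"
    foreach ($key in 'URLBlocklist', 'URLAllowlist') {
        # Start from a clean list so stale entries from an earlier run do not linger.
        Remove-Item -Path "$base\$key" -Recurse -Force -ErrorAction SilentlyContinue
        New-Item -Path "$base\$key" -Force | Out-Null
    }
    if ($Restrict) {
        # Block everything, then allow only the listed hosts (allow wins over block).
        New-ItemProperty -Path "$base\URLBlocklist" -Name '1' -Value '*' -PropertyType String -Force | Out-Null
        $i = 1
        foreach ($site in $AllowList) {
            New-ItemProperty -Path "$base\URLAllowlist" -Name "$i" -Value $site -PropertyType String -Force | Out-Null
            $i++
        }
    }
}

# Tier 1: everyone on this machine is limited to the business apps.
# (Assumed list; substitute the sites your firm actually depends on.)
Set-EdgeBrowsingPolicy -Hive HKLM -Restrict -AllowList @(
    'contoso.sharepoint.com',
    'outlook.office.com',
    'teams.microsoft.com',
    'intranet.contoso.local'
)

# Tier 2: for the users who need full access, deploy the same keys through
# Group Policy with security filtering on a "Full Internet" group, which
# amounts to running Set-EdgeBrowsingPolicy -Hive HKLM with no -Restrict
# for those machines, or use HKCU to lift the restriction for one account.
```

Two caveats a practitioner should keep in mind: a browser policy restricts the browser, not the network, so curl, PowerShell, or a malicious document fetching a second stage are unaffected unless the proxy or firewall enforces the same list; and allow-listing `contoso.sharepoint.com` still permits an attacker with a foothold in your own tenant to deliver files from it, which is exactly why the scanning checks in the next paragraph matter.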
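As an added example (not code from the original article), the following PowerShell script audits the exclusion and protection settings of Microsoft Defender Antivirus on a Windows host, which is the check the paragraph above asks for. The Get-MpPreference properties are Microsoft's; the list of "risky" path patterns is my own assumption about where downloaded content commonly lands and should be adjusted for your environment. Run it from an elevated prompt, since recent Defender builds hide exclusions from non-administrators.

```powershell
# Added example: audit Microsoft Defender exclusions and protection switches.
# Requires the Defender PowerShell module (built into Windows 10/11 and
# Server 2016+) and an elevated session.

$pref = Get-MpPreference

# Path patterns that commonly receive downloaded or synced files. Any exclusion
# covering one of these deserves review. (Assumption: adapt to your estate.)
$riskyPatterns = @(
    '\\Downloads',
    '\\OneDrive',
    '\\AppData\\Local\\Temp',
    '\\Users\\Public',
    '^[A-Za-z]:\\$'            # an entire drive excluded
)

$findings = @()

# foreach over $null iterates zero times, so a host with no exclusions is fine.
foreach ($path in $pref.ExclusionPath) {
    foreach ($pattern in $riskyPatterns) {
        if ($path -match $pattern) {
            $findings += [pscustomobject]@{ Type = 'ExclusionPath'; Value = $path; Reason = "matches $pattern" }
        }
    }
}

# Extension and process exclusions are risky almost by definition: an excluded
# extension (e.g. .js, .ps1) or process (e.g. powershell.exe) means anything
# written with it is never scanned.
foreach ($ext in $pref.ExclusionExtension) {
    $findings += [pscustomobject]@{ Type = 'ExclusionExtension'; Value = $ext; Reason = 'files with this extension are not scanned' }
}
foreach ($proc in $pref.ExclusionProcess) {
    $findings += [pscustomobject]@{ Type = 'ExclusionProcess'; Value = $proc; Reason = 'files written by this process are not scanned' }
}

# Protection features that should normally be on. Each is a Disable* boolean on
# Get-MpPreference, so $true means the protection is turned OFF.
$switches = 'DisableRealtimeMonitoring', 'DisableBehaviorMonitoring', 'DisableIOAVProtection',
            'DisableScriptScanning', 'DisableBlockAtFirstSeen'
foreach ($name in $switches) {
    if ($pref.$name -eq $true) {
        $findings += [pscustomobject]@{ Type = 'ProtectionDisabled'; Value = $name; Reason = 'set to true' }
    }
}

# Network protection blocks connections to known-bad hosts from any process:
# 1 = enabled, 0 = disabled, 2 = audit mode (logs only, blocks nothing).
if ($pref.EnableNetworkProtection -ne 1) {
    $findings += [pscustomobject]@{ Type = 'ProtectionDisabled'; Value = 'EnableNetworkProtection'; Reason = "value is $($pref.EnableNetworkProtection), expected 1" }
}

if ($findings.Count -eq 0) {
    Write-Host 'No risky Defender exclusions or disabled protections found.'
} else {
    $findings | Format-Table -AutoSize
}
```

Any finding is a question to answer, not necessarily a setting to delete: a vendor-mandated exclusion for a database directory may be legitimate, but an excluded OneDrive folder or an excluded scripting extension rarely is. Run the same audit across the fleet (through your RMM or a scheduled task) rather than on one machine, because exclusions are usually added one host at a time and never reviewed again.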
Setting up alerts for disabled antivirus software
Attackers will often try to disable your antivirus software to avoid detection. If a local administrator account is compromised, or the attacker has exploited a vulnerability to gain a foothold in your network, they can silently disable Microsoft Defender. You should review your configuration to confirm that you would be alerted if antivirus protection were disabled, and enable Defender's tamper protection so that a local administrator cannot simply switch real-time protection off. Remember that a disabled-protection event only helps if it leaves the machine: forward the Defender event log to a collector or SIEM, because an attacker who can disable Defender can usually clear the local log as well.
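The following script is an added example, not code from the original article, showing one way to answer the question "would I be alerted?" on a Windows host. It checks Defender's current state with Get-MpComputerStatus, looks back through the Defender operational log for the events Windows writes when protection is turned off, and then registers a scheduled task that fires on those events so there is no polling gap. The log name, event IDs, and Get-MpComputerStatus properties are Microsoft's; `C:\Scripts\Send-Alert.ps1` is an assumed notification script (ticket, email, SIEM webhook) that you would supply. Run it elevated.

```powershell
# Added example: detect a disabled Microsoft Defender and alert on the event.

# 1. Point-in-time check: is protection on right now?
$status = Get-MpComputerStatus
$checks = [ordered]@{
    AntivirusEnabled          = $status.AntivirusEnabled
    RealTimeProtectionEnabled = $status.RealTimeProtectionEnabled
    BehaviorMonitorEnabled    = $status.BehaviorMonitorEnabled
    IoavProtectionEnabled     = $status.IoavProtectionEnabled   # scans downloads/attachments
    IsTamperProtected         = $status.IsTamperProtected       # blocks local disabling
}
$off = $checks.GetEnumerator() | Where-Object { -not $_.Value }
if ($off) {
    Write-Warning ('Defender protection is OFF: ' + (($off | ForEach-Object Key) -join ', '))
} else {
    Write-Host 'All checked Defender protections are on.'
}

# 2. Historical check: was protection disabled in the last 7 days?
# Event IDs in the Microsoft-Windows-Windows Defender/Operational log:
#   5001  real-time protection disabled
#   5010  scanning for malware and potentially unwanted software disabled
#   5012  scanning for viruses disabled
$disabledEvents = Get-WinEvent -FilterHashtable @{
    LogName   = 'Microsoft-Windows-Windows Defender/Operational'
    Id        = 5001, 5010, 5012
    StartTime = (Get-Date).AddDays(-7)
} -ErrorAction SilentlyContinue   # no matching events raises an error; treat as empty

if ($disabledEvents) {
    Write-Warning "Defender was disabled $($disabledEvents.Count) time(s) in the last 7 days:"
    $disabledEvents | Select-Object TimeCreated, Id, Message | Format-Table -Wrap
}

# 3. Alert on the next occurrence. Task Scheduler's event trigger is not exposed
# by New-ScheduledTaskTrigger, so build the MSFT_TaskEventTrigger CIM instance
# directly and give it an XPath subscription for the three event IDs.
$query = @"
<QueryList>
  <Query Id="0" Path="Microsoft-Windows-Windows Defender/Operational">
    <Select Path="Microsoft-Windows-Windows Defender/Operational">
      *[System[(EventID=5001 or EventID=5010 or EventID=5012)]]
    </Select>
  </Query>
</QueryList>
"@

$triggerClass = Get-CimClass -ClassName MSFT_TaskEventTrigger -Namespace Root/Microsoft/Windows/TaskScheduler
$trigger = New-CimInstance -CimClass $triggerClass -ClientOnly
$trigger.Subscription = $query
$trigger.Enabled = $true

# Assumption: Send-Alert.ps1 is your own script that notifies the on-call channel.
$action = New-ScheduledTaskAction -Execute 'powershell.exe' `
    -Argument '-NoProfile -ExecutionPolicy Bypass -File C:\Scripts\Send-Alert.ps1 -Reason DefenderDisabled'
$principal = New-ScheduledTaskPrincipal -UserId 'SYSTEM' -LogonType ServiceAccount -RunLevel Highest

Register-ScheduledTask -TaskName 'Alert-DefenderDisabled' -Trigger $trigger `
    -Action $action -Principal $principal -Force | Out-Null
Write-Host "Registered task 'Alert-DefenderDisabled' on Defender events 5001/5010/5012."
```

The scheduled task is a useful local tripwire, but an attacker with administrative rights can delete the task or clear the log, so pair it with Windows Event Forwarding or your SIEM agent shipping the Defender operational log off the box, and, where you use Microsoft Defender for Endpoint or a third-party EDR, rely on the console's own "protection disabled" alerts as the primary signal. Step 1 is also worth running fleet-wide on a schedule: a host that reports IsTamperProtected as false is one where this whole chain can be quietly switched off.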