How to defend Office 365 from spear-phishing attacks
A recent Windows Defender Advanced Threat Protection (ATP) alert described an Adobe Flash zero-day vulnerability (CVE-2018-15982) that was used in a spear-phishing attack against a medical institution in Russia. Adobe released a patch on December 5, 2018. This vulnerability and attack sequence highlighted a number of mitigations that you can use to block such attacks.
The attack started with a spear-phishing campaign. In this instance, the spear-phishing email carried a RAR archive containing two files. The first was a lure document. The second was another RAR archive disguised as a .jpg file.
When the user opened the document, an embedded ActiveX Flash control was activated. The control then ran a command script that extracted the archive and ran the payload. A scheduled task was created to start a backdoor whenever the user logged in. The backdoor collected system information and uploaded it to a hard-coded command-and-control IP address every five minutes. It could also receive instructions, which were loaded directly into memory.
You can mitigate this threat in several ways, and you can detect whether your email account has been compromised. Enable Windows Defender System Guard to turn on hardware-based isolation. Enable cloud-delivered protection and automatic sample submission in Windows Defender Antivirus, so that cloud-based machine learning can detect new variants.
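Beyond the product settings above, the backdoor's fixed five-minute check-in to one hard-coded address is itself detectable in outbound-connection telemetry. The following Python script is an added example, not code from the original article or from Microsoft; the log format, host name and IP addresses are constructed assumptions, and the thresholds are illustrative.

```python
"""Beacon hunt: flag (host, dst_ip) pairs whose outbound connections recur on a
near-fixed interval, like the five-minute C2 check-in described above."""
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed sample of outbound-connection log lines (not real telemetry).
# Assumed format: "<ISO timestamp> <host> -> <dst_ip>:<port>"
SAMPLE_LOG = """\
2018-12-06T09:00:02 ws17 -> 203.0.113.45:443
2018-12-06T09:00:10 ws17 -> 198.51.100.7:443
2018-12-06T09:05:01 ws17 -> 203.0.113.45:443
2018-12-06T09:07:44 ws17 -> 198.51.100.7:443
2018-12-06T09:10:03 ws17 -> 203.0.113.45:443
2018-12-06T09:15:02 ws17 -> 203.0.113.45:443
2018-12-06T09:19:30 ws17 -> 198.51.100.7:443
2018-12-06T09:20:01 ws17 -> 203.0.113.45:443
2018-12-06T09:25:03 ws17 -> 203.0.113.45:443
2018-12-06T09:41:12 ws17 -> 198.51.100.7:443
"""


def parse_log(text):
    """Return {(host, dst_ip): [timestamps]} from the constructed log format."""
    conns = defaultdict(list)
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, host, _, dst = line.split()
        ip = dst.rsplit(":", 1)[0]
        conns[(host, ip)].append(datetime.fromisoformat(ts))
    return conns


def find_beacons(conns, min_hits=5, max_jitter=0.1):
    """Flag pairs with at least min_hits connections whose inter-arrival gaps
    vary by no more than max_jitter (coefficient of variation).
    Returns {(host, ip): mean period in seconds}."""
    hits = {}
    for key, times in conns.items():
        if len(times) < min_hits:
            continue
        times.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        avg = mean(gaps)
        if avg > 0 and pstdev(gaps) / avg <= max_jitter:
            hits[key] = round(avg)
    return hits


if __name__ == "__main__":
    for (host, ip), period in find_beacons(parse_log(SAMPLE_LOG)).items():
        print(f"possible beacon: {host} -> {ip} every ~{period}s")
```

The irregular traffic to 198.51.100.7 is ignored, while the ~300-second cadence to 203.0.113.45 is flagged; in practice, raise min_hits and correlate with process lineage before acting on a hit.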