Cloud CRM provides a rich collaborative environment for distributed teams to share process files with internal users as well as external partners. For this reason, cloud CRM services are widely used to store an organization’s most critical customer data and deliver the data to corporate users via the web and native ecosystem applications. While this rich collaborative environment provides an efficient platform for CRM, it also provides a rich environment for attacks to propagate. Netskope Threat Research Labs has observed this cloud CRM vector being used to spread Locky ransomware via a Microsoft Office feature called Dynamic Data Exchange (DDE).
Cloud CRM enables external partners to interact with internal users seamlessly. This can happen via exposing Cloud CRM workflows to the external partners via email portals, or via shared workflow elements directly. Additionally, the growth of interconnected cloud services provides new paths for malicious files to make their way into cloud CRM services. For example, several popular services integrate with cloud storage services such as Box, Dropbox, and Microsoft Office 365 OneDrive for Business, as well as collaboration services such as Slack. While each of these is an asset to a collaborative workplace, it is also an infection vector for malware. Once inside the Cloud CRM service, malware is delivered to unsuspecting users via the implicit CRM workflows and collaboration features.
The delivery of malware from Cloud CRM services typically begins with the initial step of uploading malicious files into the Cloud CRM service. There are many ways in which malicious files make their way into these services. An enterprise user operating on an unmanaged and insecure device could upload files as attachments to the CRM service. Many enterprises provide their vendors and partners access to their CRM services for uploading documents such as invoices, purchase orders, etc. (and often these happen as automated workflows). The enterprise has no control over the vendor or partner device and, most importantly, over the files being uploaded from them. In many cases, vendor or partner-uploaded files carry with them a high level of implicit trust and are acted on urgently.
This causes externally vetted files to be entered into the collaborative stream. Once these files are shared in cloud CRM services, they are typically treated as vetted documents created by members of the workflow meant for consumption by all users. Either the sales organization users or other users involved in the customer relationship process will open these files believing to be associated with a sales engagement or as per the CRM workflow. Couple this with recurring attack filenames, such as Invoice*.doc, or Purchase_Order*.doc, and the stage is set for an infection.
Cloud CRM Attack Flow
Figure 1: Cloud CRM propagation network
In this example attack, a malicious file named Invoice_file_68169.doc was received by the initial victim and uploaded to the user’s CloudCRM system. This may have been done by the user manually, or by automated systems that import selected emails into collaborative systems. This Invoice_file_68169.doc attack file is all the more deadly as it uses the recent DDE attack to infect vulnerable users.
One this Invoice_file_68169.doc file is in the Cloud CRM system, all peers and partners in the workflow will assume that the initial victim created the file and it needs to be further processed. Many will open the document in an attempt to act on the invoice.
Once this occurs, it displays two warning messages to the victim. The first warning says the document contains linked files as shown in Figure 2.
Figure 2: First warning message stating document contains linked files.
The document then displays a second warning message asking to start the command line applications as shown in Figure 3.