I saw this exploit on LinkedIn and it's fairly troubling. Essentially, if a user accepts a third-party add-in to Outlook and grants it the right permissions, the hacker can encrypt their email and hold it for ransom. Here is the video that demonstrates the exploit.

There have been two proposed solutions to the exploit.  The first is to disable Integrated Apps in O365 (link).  The second is to turn off user consent for Integrated Apps (link), or to only allow certain users to install apps (link).  To me, none of those are good solutions as they essentially take away the benefits that we can gain from the use of Integrated Apps.

Good news: Microsoft does provide admins with some decent tools in this area. If you own EM-S E5 licenses, you can use their Cloud App Security product to see what apps are actually accessing in your tenant and what is potentially an issue. To accomplish this, you first need to create an App Discovery Report using Cloud App Security (link). Once you have that report, you can use the Cloud App Discovery Dashboard to see how people are using your apps and what potential vulnerabilities exist (link). The Dashboard will not only inform you of potentially harmful apps; it will also allow you to ban them or revoke permissions as needed.

[Screenshot: Cloud App Security Dashboard showing who is using apps and their security impact on your organization]

This option gives admins the correct control over Integrated Apps, while still allowing our users to use apps that will increase their productivity. Yes, you need the EM-S E5 license, but increasingly I am of the opinion that it is becoming a “cost of doing business” as opposed to a “nice to have” option. When you factor in the malicious link protection that would have prevented this exploit from affecting you in the first place…well, as Microsoft says, we all have that one employee who will click on ANYTHING.
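The same "who granted what" review can be run over an export of delegated permission grants. The script below is an added example, not code from this post or from Microsoft: the records are constructed in the shape of Microsoft Graph `oauth2PermissionGrant` objects, and both the list of scopes treated as risky and the "user-consented apps first" ordering are assumptions.

```python
"""Triage delegated OAuth grants for mailbox-capable third-party apps.

Added example. The records below are constructed; field names follow the
Microsoft Graph oauth2PermissionGrant resource. RISKY_SCOPES is an assumed
policy choice, not a list taken from the original post.
"""
from collections import defaultdict

# Assumption: scopes that let an app rewrite or send mail on a user's behalf.
RISKY_SCOPES = {"Mail.ReadWrite", "Mail.Send", "MailboxSettings.ReadWrite"}

# Constructed sample data (IDs are placeholders, not real tenants or apps).
SAMPLE_GRANTS = [
    {"clientId": "app-calendar-helper", "consentType": "AllPrincipals",
     "principalId": None, "scope": "User.Read Calendars.Read"},
    {"clientId": "app-mail-tidy", "consentType": "Principal",
     "principalId": "user-alice", "scope": "User.Read Mail.ReadWrite offline_access"},
    {"clientId": "app-mail-tidy", "consentType": "Principal",
     "principalId": "user-bob", "scope": "mail.readwrite Mail.Send"},
    {"clientId": "app-crm-sync", "consentType": "AllPrincipals",
     "principalId": None, "scope": "Mail.Send"},
]

def triage_grants(grants, risky_scopes=RISKY_SCOPES):
    """Return {clientId: {"scopes", "users", "admin_consented"}} for risky apps."""
    risky_lower = {s.lower(): s for s in risky_scopes}
    findings = defaultdict(lambda: {"scopes": set(), "users": set(),
                                    "admin_consented": False})
    for g in grants:
        # 'scope' is a space-separated string; tolerate case drift in exports.
        hits = {risky_lower[s.lower()] for s in (g.get("scope") or "").split()
                if s.lower() in risky_lower}
        if not hits:
            continue
        entry = findings[g["clientId"]]
        entry["scopes"] |= hits
        if g.get("consentType") == "Principal":
            entry["users"].add(g.get("principalId"))  # individual user consent
        else:
            entry["admin_consented"] = True           # tenant-wide grant
    return dict(findings)

def review_queue(findings):
    """Apps to review first: user-consented only, most affected users first."""
    user_only = [(app, f) for app, f in findings.items() if not f["admin_consented"]]
    return [app for app, f in sorted(user_only, key=lambda x: (-len(x[1]["users"]), x[0]))]

if __name__ == "__main__":
    found = triage_grants(SAMPLE_GRANTS)
    for app in review_queue(found):
        print(app, sorted(found[app]["scopes"]), sorted(found[app]["users"]))
```

Apps that appear in the review queue are candidates for the ban or revoke actions described above.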


Forgot to include the link to the video showing the exploit. https://www.youtube.com/embed/VX59Gf-Twwo