SonicWall 2021 Threat Report and Microsoft Defender ATP Safe Documents Protection

Every year I review several annual threat reports by different companies that excel in the area of cybersecurity. The reports from Verizon, Microsoft, Cisco, and SonicWall are some of my favorites to read, as they provide a lot of great indicators of how attackers have shifted and continue to shift their targets and strategies. It is very interesting to see the independent analysis of such large sets of signals by four very different companies with unique data sets, only to see very similar trend lines.

I recently viewed the SonicWall 2021 Threat Report presentation that was released on April 1, 2021. As always, SonicWall did a fantastic job in the presentation of their global cybersecurity-related data. One of the most striking numbers I heard during the presentation was how they identified a 67% increase over the previous year in the number of malicious files being passed as Microsoft Office files. Of all the malicious files SonicWall identified, nearly 1 in 4 was in the Microsoft Office format. The other 75% of malicious files were scripts, PDFs, EXE, archive, and other file formats. Because Microsoft Office is used by over 200 million people on the planet every day, it is an extremely large target for attackers to focus on.

Informational graphic credit: SonicWall 2021 Threat Report Presentation

SonicWall offers a fantastic security service with their firewalls and is continuing to expand in terms of services and innovative products. I have been setting up their firewalls for companies for over 15 years and love them. More recently, SonicWall has expanded into cloud capturing services, from their Advanced Threat Protection product, which scans files while they are in email transit, to including it in their Capture Client, where files are scanned just before the user is allowed to open them. These are the areas where SonicWall has reported seeing the large increase in identified files using the Office 365 format.

During the presentation, I enjoyed hearing the pitch about SonicWall’s Capture ATP service to help identify malicious files. But I need to call out that a similar capability is now built into Microsoft Office 365 products: the ability to have a file scanned by the Microsoft Defender Advanced Threat Protection (ATP) service at the same time the file is opened. The difference is that the file is actually opened in a read-only mode, so the user can start reviewing it instead of waiting for a scan and then delivery. The scan typically takes seconds to complete, but in a world that moves as fast as ours often seems to, every second seems to matter.

To illustrate this built-in capability in Microsoft Word: today, when a file is received as an email attachment, a banner is added to the top of the screen indicating that the file is being opened in Protected View. The user must click Enable Editing to switch from this mode to standard editing.

Using the new Safe Documents feature in Office 365, users instead will see this message:

If the file is found to be malicious by Microsoft Defender ATP, users will see the message below. Although the file is infected, the user is still allowed to review it, while the file remains in a read-only status that the user cannot modify.

If the file is found to be non-malicious, the notification bar will be removed and the user can proceed in edit mode.

To enable Safe Attachments, a policy must be defined and assigned to users. To set up this great feature as an added level of security, please see this article. If you would like to review the SonicWall 2021 Cybersecurity Report, sign up using this site. To view the entire presentation, see the recording in this location.

Author: KMartins

Microsoft full time employee specializing in security and collaboration products available in Office 365 and Azure. https://www.linkedin.com/in/kevin-martins-/
