What is Office 365 Shell WCSS?
Office 365 Shell WCSS is the browser code that runs whenever a user navigates to (most) Office365 applications in the browser. The shell, also known as the suite header, is shared code that loads as part of almost all Office365 workloads, including SharePoint, OneDrive, Outlook, Yammer, and many more.
Definition of an Office 365 shell WCSS attack
An Office 365 shell WCSS attack is one that targets Microsoft Office 365 to gain access to a user's account by bypassing standard authentication challenges. The exploit allows the attacker to gain access to a user's account without knowing the user name or password, and will even bypass accounts that are configured for MFA. The exploit is made possible by the harvesting of a legitimate Microsoft 365 session token, which can occur when the account owner clicks a link provided by the attacker (typically in a phishing email). The token may also be acquired by the attacker if malware is successfully installed on the device. Once the attacker has the token, they can log into the account and perform any action permitted by the account.
To help prevent a WCSS shell attack:
- Train users to NEVER click on a link or document unless they were expecting it from a trusted party
- Configure Microsoft 365 to expire user session tokens frequently by establishing a low idle session timeout value.
- Turn off the optional prompt for users to "keep me signed in" to Microsoft 365 (custom branding configuration required).
- Set sign-in frequency controls using conditional access (if available to the tenant): https://learn.microsoft.com/en-us/azure/active-directory/conditional-access/howto-conditional-access-session-lifetime
- Ensure that admin accounts are never left logged in and unattended
- Audit guest accounts regularly and remove old and unused accounts
- Keep Web browsers (Chrome, Edge, Firefox, etc.) up to date.
- Ensure that local Office 365 applications are updated regularly.
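The session-lifetime controls above (a low sign-in frequency and no persistent "keep me signed in" browser session) can be applied as a Conditional Access policy. The following is an added example, not code from this article or from SaaS Alerts: it uses the Microsoft Graph PowerShell SDK to create the policy in report-only mode so its effect can be reviewed in the sign-in logs before it is enforced. The policy name, the one-hour frequency, the excluded break-glass group id (a placeholder) and the permission scopes are assumptions for this example, not values from the article.

```powershell
# Added example: report-only Conditional Access policy that limits session lifetime.
# Requires the Microsoft.Graph PowerShell SDK (Microsoft.Graph.Identity.SignIns module).
# Scopes shown are an assumption; adjust to what your tenant has consented to.
Connect-MgGraph -Scopes "Policy.ReadWrite.ConditionalAccess", "Policy.Read.All"

# Placeholder: object id of the emergency-access (break-glass) group to exclude,
# so a too-aggressive policy cannot lock every admin out.
$breakGlassGroupId = "<BREAK-GLASS-GROUP-OBJECT-ID>"

$policy = @{
    displayName = "Session lifetime - 1h sign-in frequency, no persistent browser (report-only)"
    # Report-only first: sign-in logs show what *would* have happened without blocking anyone.
    state       = "enabledForReportingButNotEnforced"
    conditions  = @{
        users = @{
            includeUsers  = @("All")
            excludeGroups = @($breakGlassGroupId)
        }
        # Persistent browser session control requires the policy to target all cloud apps.
        applications = @{
            includeApplications = @("All")
        }
        clientAppTypes = @("browser", "mobileAppsAndDesktopClients")
    }
    sessionControls = @{
        # Re-authenticate (including MFA) at least every hour: a harvested token
        # stops being useful once the next sign-in frequency window passes.
        signInFrequency = @{
            isEnabled = $true
            type      = "hours"   # "days" is also accepted
            value     = 1
        }
        # Never keep the browser session across browser restarts (overrides "keep me signed in").
        persistentBrowser = @{
            isEnabled = $true
            mode      = "never"
        }
    }
}

$created = New-MgIdentityConditionalAccessPolicy -BodyParameter $policy
$created | Select-Object Id, DisplayName, State

# Check: list every policy that already enforces a sign-in frequency, so overlapping
# or conflicting lifetimes are visible before switching the new one to "enabled".
Get-MgIdentityConditionalAccessPolicy |
    Where-Object { $_.SessionControls.SignInFrequency.IsEnabled } |
    Select-Object DisplayName, State,
        @{ n = 'Frequency'; e = { "$($_.SessionControls.SignInFrequency.Value) $($_.SessionControls.SignInFrequency.Type)" } }
```

Once the report-only results look right, change `state` to `enabled` (for example with `Update-MgIdentityConditionalAccessPolicy`). Sign-in frequency only forces re-authentication at the next interactive sign-in within the window; it does not by itself invalidate a token that has already been stolen, which is why the response steps further down still matter.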
To help mitigate the consequences of a successful WCSS shell attack:
- Limit user permissions to the lowest required roles
- Monitor and restrict access to sensitive data and resources to only those accounts that require access as part of their job function
- Regularly review and update security policies, including email filtering and data retention policies.
- Monitor user account activity for email forwarding, excessive document downloads or deletions and excessive file sharing.
- Using SaaS Alerts Respond, establish rules that will expire tokens and disable sign-in when suspicious account behavior is detected, especially when the suspicious behavior is account usage from outside approved geolocations.
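The monitoring and response steps above (watching for mail forwarding and sign-ins from outside approved geolocations, then expiring tokens and disabling sign-in) can also be performed directly with the Exchange Online and Microsoft Graph PowerShell modules. The following is an added example, not code from this article or from SaaS Alerts Respond. The internal domain list, the approved country list, the 24-hour lookback and the permission scopes are assumptions for this example; the containment function is deliberately separate so that a reviewer decides which findings to act on.

```powershell
# Added example: detect two common post-compromise signals and contain an account.
# Requires the ExchangeOnlineManagement and Microsoft.Graph modules.
# Scopes shown are an assumption; adjust to what your tenant has consented to.
Connect-ExchangeOnline
Connect-MgGraph -Scopes "AuditLog.Read.All", "Directory.Read.All", "User.ReadWrite.All", "User.EnableDisableAccount.All"

# Placeholders: your accepted email domains and the countries you expect sign-ins from.
$internalDomains   = @("contoso.com")
$approvedCountries = @("US", "CA")

function Get-ExternalForwarding {
    # Returns mailbox-level forwarding and inbox rules that send mail to an external domain.
    param([string[]]$InternalDomains)
    $findings = @()
    Get-Mailbox -ResultSize Unlimited | ForEach-Object {
        $mbx = $_
        # Mailbox-level forwarding (set through Outlook options or by an admin).
        if ($mbx.ForwardingSmtpAddress) {
            $target = $mbx.ForwardingSmtpAddress -replace '^smtp:', ''
            if ($InternalDomains -notcontains $target.Split('@')[-1]) {
                $findings += [pscustomobject]@{ Mailbox = $mbx.UserPrincipalName; Kind = 'MailboxForwarding'; Target = $target }
            }
        }
        # Inbox rules: forward / forward-as-attachment / redirect actions.
        Get-InboxRule -Mailbox $mbx.UserPrincipalName | Where-Object { $_.Enabled } | ForEach-Object {
            $rule = $_
            foreach ($recipient in @($rule.ForwardTo) + @($rule.ForwardAsAttachmentTo) + @($rule.RedirectTo)) {
                # Recipients are rendered as '"Name" [SMTP:address]'; extract the address.
                if ("$recipient" -match 'SMTP:([^\]\s]+)') {
                    $addr = $Matches[1]
                    if ($InternalDomains -notcontains $addr.Split('@')[-1]) {
                        $findings += [pscustomobject]@{ Mailbox = $mbx.UserPrincipalName; Kind = "InboxRule:$($rule.Name)"; Target = $addr }
                    }
                }
            }
        }
    }
    return $findings
}

function Get-SignInsOutsideRegions {
    # Returns successful sign-ins in the last $Hours whose country is not on the approved list.
    param([string[]]$ApprovedCountries, [int]$Hours = 24)
    $since = (Get-Date).ToUniversalTime().AddHours(-$Hours).ToString("yyyy-MM-ddTHH:mm:ssZ")
    Get-MgAuditLogSignIn -All -Filter "createdDateTime ge $since and status/errorCode eq 0" |
        Where-Object { $_.Location.CountryOrRegion -and ($ApprovedCountries -notcontains $_.Location.CountryOrRegion) } |
        Select-Object UserPrincipalName, CreatedDateTime, IpAddress, AppDisplayName,
            @{ n = 'Country'; e = { $_.Location.CountryOrRegion } }
}

function Invoke-ContainUser {
    # Expire the user's tokens and block sign-in. Run only on findings a reviewer has confirmed.
    param([Parameter(Mandatory)][string]$UserPrincipalName)
    # Invalidates refresh tokens and session cookies; already-issued access tokens remain valid
    # until they expire, so expect up to an hour before the stolen session is fully dead.
    Revoke-MgUserSignInSession -UserId $UserPrincipalName | Out-Null
    Update-MgUser -UserId $UserPrincipalName -AccountEnabled:$false
}

# Review the findings first, then contain confirmed accounts one at a time.
$forwarding = Get-ExternalForwarding -InternalDomains $internalDomains
$forwarding | Format-Table -AutoSize
Get-SignInsOutsideRegions -ApprovedCountries $approvedCountries | Format-Table -AutoSize
# Invoke-ContainUser -UserPrincipalName "user@contoso.com"   # placeholder UPN
```

Removing the forwarding rule and resetting the password belong in the same playbook; revoking sessions without a password reset leaves a credential-based re-entry open if the attacker also captured the password.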
Additional KB article regarding Token Safety.
Additional Articles related to WCSS
What is Office 365 Shell WCSS-Client?
"O365 Suite EX" and "Office365 Shell WCSS-Client" Compromised