eDiscovery Daily Blog

New Phishing Scam Goes After Office 365 Users: Cybersecurity Trends

According to a recent blog post, a new phishing campaign is taking advantage of a small but serious oversight in Microsoft’s Office 365 suite of online services to deliver phishing emails that are visually indistinguishable from work-related emails and appear completely safe. This new attack has impacted an estimated 10% of Office 365 users worldwide.

As reported in Bitdefender (The Underrated Importance of Training Your Staff to Spot Devious Phishing Attacks, written by Filip Truta, and covered by Sharon Nelson’s excellent Ride the Lightning blog), PhishPoint, as the campaign is dubbed, has a twist that most other phishing scams don’t: it goes beyond email and uses SharePoint itself to harvest end-users’ credentials.

Here is how the PhishPoint scam works:

  • Victim receives email containing a link to a SharePoint document
  • Email body is identical to a standard SharePoint invitation to collaborate
  • Victim clicks the hyperlink in the email thinking it is a legitimate work document
  • Victim’s browser automatically opens a SharePoint file
  • SharePoint file impersonates a standard access request to a OneDrive file
  • Victim clicks on “Access Document” hyperlink that leads to a spoofed Office 365 login screen
  • Victim attempts to log in, at which point their credentials are harvested by the PhishPoint authors

Exploited properly, the scam can easily lead to a catastrophic data breach. While Microsoft’s link-scanning security layer does sniff out malicious links in the body of an email, it does not scan the links inside a linked SharePoint document. Even if it did, it still couldn’t blacklist a malicious URL inside the document without blacklisting links to all SharePoint files. Researchers feel this is a dangerous oversight.

Stolen corporate domain usernames and credentials are in high demand on the dark web and underground specialized forums. As more and more organizations are moving to cloud-based solutions, phishers themselves are adjusting their techniques to steal credentials via existing attack tools, such as phishing kits.

These phishing kits are usually stored on legitimate-but-compromised websites and are linked to in generic communication. Fake invitations to files hosted on SharePoint Online, outstanding payments for Office 365 subscriptions, or notices of upcoming account termination are the most common lures used to persuade victims into giving away their credentials. And since the messages aren’t branded with visual identities of specific companies, these campaigns likely target a wide pool of organizations, not just a few select companies.  Some of the phishing kits even have their own defense mechanisms that enable them to fly under the radar and avoid blacklisting.

The post also provides several recommendations to avoid getting caught by phishing scammers, including hovering over the hyperlink to confirm that the destination is actually the site it claims to be, being wary of any unsolicited or uncharacteristic requests to input your credentials, and using two-factor authentication on every site that offers it, among others.

These phishing scammers can be very clever and can even mimic people from within your own organization to make you think you’re clicking on a link provided by a co-worker.  One thing we have done at CloudNine to help identify those is to mark any emails coming from an external source with an “*** External Email ***” marker inserted into the received email to help recipients identify those phishing instances.  The battle against malware scammers continues.
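As an added illustration of the two defensive checks mentioned above (this is not code from the Bitdefender post or from CloudNine), the Python script below does in code what the “hover over the link” advice asks a reader to do by eye: it compares each link’s visible text with the host it really points to, checks that host against an assumed allowlist of collaboration domains, and flags senders outside the organization for the external-email marker. The sender, organization domain, sample document and allowlist are constructed placeholders.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Assumed allowlist of hosts a collaboration link is expected to point at.
TRUSTED_LINK_HOSTS = ("sharepoint.com", "onedrive.com", "microsoft.com", "microsoftonline.com")

class _AnchorCollector(HTMLParser):
    """Collect (href, visible text) pairs from an HTML body."""
    def __init__(self):
        super().__init__()
        self.anchors, self._href, self._text = [], None, []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href", ""), []
    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)
    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.anchors.append((self._href, "".join(self._text).strip()))
            self._href = None

def _host_of(value):
    """Lowercased host of a URL, or of a URL-like string without a scheme."""
    if "://" not in value:
        value = "http://" + value
    return (urlparse(value).hostname or "").lower()

def _is_trusted(host):
    return any(host == t or host.endswith("." + t) for t in TRUSTED_LINK_HOSTS)

def analyze_email(sender, org_domain, html_body):
    """Return a list of findings; an empty list means nothing suspicious was seen."""
    findings = []
    if not sender.lower().endswith("@" + org_domain.lower()):
        findings.append("external sender: mark as *** External Email ***")
    collector = _AnchorCollector()
    collector.feed(html_body)
    for href, text in collector.anchors:
        real = _host_of(href)
        # Only treat the visible text as a claimed destination if it looks like a URL/domain.
        shown = _host_of(text) if re.search(r"\.\w{2,}", text) else ""
        if shown and shown != real:
            findings.append(f"link text shows {shown} but points to {real}")
        if not _is_trusted(real):
            findings.append(f"link host {real} is not a trusted collaboration domain")
    return findings

# Constructed sample: an "Access Document" page like the one in the PhishPoint chain.
SAMPLE_SENDER = "no-reply@sharepointonline.com"  # outside the (constructed) contoso.com organization
SAMPLE_DOC = '<p>Someone shared a file with you.</p><a href="https://login-portal.example.net/o365">Access Document</a>'
```

Because PhishPoint puts the spoofed login link inside the shared SharePoint document rather than in the email body, the same check has to be run on the document’s links, which is exactly the gap the mail-layer link scanner leaves.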

So, what do you think?  Do you have any mechanisms your organization uses to spot phishing attempts that you would like to share?  Please share any comments you might have or if you’d like to know more about a particular topic.

Sponsor: This blog is sponsored by CloudNine, which is a data and legal discovery technology company with proven expertise in simplifying and automating the discovery of data for audits, investigations, and litigation. Used by legal and business customers worldwide including more than 50 of the top 250 Am Law firms and many of the world’s leading corporations, CloudNine’s eDiscovery automation software and services help customers gain insight and intelligence on electronic data.

Disclaimer: The views represented herein are exclusively the views of the author, and do not necessarily represent the views held by CloudNine. eDiscovery Daily is made available by CloudNine solely for educational purposes to provide general information about general eDiscovery principles and not to provide specific legal advice applicable to any particular circumstance. eDiscovery Daily should not be used as a substitute for competent legal advice from a lawyer you have retained and who has agreed to represent you.