Office 365 Phishing Campaign Uses SharePoint Collaboration Request as Lure

A single Office 365 username/password combination can give a hacker access to a vast quantity of sensitive information. Information detailed in emails can be of great value to competitors, identity thieves, and other fraudsters.

Office 365 credentials also give hackers access to cloud storage repositories that can contain highly sensitive business information. Compromised accounts can also be used to distribute malware and conduct further phishing campaigns on an organization’s employees and business contacts.

With the potential rewards for a successful phishing attack so high, and a high percentage of businesses using Office 365 (56% of all organizations globally in 2018), it is no surprise that hackers are conducting targeted attacks on businesses that use Office 365.

Office 365 Phishing Campaign Uses SharePoint Collaboration Request as Lure

A recent report from Kaspersky Lab has highlighted an Office 365 phishing campaign that has proven to be highly effective. The campaign was first identified in August 2018 and is still active. Kaspersky Lab estimates that as many as 10% of all businesses using Office 365 have been targeted with the scam.

The campaign has been dubbed PhishPoint, as it uses a SharePoint collaboration request to lure employees into disclosing their Office 365 credentials. The emails are credible, the hyperlink appears to be genuine, the method used to obtain Office 365 login information is unlikely to arouse suspicion, and the campaign is able to bypass Office 365 anti-phishing protections.

Emails are sent to Office 365 users requesting collaboration. The emails contain a genuine link to OneDrive for Business, which directs users to a document containing an “Access Document” link at the bottom. Since the hyperlink directs the user to a genuine document in OneDrive for Business, it is not recognized as a phishing email by Office 365.

If the user clicks the link, they will be redirected to an Office 365 login page on a website controlled by the attacker. The login page looks identical to the genuine login page used by Microsoft; however, any credentials entered on the site will be captured by the attacker.

Protecting Against Office 365 Phishing Attacks

Protecting against Office 365 phishing campaigns requires a defense-in-depth approach. Microsoft’s Advanced Threat Protection should be implemented to block phishing emails and prevent them from reaching inboxes, although this campaign shows that ATP controls are not always effective. A better option is to use a spam filtering/anti-phishing solution that looks deeper than the URL and analyzes the page/document where users are directed.
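The check described above, looking past the first URL to the links inside the document the user lands on, can be sketched as follows. This is an added example, not code from Kaspersky Lab or Microsoft; the trusted-host list, the lure phrases and the sample document are illustrative assumptions.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

# Assumption: illustrative allow-list of host suffixes; tune per organization.
TRUSTED_SUFFIXES = ("sharepoint.com", "login.microsoftonline.com", "office.com")
# Assumption: call-to-action phrases; "access document" is the lure the article names.
LURE_PHRASES = ("access document", "sign in", "view document", "open document")

class AnchorCollector(HTMLParser):
    """Collect [href, visible text] for every <a> element."""
    def __init__(self):
        super().__init__()
        self.anchors, self._open = [], False
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self.anchors.append([dict(attrs).get("href") or "", ""])
            self._open = True
    def handle_data(self, data):
        if self._open:
            self.anchors[-1][1] += data
    def handle_endtag(self, tag):
        if tag == "a":
            self._open = False

def is_trusted(host):
    # Match the suffix on a label boundary so "evilsharepoint.com" does not pass.
    host = (host or "").lower().rstrip(".")
    return any(host == s or host.endswith("." + s) for s in TRUSTED_SUFFIXES)

def suspicious_second_hop_links(document_html):
    """Return (link text, host) for links pairing a lure phrase with an untrusted host."""
    parser = AnchorCollector()
    parser.feed(document_html)
    findings = []
    for href, text in parser.anchors:
        host = urlparse(href).hostname
        label = " ".join(text.split())
        if host and not is_trusted(host) and any(p in label.lower() for p in LURE_PHRASES):
            findings.append((label, host))
    return findings

# Constructed sample: content of a shared document, not taken from the campaign.
SAMPLE_DOC = """
<a href="https://contoso-my.sharepoint.com/personal/doc2">Open document</a>
<a href="https://login.microsoftonline.com.portal-auth.example/o365">Access Document</a>
<a href="https://news.example/article">Industry news</a>
"""

if __name__ == "__main__":
    print(suspicious_second_hop_links(SAMPLE_DOC))
```

The second sample link shows why the host comparison must anchor on the end of the hostname: a trusted name used as a prefix of an unrelated domain is still untrusted.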

Endpoint protection solutions offer further protection against phishing attacks and web filters can be used to prevent users from visiting phishing websites. However, these technical solutions are not infallible.

New scams that bypass anti-phishing defenses are constantly being developed by cybercriminals. Employees therefore need to be trained to identify phishing emails and should be taught cybersecurity best practices. Through regular training, employees can be conditioned to respond correctly to email threats and can be turned into a strong last line of defense.

Author: NetSec Editor