SharePoint Files Used to Harvest Office 365 Credentials

A phishing campaign termed PhishPoint uses SharePoint files to steal users’ Office 365 credentials.

Huge numbers of phishing emails are being sent to businesses that appear to be invitations to collaborate. Users are required to click the URL embedded in the email, which ultimately directs them to a malicious site where they are required to enter their Office 365 credentials. Those credentials are then captured by the attackers.

The phishing campaign was detected by cybersecurity firm Avanan. Avanan reports that approximately 10% of its Office 365 customers have received the emails, and the cloud security platform provider believes that the same percentage applies to all global users of Office 365.

The phishing emails are similar to those used in Dropbox and Google Docs phishing scams. In this case the emails appear to contain a OneDrive for Business file, and the messages are short and to the point. They simply contain a link with the text "Open Document" and a sentence asking recipients to get in touch if they have any questions. The messages are signed with full contact details.

Click the link and a SharePoint file will be automatically opened. This generates a standard OneDrive for Business access request that includes a link to click to access the document. Clicking that link will take the user to a phishing webpage which appears to be a standard Office 365 login page. The page is spoofed and entering Office 365 credentials will pass them to the attacker. Since the user is then directed to a genuine website, they are unlikely to realize that they have been phished and their credentials have been compromised.

This method of attack bypasses Microsoft’s phishing controls as the link to the phishing website comes later in the attack. Microsoft just sees a link to an actual SharePoint document and fails to recognize it as suspicious.

While the standard advice of never clicking links in emails from unknown senders could protect users against these attacks, it is often not that simple. Businesses often receive emails from unknown individuals containing genuine requests such as purchase orders.

Care should certainly be taken when opening any email. Before any requested action is taken, the email should be assessed for irregularities. In this attack, the point at which it becomes obvious that this is a phishing attack is when the user is asked to enter their Office 365 credentials. A check of the domain name at this point will reveal that all is not as it seems: the login page is not hosted on the service it claims to be part of. If the domain is not checked, the end user will fail to realize that this is a phishing attack and their Office 365 credentials will likely be disclosed.
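The domain check described above can be automated, for example in a mail-gateway rule or a browser extension that inspects a page before a user types a password. The following is an added example written for this article, not code from Avanan or Microsoft. The allowlist of Microsoft sign-in hosts and all sample URLs are constructed for the example; the allowlist should be verified against Microsoft's own documentation before it is relied on. The check matches on whole hostname labels, so lookalike hosts that merely contain the genuine name, and URLs that hide the real host behind a `user@` prefix, are both rejected.

```python
from typing import Optional
from urllib.parse import urlsplit

# Assumed allowlist of legitimate Microsoft sign-in hosts (constructed for this
# example; confirm against Microsoft documentation before using in production).
MICROSOFT_LOGIN_HOSTS = {
    "login.microsoftonline.com",
    "login.microsoft.com",
    "login.live.com",
}


def host_of(url: str) -> Optional[str]:
    """Return the lowercased hostname of an http(s) URL, or None if unusable.

    urlsplit() discards any 'user:pass@' prefix, so a URL such as
    https://login.microsoftonline.com@phish.example/ yields 'phish.example',
    which is the host the browser would actually connect to.
    """
    try:
        parts = urlsplit(url)
    except ValueError:
        return None
    if parts.scheme not in ("http", "https") or not parts.hostname:
        return None
    # Normalise case and a trailing dot so comparisons are exact.
    return parts.hostname.lower().rstrip(".")


def is_legitimate_login_host(host: str) -> bool:
    """True only if host is an allowlisted sign-in host or a subdomain of one.

    Matching is on label boundaries: the allowlisted name must be the whole
    host or its suffix after a dot, so 'login.microsoftonline.com.phish.example'
    and 'office365-login.phish.example' are both rejected.
    """
    for good in MICROSOFT_LOGIN_HOSTS:
        if host == good or host.endswith("." + good):
            return True
    return False


def assess_login_url(url: str) -> str:
    """Classify the URL of a page that asks for Office 365 credentials."""
    host = host_of(url)
    if host is None:
        return "unparseable"
    if is_legitimate_login_host(host):
        return "expected-host"
    return "unexpected-host"


if __name__ == "__main__":
    # Constructed sample URLs, not real indicators from the campaign.
    samples = [
        "https://login.microsoftonline.com/common/oauth2/authorize",
        "https://LOGIN.MICROSOFTONLINE.COM./",
        "https://login.microsoftonline.com.phish.example/login",
        "https://login.microsoftonline.com@phish.example/",
        "http://office365-login.phish.example/",
        "notaurl",
    ]
    for url in samples:
        print(f"{assess_login_url(url):16} {url}")
```

Only "expected-host" results should be allowed to proceed to a password prompt; "unexpected-host" is the PhishPoint case, where the SharePoint link was genuine but the final sign-in page is not. The check is deliberately an allowlist rather than a blocklist of known bad domains, because the phishing host changes from campaign to campaign while the set of genuine sign-in hosts does not.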

Author: NetSec Editor