PhishPoint: Office 365 Latest Phishing Attack

The attack dubbed “PhishPoint” by cloud security vendor Avanan shows how far cybercriminals will go to harvest Office 365 credentials. It chains together several familiar pieces of Office 365 so that the victim assumes everything is legitimate.

Here’s how the PhishPoint attack works:

1.  The user receives the malicious email – The email contains a link to a document hosted on SharePoint Online. Like most phishing emails, it creates a sense of urgency.

2.  The link directs to SharePoint – The attackers use genuine SharePoint Online URLs, which lends the email and the link credibility, since the user is being sent to a known-good hosting site. Because the link itself is legitimate, link checks on the email have nothing to flag.

3.  Users are shown a OneDrive prompt – The SharePoint file impersonates a request to access a OneDrive file (again, a known cloud entity), with an "Access Document" hyperlink that actually points to an attacker-controlled URL.

4.  Users are presented with an Office 365 logon screen – This is where the theft happens: a very authentic-looking copy of the Office 365 sign-in page, hosted by the attackers, captures the user’s credentials.

PhishPoint marks an evolution in phishing attacks, where hackers go beyond just email and use SharePoint to harvest end-users' credentials for Office 365.

Essentially, the attackers use SharePoint files to host phishing links. Because the malicious link sits inside a SharePoint file rather than in the email itself, Office 365's built-in email security sees only a legitimate SharePoint URL in the message and lets it through. While this gap has since been closed, incidents like this are a constant reminder that scammers are always looking for new ways into your business.

How to Protect Yourself

Like many of the phishing attempts we've discussed and seen, these attacks are designed to be visually indistinguishable from legitimate work-related emails.

  • Be skeptical of any email subject line that leans on capitalized pressure words such as URGENT or ACTION REQUIRED.
  • Be suspicious of URLs in the body of an email, even when they point to a trusted service such as SharePoint; in this attack the legitimate link is only the first hop.
  • When presented with a login page, check the address bar to confirm the page is actually hosted by the service asking you to sign in. The Office 365 sign-in form is served from login.microsoftonline.com; a login form on any other domain, including one that merely contains "microsoft" somewhere in its name, should be treated as a phishing page.
  • If you receive an unexpected or uncharacteristic email from someone at your organization, contact them through a channel other than that email (a phone call or chat message) to confirm they actually sent it.
  • Turn on multi-factor authentication (MFA) for Office 365 and your other platforms: a harvested password alone is then not enough to sign in.
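The address-bar check above is the one step a user or help desk can apply to the final page of this attack. The script below is an added example (not code from the original post or from Avanan) that automates that check for a URL reported as "it showed me an Office 365 login": it parses the URL, extracts the host the browser would really connect to, and reports whether that host is a genuine Office 365 sign-in host. The allowlist (only login.microsoftonline.com), the brand-string list, and every sample URL are assumptions constructed for the example; extend the allowlist if your tenant signs in through its own federation server.

```python
"""Decide whether a sign-in page URL is really hosted by Office 365.

Added example, not from the original post. The allowlist, brand tokens and
sample URLs below are assumptions constructed for illustration.
"""
from urllib.parse import urlsplit

# Assumed allowlist: hosts that legitimately serve the Office 365 sign-in form.
# Add your own federation (e.g. ADFS) host here if your tenant uses one.
LEGIT_LOGIN_HOSTS = ("login.microsoftonline.com",)

# Brand strings attackers reuse inside lookalike hostnames.
BRAND_TOKENS = ("microsoftonline", "microsoft", "office365", "sharepoint", "onedrive")


def is_legit_login_host(host: str) -> bool:
    """True if host is an allowlisted sign-in host or a subdomain of one."""
    host = host.lower().rstrip(".")  # tolerate a trailing dot (FQDN form)
    return any(host == h or host.endswith("." + h) for h in LEGIT_LOGIN_HOSTS)


def classify_login_url(url: str) -> tuple:
    """Return ("ok", reason) or ("phish", reason) for a URL showing a login form."""
    parts = urlsplit(url.strip())
    # .hostname is lowercased and has userinfo and port already removed,
    # so it is the name the browser actually resolves.
    host = parts.hostname or ""
    if parts.scheme.lower() != "https":
        return ("phish", "sign-in form not served over HTTPS: %s" % url)
    if "@" in parts.netloc:
        # https://login.microsoftonline.com@evil.example/ connects to evil.example;
        # the text before '@' is userinfo, shown to fool the reader.
        return ("phish", "userinfo before '@' disguises the real host %r" % host)
    if is_legit_login_host(host):
        return ("ok", "host %r is an Office 365 sign-in host" % host)
    if any(tok in host for tok in BRAND_TOKENS):
        return ("phish", "lookalike host %r contains a Microsoft brand string "
                         "but is not a sign-in host" % host)
    return ("phish", "host %r is not an Office 365 sign-in host" % host)


# Constructed sample URLs (not real indicators): one genuine sign-in URL,
# a SharePoint document link (documents are not where you type a password),
# and three disguises a PhishPoint-style landing page might use.
SAMPLE_URLS = [
    "https://login.microsoftonline.com/common/oauth2/authorize?client_id=abc",
    "https://contoso.sharepoint.com/:w:/s/Finance/doc.docx",
    "https://login.microsoftonline.com.secure-docs.example/office/",
    "https://login.microsoftonline.com@203.0.113.5/index.php",
    "http://login.microsoftonline.com/",
]

if __name__ == "__main__":
    for sample in SAMPLE_URLS:
        verdict, reason = classify_login_url(sample)
        print("%-5s %s" % (verdict, reason))
```

The important design choice is to trust only the parsed hostname, never the visual appearance of the string: the userinfo trick and the "real domain as a subdomain of the attacker's domain" trick both survive a quick glance but fail this check. Note that a SharePoint document host is also reported as "phish" here on purpose: SharePoint redirects you to login.microsoftonline.com to authenticate, so a password form whose address bar still shows a document host is not the real sign-in page.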

At IT Solutions we have a number of processes in place to keep your data safe from attacks like this. If you're interested in learning about our advanced security package, talk to your vCIO or contact us today. 

© 2020 IT Solutions Consulting, Inc. All rights reserved.