A new Office 365 phishing scam has been detected that attempts to get users to part with their Office 365 credentials with a request for collaboration via SharePoint. These collaboration requests spoofing SharePoint are becoming more common.
The SharePoint spoofing campaign was first detected in the summer of 2018 by researchers at cybersecurity firm Avanan. The Office 365 phishing scam is ongoing and has proven to be highly effective. According to Kaspersky Lab, the phishing campaign has been used in targeted attacks on at least 10% of companies that use Office 365.
This Office 365 phishing scam abuses trust in SharePoint services that are often used by employees. An email is sent to an Office 365 user that contains a link to a document stored in OneDrive for Business. In contrast to many phishing campaigns that spoof links and fool users into visiting a website other than the one indicated by the link text, this link actually does direct the user to an access request document on OneDrive.
A link in the document then directs users to a third-party website where they are presented with a Microsoft Office 365 login page that is a perfect copy of the official Office 365 login page. If login credentials are entered, they are given to the scammers. Once obtained, it is possible for the scammers to gain access to the Office 365 account of the user, including email and cloud storage.
The email accounts can be used for further phishing campaigns on the user’s contacts. Since those messages come from within the organization, they are more likely to be trusted. Email accounts can also contain a wealth of sensitive information which is of great value to competitors. In healthcare, email accounts can contain patient information, including data that can be used to steal identities. The attackers can also use the compromised credentials to spread malware. Employees may know not to open attachments from unknown individuals, but when they are sent from a colleague, they are more likely to be opened.
Businesses that use Microsoft’s Advanced Threat Protection (APT) service may mistakenly believe they are protected from phishing attacks such as this. However, since the links in the email are genuine OneDrive links, they are not identified as malicious. It is only the link in those documents that is malicious, but once the document is opened, Microsoft’s APT protection has already been bypassed.
Finding Office 365 users is not difficult. According to a 2017 Spiceworks survey, 83% of enterprises use Office 365 and figures from 2018 suggest 56% of organizations globally have adopted Office 365. However, a basic check can easily identify Office 365 users as it is broadcast on public DNS MX records. If one user can be found in an organization, it is highly likely that every other user will be using Office 365.
Businesses can take steps to avoid Office 365 phishing scams such as this.
- Ensure that all employees are made aware of the threat from phishing, and specifically this Office 365 phishing scam. They should be told to exercise caution with offers to collaborate that have not been preceded by a conversation.
- Conduct phishing email simulations to test defenses against phishing and identify individuals that require further security awareness training.
- Activate multifactor authentication to prevent stolen credentials from being used to access Office 365 accounts from unknown locations/devices.
- Change from APT anti-phishing controls to a third-party spam filter such as SpamTitan. This will not only improve catch rates, it will also not broadcast that the organization uses Office 365.
- Use an endpoint protection solution that is capable of detecting phishing attacks.
- Implement a web filter to prevent users from visiting known phishing websites and other malicious web pages.
Office 365 Phishing Scam Uses SharePoint Lure FAQ
How does a spam filter block social engineering attacks?
Spam filters use real-time block lists to block known sources of spam, greylisting to identify new spam sources, and SPF and DMARC to identify email impersonation attacks. Message content is checked for common signatures of phishing and social engineering attacks. Each message is assigned a score. If a threshold is reached, the message is quarantined or blocked.
What are the main anti-phishing solutions?
A spam filter is the most important anti-phishing solution to prevent phishing and other malicious messages from reaching inboxes. A web filter is important for preventing end users from visiting malicious websites, and end user training and phishing simulations to condition the workforce to recognize threats. Multi-factor authentication is also important to prevent compromised credentials from being used to access accounts.
Why do I need a third-party spam filter for Office 365?
The default Office 365 spam filter is effective at blocking spam email and known malware, but is far less effective at blocking phishing, spear phishing, and zero-day attacks. A more advanced spam filter is required to block these dangerous email threats. SpamTitan uses dual antivirus engines and sandboxing for malware protection, URLs are checked against blacklists of known spam and phishing sources, greylisting for detecting new spam sources, and SPF and DMARC for identifying email impersonation attacks.
Can antivirus software stop phishing attacks?
Antivirus software is concerned with preventing viruses, malware, and ransomware from being downloaded or executed on a device. Phishing attacks are usually concerned with obtaining sensitive information such as login credentials, and antivirus software will not block these attacks. A spam filter protects against phishing by analyzing message headers, content, and embedded hyperlinks to identify phishing and spear phishing emails and prevent them from being delivered.
Is spam filtering software expensive?
Spam filtering software offers exceptional value for money as it blocks email threats that could easily result in a costly data breach or malware infection. The cost of spam filtering software is typically a few dollars per user per year. To find out how much an advanced spam filter is likely to cost, use our cost calculator or contact the sales team for a no obligation quote.