by Matthew Gardiner

Director of Enterprise Security Campaigns

Posted Sep 19, 2018

There’s a new phishing attack targeting Office 365/SharePoint users.

Cybersecurity is a lot like an ongoing, worldwide game of chess. One side (those defending critical information, IP, money, etc.) puts up defenses against attackers (those who want to steal or disrupt that valuable data). Then the other side adjusts to those new defenses, which causes a further reaction from the defenders, and on and on it goes.

It can feel like the attackers are constantly gaining the upper hand and making more of the correct chess moves to get what they want. Because in many cases they are. The latest threat impacting users of Microsoft Office 365™ feels like one of those moves, but with the right safeguards in place, there is hope for the good guys.

Security researchers recently discovered a new type of phishing attack against Office 365 called “PhishPoint.” The tactic was outlined in this Redmond Media post last week. This type of attack bypasses many typical methods of defense and can prove especially insidious against unsuspecting users.

What is “PhishPoint?”

Here’s how this phishing attack works: a target gets an email with a link to access a SharePoint document, the type of message Office 365 users receive every day if their organization uses SharePoint.

The problem here is that this email hyperlink is a fake. Users get duped into clicking the URL to access the file, but what opens is a spoofed landing page where the target is directed to provide their Office 365 login credentials. This is how the attacker can get access to critical systems: by stealing users’ login credentials.

While this may seem like a standard phishing scam, there’s more to the story: these attacks are originating from legitimate Office 365 free trial accounts. The SharePoint documents are real documents and are themselves not malicious and thus can bypass malware detection.

Why is Office 365/SharePoint Used for Phishing?

Attackers are taking advantage of cloud services like Google and Office 365 to host their attacks. They do this because these services are highly trusted and are extensively used for legitimate purposes, and thus can’t be blocked out of hand.

Making it even easier and more cost-effective for the attacker, many of these services provide free access to trial accounts with little or no identity verification or background checks. So, not surprisingly, they are becoming a strong draw for attackers: easy to get and hard to detect.

How Can Organizations Fight Back?

All is not lost. There are a number of techniques email security providers can use to detect and block these types of attacks, such as pattern detection, URL structure analysis and advanced malware inspection, including static file analysis and behavioral sandboxing.
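As an illustration of the URL structure analysis mentioned above (an added example, not code from the original post or from any vendor's product), the following Python checks the links in an HTML email body and flags SharePoint links whose tenant is not on an organization's allowlist, as well as links whose text mentions SharePoint but whose host is not under sharepoint.com. The allowlist, function names and sample message are assumptions constructed for this example.

```python
from html.parser import HTMLParser
from urllib.parse import urlsplit

TRUSTED_TENANTS = {"contoso"}  # assumption: your own and partner tenants

class LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs from <a> tags."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href"), []
    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)
    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None

def sharepoint_tenant(url):
    """Return the tenant label of a *.sharepoint.com host, else None."""
    host = (urlsplit(url).hostname or "").lower().rstrip(".")
    if not host.endswith(".sharepoint.com"):
        return None
    label = host[: -len(".sharepoint.com")].split(".")[-1]
    # OneDrive for Business hosts have the form <tenant>-my.sharepoint.com
    return label[:-3] if label.endswith("-my") else label

def review_links(html_body, trusted=TRUSTED_TENANTS):
    """Return (href, reason) pairs for links that deserve a closer look."""
    parser = LinkCollector()
    parser.feed(html_body)
    findings = []
    for href, text in parser.links:
        tenant = sharepoint_tenant(href)
        if tenant is not None and tenant not in trusted:
            findings.append((href, f"unrecognized SharePoint tenant '{tenant}'"))
        elif tenant is None and "sharepoint" in text.lower():
            findings.append((href, "text says SharePoint, host is not sharepoint.com"))
    return findings

# Constructed sample message body (tenant names and hosts are made up)
SAMPLE_EMAIL = """<a href="https://contoso.sharepoint.com/sites/finance/Q3.docx">Q3 report</a>
<a href="https://trial-example-0000.sharepoint.com/:b:/g/doc">Open in SharePoint</a>
<a href="https://sharepoint.com.login.example.net/auth">SharePoint sign-in</a>"""
if __name__ == "__main__":
    print(*review_links(SAMPLE_EMAIL), sep="\n")
```

A tenant allowlist only narrows the field: a flagged link is a candidate for further inspection, not proof of phishing, since legitimate external partners also share from their own tenants.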

In addition, user security awareness training continues to be a key element of a strong defense. Ensuring your users are educated and know the right things to look for when accessing or sharing sensitive information is an important way to fight back as well.

In this particular case, it may be good practice to remind users not to click on any SharePoint request unless they are fully aware of where it’s coming from and that receiving it makes sense.

The game of chess between the good guys and the bad guys continues, as it has and will for many years to come.
