PhishPoint: How to Tackle the Latest Office 365 Threat

Cybersecurity is a lot like an ongoing, worldwide game of chess. One side—those defending critical information, IP, money, etc.—put up defenses against attackers—those who want to steal or disrupt those valuable data—Then, the other side adjusts to those new defenses which causes a further reaction from the defenders, and on and on it goes.

It can feel like the attackers are constantly gaining the upper hand and making more of the correct chess moves to get what they want. Because in many cases they are. The latest threat impacting users of Microsoft Office 365™ feels like one of those moves, but with the right safeguards in place, there is hope for the good guys.

Security researchers recently discovered a new type of phishing attack against Office 365 called “PhishPoint.” The tactic was outlined in this Redmond Media post last week. This type of attack bypasses many typical methods of defense and can prove especially insidious against unsuspecting users.

What is “PhishPoint?”

Here’s how this phishing attack works: a target gets an email with a link to access a SharePoint document, the type of message Office 365 users receive everyday if their organization uses SharePoint.

The problem here is this email hyperlink is a fake. Users get duped into clicking the URL to access the file, but what opens is a spoofed landing page where the target is directed to provide their Office 365 login credentials. This is how the attacker can get access to critical systems, by stealing are users login credentials.

While this may seem like a standard phishing scam, there’s more to the story: these attacks are originating from legitimate Office 365 free trial accounts. The SharePoint documents are real documents and are themselves not malicious and thus can bypass malware detection.

Why is Office 365/SharePoint Used for Phishing?

Attackers are taking advantage of—and using—cloud services like Google and Office 365 to host their attacks. They do this because these services are highly-trusted and are extensively used for legitimate purposes and thus can’t be blocked out-of-hand.

Making it even easier and cost-effective for the attacker, many of these services provide free access to trial accounts with little or no identity verification or background checks. So, not surprisingly they are becoming a strong draw for attackers – easy to get and hard to detect.

How Can Organizations Fight Back?

All is not lost. There are a number of techniques email security providers can do to detect and stop these types of attacks, such as using pattern detection, URL structure analysis and advanced malware inspections, such as static file analysis and behavioral sandboxing to detect and block them.

In addition, user security awareness training continues to be a key element of a strong defense. Ensuring your users are educated and know the right things to look for when accessing or sharing sensitive information is an important way to fight back as well.

In this particular case, it may be good practice to remind users not to click on any SharePoint requests unless they are fully aware of where it’s coming from and that receiving it makes sense.

The game of chess between the good guys and the bad guys continues, as it has and will for many years to come.