SharePoint Online Phishing Attacks on Office 365 users

A Microsoft Office 365 SharePoint Online Phishing attack is on the rise for stealing login credentials dubbed as PhishPoint. According to Security Affairs, this new phishing attack has already affected about 10% of Office 365 users. From a number’s perspective based on October 2017 reported number of users on Microsoft Office 365 was about 120 Million users, we suspect that has grown to about 150 Million users till date. So, 10% is about 15 Million users impacted and growing.

PhishPoint is a unique attack because it bypasses the built-in security protection of Microsoft Office 365 by inserting malicious links into SharePoint documents. While the body of the email message looks identical to a standard SharePoint invitation. The content of the file impersonates a standard access request to a OneDrive file, and an access document button on the file is hyperlinked to a malicious URL. The malicious link then redirects the victim to a spoofed Office 365 login screen and ask the user to enter credentials, which is then stolen by hackers.

How the PhishPoint Attack Works  

Step 1:

First, the victim receives an email from hackers which looks identical to the standard SharePoint/OneDrive invitation, and an email contains a link to a SharePoint document.

Step 2:

After clicking the hyperlink in the email, the victim’s browser automatically opens a SharePoint file. The SharePoint file content impersonates a standard access request to a OneDrive file, with an “Access Document” hyperlink that is a malicious URL.

Step 3:

The malicious link leads to a replica of an Office 365 login page. If the user enters username and password on the login page, their credentials are hacked by the hacker.

How to protect yourself from PhishPoint attacks:

Like many phishing attacks, PhishPoint is designed to perfectly imitate aspects of the Office 365 experience to pull users into a false sense of security. Here are some best practices to protect you from PhishPoint Attacks:

  • Skeptical emails with URGENT or ACTION REQUIRED in the subject line.
  • Suspicious URLs in the body of the email.
  • On a login page, ensure the URL is hosted by the correct service provider.
  • If you receive an unexpected or uncharacteristic email from peer or superior at your organization contact them to ensure or verify that he/she sent the email.
  • One of the best ways to protect sensitive and confidential data from phishers is by using a Multi-Factor Authentication (MFA) system.
  • Use PhishPro to protect your employees from phishing emails. PhishPro helps to report illegitimate email with one easy click using the PhishPro Tracker.
  • Use PhishPro Campaign to test your employees Phishing Awareness within a safe environment; if users are exploited in the PhishPro Campaign, then it’s a right time to raise Phishing awareness in all employees through PhishPro complete security awareness training.
  • Use web filters like Repulsa. Repulsa is a web filtering solution which helps to filters and blocks any malware and malicious IP addresses.

 

Reference Links:

https://gbhackers.com/phishpoint-hackers-phishing/

https://www.helpnetsecurity.com/2018/05/18/office-365-phishing-threats/

https://threatpost.com/office-365-phishing-campaign-hides-malicious-urls-in-sharepoint-files/136525/