Ride the Lightning

Cybersecurity and Future of Law Practice Blog
by Sharon D. Nelson Esq., President of Sensei Enterprises, Inc.

New Phishing Attack Impacts 10% of Office 365 Users

August 23, 2018

Bitdefender published a blog post on August 16th describing a new phishing campaign. Scammers are taking advantage of a small but serious oversight in Microsoft's Office 365 suite of online services to serve phishing emails that are visually indistinguishable from work-related emails and appear completely safe. This new threat highlights the importance of training your employees to deal with cyber threats as part of your organization's cybersecurity strategy.

Researchers said the phishing attack has impacted an estimated 10% of Office 365 users worldwide. PhishPoint, as the campaign is dubbed, has a twist that most other phishing scams lack: it goes beyond email and uses SharePoint to harvest end-users' credentials.

Here is how PhishPoint works:

  • Victim receives email containing a link to a SharePoint document
  • Email body is identical to a standard SharePoint invitation to collaborate
  • Victim clicks the hyperlink in the email thinking it is a legitimate work document
  • Victim's browser automatically opens a SharePoint file
  • SharePoint file impersonates a standard access request to a OneDrive file
  • Victim clicks on "Access Document" hyperlink that leads to a spoofed Office 365 login screen
  • Victim attempts to log in, at which point their credentials are harvested by the PhishPoint authors

Exploited properly, the scam can lead to a catastrophic data breach. While Microsoft's link-scanning security layer does sniff out malicious links in the body of an email, it does not scan the links inside a linked SharePoint document. Even if it did, it still couldn't blacklist a malicious URL inside the document without blacklisting links to all SharePoint files. Researchers say this is a dangerous oversight.
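The scanning gap described above can be narrowed by also inspecting the links inside the document that an emailed link opens. The following is an added example, not code from Bitdefender or Microsoft: a defender-side check over a document's HTML, where the trusted host list, the `contoso` tenant name, the lure phrases other than "Access Document" and the sample document are all assumptions.

```python
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Assumptions: the only hosts a sign-in or file link may legitimately reach here.
# "contoso.sharepoint.com" stands in for the organization's own tenant.
TRUSTED_HOSTS = {"login.microsoftonline.com", "contoso.sharepoint.com"}
# "access document" is the link text the post describes; the others are assumed.
LURE_PHRASES = ("access document", "open in onedrive", "sign in")


class AnchorCollector(HTMLParser):
    """Collect (href, visible text) for every <a> element."""

    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href") or "", []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, " ".join("".join(self._text).split())))
            self._href = None


def suspicious_second_hop_links(document_html):
    """Return lure-worded links in a linked document that leave trusted hosts."""
    parser = AnchorCollector()
    parser.feed(document_html)
    parser.close()
    flagged = []
    for href, text in parser.links:
        host = (urlsplit(href).hostname or "").lower()
        if any(p in text.lower() for p in LURE_PHRASES) and host not in TRUSTED_HOSTS:
            flagged.append((text, href))
    return flagged


# Constructed sample: HTML of a document reached through the emailed link.
SAMPLE_DOC = """
<p>A OneDrive file has been shared with you.</p>
<a href="https://login.example.net/o365/">Access <b>Document</b></a>
<a href="https://contoso.sharepoint.com/sites/hr/policy.docx">Open in OneDrive</a>
<a href="https://login.microsoftonline.com.example.org/x">Sign in</a>
"""
```

Hosts are compared by exact match rather than by substring, so a lookalike such as the third sample link is flagged even though it contains a genuine sign-in hostname.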

Ya think? Here are five reasons why stolen corporate usernames and passwords are so valuable on the dark web. Bad actors can:

  • Carry out elaborate phishing attacks against the company's top management
  • Carry out advanced money transfer schemes to convince financial departments to wire large sums of money (i.e., CEO impersonation)
  • Lurk on the company's e-mail server for any confidential information that can be monetized later
  • Log into the company's network via Remote Desktop Protocol instances and infect the company with ransomware or other advanced threats
  • Segment stolen credentials by the specifics of the company and then resell these credentials to cybercrime groups targeting a specific vertical

The post includes some good training tips. Read up – and be safe out there!

Phone: 703-359-0700
Digital Forensics/Information Security/Information Technology
https://www.senseient.com
https://twitter.com/sharonnelsonesq
https://www.linkedin.com/in/sharondnelson
https://amazon.com/author/sharonnelson