The attack dubbed “PhishPoint” by Cloud Security vendor Avanan demonstrates the craftiness and extent cybercriminals will go to in order to harvest Office 365 credentials.
I’ve shared about how context can be a major influencer in the success of any attack. This latest attack uses several familiar aspects of Office 365 to lull potential victims into an assumption everything is above board.
Here’s how the PhishPoint attack works, according to Avanan:
- The user receives the malicious email – They confirm there is often the use of URGENT or ACTION REQUIRED to instill a sense of immediacy to respond. The email contains a link to a SharePoint Online-based document.
- The link directs to SharePoint – Attackers are using true-to-form SharePoint Online-based URLS, which adds credibility and legitimacy to the email and link, since the user is being directed to a known-good hosting site.
- Users are shown a OneDrive prompt – The SharePoint file impersonates a request to access a OneDrive file (again, a known cloud entity), with an “Access Document” hyperlink that is actually a malicious URL, as shown below.
- Users are presented with an Office 365 logon screen – Here is where the scam takes place. Using a very authentic-looking logon page where the cybercriminals harvest the user’s credentials.
What makes this attack so evil is that even Microsoft didn’t see this one coming. While they scan emails for suspicious links and attachments, a link to their own SharePoint Online wouldn’t be considered malicious. And, since Microsoft isn’t scanning files hosted on SharePoint, they left attackers with an easy means to utilize the very platform on which theoh y are trying to con users of their credentials.
Users stepped through Security Awareness Training have a better chance of spotting the telltale signs of malice. In this specific scam, several factors stood out:
- The email was unsolicited and had a generic subject of “<person> has sent you a OneDrive for Business file”
- Opening the document required several user-initiated steps
- The URL for the logon page wasn’t on the office365.com domain
This scam represents the risk associated with cloud-based applications. Using context and services users are familiar with, scammers can take advantage of the lowered level of alertness and gain access to corporate resources online – all without the organization ever knowing.
Cyber-attacks are rapidly getting more sophisticated. GDR Group will help train your employees to better manage the urgent IT security problems of social engineering, spear-phishing and ransomware attacks. Take the first step now and email firstname.lastname@example.org to request a quote for Security Awareness Training and Phishing Testing for your organization.