SharePoint Files Utilized to Collect Office 365 Identifications

August 21, 2018

A phishing campaign called PhishPoint utilizes SharePoint files to steal users’ Office 365 identifications.
Huge numbers of phishing electronic mails are being sent to companies that seem to be offers to cooperate. Users are needed to click the URL embedded in the electronic mail, which eventually directs them to a malevolent site where they are needed to enter their Office 365 identifications. Those identifications are then taken by the attackers.
The phishing campaign was noticed by cybersecurity company Avanan. Avanan informs that roughly 10% of its Office 365 clients have received the electronic mails, and the cloud safety platform supplier believes that the same proportion applies to all international users of Office 365.
The phishing electronic mails are similar to those used in Dropbox and Google Docs phishing scams. In this instance, the electronic mails seem to have a OneDrive for Business file and the electronic mail messages are short and to the point. They just contain a link with the text Open Document, and a sentence asking receivers to get in touch if they have any queries. The messages are signed with complete contact details.
Click the link and a SharePoint file will be automatically opened. This creates a standard OneDrive for Business access request that includes a link to click to access the document. Clicking that link will take the user to a phishing webpage which seems to be a standard Office 365 login page. The page is tricked and entering Office 365 identifications will pass them to the attacker. As the user is then directed to an actual website, they are unlikely to realize that they have been phished and their identifications have been undermined.
This method of attack evades Microsoft’s phishing controls as the link to the phishing website comes later in the attack. Microsoft just sees a link to an actual SharePoint document and fails to identify it as doubtful.
While the standard guidance of never clicking links in electronic mails from strange senders might safeguard users against these attacks, it is often not that simple. Companies often receive electronic mails from strange people containing genuine requests such as purchase orders.
Care should definitely be taken when opening any electronic mail. Before any requested action is taken the electronic mail must be assessed for irregularities. In this attack, the point where it becomes clear that this is a phishing attack is when the user is asked to enter their Office 365 identifications. A check of the domain name at this point will disclose all is not as it appears. It is not hosted on the service that it claims to be part of. If the domain is not checked, the end user will fail to realize that this is a phishing attack and their Office 365 identifications will likely be exposed.