Phishing, Breach, Content

Microsoft Office 365 Phishing: Avanan Identifies SharePoint Attack

Cybercriminals are using a Microsoft SharePoint phishing attack, dubbed "PhishPoint," to target Office 365 end user credentials, according to cloud security platform provider Avanan.

PhishPoint targeted about 10 percent of Avanan's Office 365 customers, but the company blocked all of the attacks.

Still, other Office 365 users and partner service providers could be at risk. Avanan estimates that 10 percent of the entire Office 365 installed base -- across all users and service providers -- have been targeted by the attacks. So far, Microsoft has not commented about the alleged attacks.

What Is PhishPoint Attack?

PhishPoint enables cybercriminals to exploit Microsoft email link-scanning, which only goes one level deep, Avanan noted. Microsoft link-scanning reviews the links in an email's body, but it ignores files hosted on other Office 365 services.

With PhishPoint, hackers use SharePoint files to host phishing links, Avanan said. By doing so, they can bypass Office 365 security measures, which primarily focus on email.

During a PhishPoint attack, an Office 365 user receives an email containing a link to a SharePoint document, Avanan noted. The body of the message matches a standard SharePoint invitation to collaborate.

Next, if the user clicks on the email's hyperlink, his or her browser automatically opens a SharePoint file. The SharePoint file content impersonates a standard access request to a OneDrive file, which contains an "Access Document" hyperlink that includes a malicious URL.

The user then is taken to a spoofed Office 365 login screen. At this point, if a user attempts to log in, hackers can harvest his or her credentials.

How Can Office 365 Users Address PhishPoint Attacks?

Avanan offered the following best practices to help Office 365 users address PhishPoint attacks:

  • Be skeptical of any email subject line that capitalizes URGENT, ACTION REQUIRED or other buzzwords related to workplace stress.
  • Be suspicious of URLs present in an email's body.
  • On a login page, ensure the URL is hosted by the service provider.
  • For an unexpected email from a peer or superior, contact this individual to verify that he or she actually sent the message.
  • Use multi-factor authentication (MFA) to secure user accounts across multiple software platforms.

The aforementioned best practices can help Office 365 users identify and prevent PhishPoint attacks, but these practices are not foolproof, Avanan stated. However, organizations can partner with MSSPs, which provide cybersecurity services and support to help Office 365 users detect and block PhishPoint and other cyberattacks.

Dan Kobialka

Dan Kobialka is senior contributing editor, MSSP Alert and ChannelE2E. He covers IT security, IT service provider business strategies and partner programs. Dan holds a M.A. in Print and Multimedia Journalism from Emerson College and a B.A. in English from Bridgewater State University. In his free time, Dan enjoys jogging, traveling, playing sports, touring breweries and watching football.