Hunting for Office 365 accounts

January 31, 2019

Since at least last summer, unknown cybercriminals have been sending e-mails to Office 365 users, hoping to swindle credentials out of them. According to the researchers who first uncovered this attack, up to 10% of all users of the service could have received such a message.

PhishPoint campaign

The scam e-mails look like standard invitations to collaborate in SharePoint. The recipient is prompted to open a document stored in OneDrive for Business. The trick is that the link in the e-mail really does point to a document in OneDrive for Business, but this document is disguised as an access request. The “Access Document” link at the bottom of the page redirects the victim to a third-party site masked as the Microsoft Office 365 login page.

Corporate workspaces are seen as more trustworthy than other resources, and users may be under the impression that outsiders cannot readily gain access to SharePoint services, so they follow the link to the scam website without a second thought. If the victim enters work credentials on this site, those credentials go straight to whoever planted the file.

With these credentials, cybercriminals can potentially get hold of all of the victim’s privileges, including access to e-mail, cloud storage, and confidential business information. Hiding behind a corporate account, scammers can steal sensitive information for competitors, spread malware, or use employee names and project information for spear-phishing purposes.

The cunning part is that the mail filters check the link in the message, and that link is completely clean: it points to a document hosted on OneDrive for Business, a workspace with an impeccable reputation. The malicious link lives only inside the document itself. By the time the user clicks it, they have effectively left the jurisdiction of the mail filters, and protection is in the hands of the security solution installed directly on their computer.
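As an added illustration, not part of the original article and not code from any product mentioned in it, the following Python script models the two-hop check that the mail filter never performs. The first hop, the URL in the e-mail, has a host on Microsoft's own infrastructure and passes a hostname-trust check; the second hop, the "Access Document" link inside the landing page, points at a third-party host and fails it. The landing-page HTML and all URLs are constructed for the example, and the trusted-suffix list is an assumption, not an authoritative list of Microsoft domains.

```python
"""
Two-hop link check for PhishPoint-style lures.

Hop 1: the URL in the e-mail. It resolves to a legitimate OneDrive for
Business / SharePoint tenant, so a hostname-reputation check passes it.
Hop 2: the "Access Document" link inside that document, which points to a
third-party host impersonating the Office 365 login page.

Sample HTML and URLs below are constructed for this example; no network
access is made.
"""
from html.parser import HTMLParser
from urllib.parse import urlparse

# Assumption for this example: domains a genuine Microsoft document share or
# sign-in flow would use. A production allowlist needs to be maintained.
TRUSTED_SUFFIXES = (
    "sharepoint.com",
    "onedrive.com",
    "microsoftonline.com",
    "live.com",
    "office.com",
    "microsoft.com",
)


def is_trusted_host(url: str) -> bool:
    """True if the URL's host is a trusted domain or a subdomain of one.

    urlparse().hostname discards userinfo, so a lure such as
    https://login.microsoftonline.com@evil.example/ is judged by evil.example.
    Suffix matching requires a dot boundary, so evil-sharepoint.com is rejected.
    """
    host = (urlparse(url).hostname or "").lower()
    return any(host == s or host.endswith("." + s) for s in TRUSTED_SUFFIXES)


class LinkCollector(HTMLParser):
    """Collects (anchor text, href) pairs from an HTML document."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append(("".join(self._text).strip(), self._href))
            self._href = None


def find_untrusted_links(page_html: str):
    """Return (text, href) for every http(s) link whose host is not trusted."""
    parser = LinkCollector()
    parser.feed(page_html)
    return [
        (text, href)
        for text, href in parser.links
        if urlparse(href).scheme in ("http", "https") and not is_trusted_host(href)
    ]


def triage(email_link: str, landing_html: str) -> dict:
    """Verdict for one lure: hop-1 trust plus the hop-2 links that betray it."""
    return {
        "email_link_trusted": is_trusted_host(email_link),
        "untrusted_links": find_untrusted_links(landing_html),
    }


# Constructed sample: the e-mail link and the document page it lands on.
EMAIL_LINK = "https://contoso-my.sharepoint.com/personal/j_doe/Documents/Invoice.docx"
LANDING_PAGE = """
<html><body>
<p>This document is protected. Sign in to view.</p>
<a href="https://contoso-my.sharepoint.com/personal/j_doe/_layouts/15/onedrive.aspx">Back to OneDrive</a>
<a href="https://office365-secure-login.example.net/auth?u=j.doe%40contoso.com">Access Document</a>
</body></html>
"""

if __name__ == "__main__":
    verdict = triage(EMAIL_LINK, LANDING_PAGE)
    print("e-mail link passes host check:", verdict["email_link_trusted"])
    for text, href in verdict["untrusted_links"]:
        print(f"second-hop link '{text}' leaves Microsoft infrastructure: {href}")
```

The point of the script is the asymmetry: `is_trusted_host(EMAIL_LINK)` is true, which is exactly what a gateway URL filter sees, while the only link that matters is found by parsing the page the user lands on. A real deployment would fetch the landing page in a sandbox rather than embed it, and would treat a sign-in prompt on any non-Microsoft host as an immediate block.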

How to protect your business and employees

Here are some tips to increase employee vigilance and improve company security against this and similar attacks:

  • Tell staff who use Office 365 about the scheme. It is very rare for a link to a document to be sent out of the blue, without any prior discussion. So before opening a document that arrives without explanation, check with the person who appears to have sent it, ideally by phone or chat rather than by replying to the message.
  • View, and tell staff to view, e-mails from unknown addresses with a particularly critical eye, and follow up on suspicions.
  • Protect every employee workstation with an endpoint cybersecurity solution. Because the malicious link is only reached after the mail filter has already passed the message, endpoint protection is the last line of defence against phishing schemes like this.