New Hacking Technique Used to Bypass Microsoft Office 365 Security
Over 10% of Office 365 users have been affected in the last two weeks by a phishing attack named PhishPoint. The technique has already been used in attacks by scammers and crooks to bypass Advanced Threat Protection (ATP), which has been implemented in many of the most popular email services.
“Over the past two weeks, we discovered (and blocked) a new phishing attack that affected about 10% of Avanan’s Office 365 customers. We expect this percentage applies to Office 365 globally. PhishPoint marks an evolution in phishing attacks, where hackers go beyond just email and use SharePoint to harvest end-users’ credentials for Office 365.”
How did Hackers send Malicious Links?
The hackers placed the malicious phishing link inside a file hosted in a SharePoint folder rather than in the email itself, which allowed them to bypass the Office 365 built-in security. In the PhishPoint attack, the victim usually receives an email containing a link to a SharePoint document, which resembles a standard SharePoint invitation to collaborate.
When the user clicks the hyperlink in the fake invitation, the browser automatically opens a SharePoint file that impersonates an access request for a OneDrive file; the link in that file actually leads to a malicious spoofed Office 365 login screen.
The security researchers highlighted that Microsoft’s protection mechanisms scan the body of the email for malicious links but do not scan for malicious links inside the SharePoint document. There is also a bigger problem in this scenario: the company cannot blacklist links to its own product, since the links point to SharePoint documents.
“Even if Microsoft were to scan links within files, they would face another challenge: they could not blacklist the URL without blacklisting links to all SharePoint files. If they blacklisted the full URL of the SharePoint file, the hackers could easily create a new URL.”
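The gap described above is that a body-only link scan sees a trusted SharePoint URL and stops there, while the credential-harvesting link sits one hop further inside the document. The following Python script is an added example written for this article (it is not Avanan's or Microsoft's code) of a two-hop check that an email filter could apply: links in the body are inspected directly, and links hosted on SharePoint are followed one more hop so that links inside the document are inspected as well. The email, the document content, the spoofed page and every hostname are constructed for the example, and the fetch step is an in-memory lookup rather than a real HTTP request; the list of Microsoft sign-in hosts and the login-page keywords are assumptions chosen for illustration.

```python
"""Two-hop link scan for SharePoint-hosted phishing lures.

Added example, not the article's or any vendor's code. The "web" is a
constructed in-memory dict, and all URLs and hostnames are made up.
"""
from __future__ import annotations

import re
from urllib.parse import urlparse

URL_RE = re.compile(r"https?://[^\s\"'<>]+")

# Assumed: hosts where a genuine Microsoft sign-in page lives.
MICROSOFT_LOGIN_HOSTS = {"login.microsoftonline.com", "login.live.com"}

# Assumed: words that suggest a page is asking for credentials.
LOGIN_HINTS = ("sign in", "login", "password", "office 365")


def extract_urls(text: str) -> list[str]:
    """Pull every http(s) URL out of a block of text."""
    return URL_RE.findall(text)


def is_sharepoint_url(url: str) -> bool:
    """True for documents hosted on a *.sharepoint.com tenant."""
    host = urlparse(url).hostname or ""
    return host.endswith(".sharepoint.com")


def looks_like_login_page(url: str, content: str) -> bool:
    """A page that asks for credentials but is not on a Microsoft login host."""
    host = urlparse(url).hostname or ""
    if host in MICROSOFT_LOGIN_HOSTS:
        return False
    lowered = content.lower()
    return any(hint in lowered for hint in LOGIN_HINTS)


def scan_email(body: str, fetch, follow_sharepoint: bool = True) -> list[dict]:
    """Return findings for links in the body and, optionally, inside SharePoint files.

    fetch(url) returns the text behind a URL (here: a dict lookup).
    With follow_sharepoint=False the scan behaves like a body-only check:
    the SharePoint URL itself is inspected, but links inside the file are
    never seen, which is the gap the PhishPoint lure relies on.
    """
    findings = []
    for url in extract_urls(body):
        if follow_sharepoint and is_sharepoint_url(url):
            document = fetch(url)
            for inner in extract_urls(document):
                if looks_like_login_page(inner, fetch(inner)):
                    findings.append({"hop": 2, "via": url, "url": inner})
        elif looks_like_login_page(url, fetch(url)):
            findings.append({"hop": 1, "via": None, "url": url})
    return findings


# Constructed sample data: an invitation email, a SharePoint document that
# carries a second-hop link, and a spoofed login page on a made-up host.
SAMPLE_EMAIL = (
    "Alice shared a file with you.\n"
    "Open: https://contoso-example.sharepoint.com/sites/docs/shared.docx\n"
)
SAMPLE_WEB = {
    "https://contoso-example.sharepoint.com/sites/docs/shared.docx":
        "Access request: https://onedrive-access.example.invalid/auth",
    "https://onedrive-access.example.invalid/auth":
        "<h1>Office 365</h1><form>Sign in with your password</form>",
}


def fake_fetch(url: str) -> str:
    """Stand-in for an HTTP fetch; unknown URLs return empty content."""
    return SAMPLE_WEB.get(url, "")


if __name__ == "__main__":
    print("body-only scan:", scan_email(SAMPLE_EMAIL, fake_fetch, follow_sharepoint=False))
    print("two-hop scan:  ", scan_email(SAMPLE_EMAIL, fake_fetch))
```

Run with the two modes side by side: the body-only scan returns nothing because the only link in the message points at a SharePoint tenant, while the two-hop scan flags the credential page reached through the document. This also shows why the second quoted point holds: the finding is keyed on the inner URL, not on the SharePoint URL, so blocking does not require blacklisting SharePoint itself.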
Experts recommend that users be cautious when clicking links and think twice before entering their login credentials.