The attack dubbed “PhishPoint” is a recent cyber-attack scheme being used by foreign hackers. It demonstrates the craftiness and the extent that cybercriminals will go to in order to harvest your Microsoft Office 365 credentials. It uses several familiar aspects of Office 365 to lull potential victims into an assumption that everything is above board. But it’s not. Here’s what you need to know about PhishPoint and how to protect your organization.
How Did The PhishPoint Attack Get Into Office 365?
The PhishPoint hackers use Microsoft SharePoint files to host their phishing links. Typically hackers use emails to host malicious links. Now, these crafty hackers have figured out how to bypass Office 365’s built-in security to leverage their attacks. This shows that there’s a critical flaw in Office 365 in this respect.
How Does The PhishPoint Attack Work?
You can recognize a PhishPoint malicious email by its use of “URGENT” or “ACTION REQUIRED” to urge you to respond. But beware, this email contains a link to a SharePoint Online-based document that you don’t want to click.
Here’s how it works:
The link will direct you to SharePoint. It will look legitimate and could trick you or your users unless you know what to watch for it.
At this point, you’ll be shown a OneDrive prompt –The SharePoint file will impersonate a request to access a OneDrive file with an “Access Document” hyperlink. This is actually a malicious URL, as shown below.
Then you’ll see a Microsoft Office 365 logon screen – Don’t enter your information even though it’s very authentic-looking login page. if you do, the hackers can access your user credentials!
What Else Should We Watch For?
Several things stand out here, and you should watch for them:
1. The email is unsolicited and has a generic subject of “<person> has sent you a OneDrive for Business file.”
2. Opening the document requires you to take a number of steps.
3. The URL for the logon page isn’t on the office365.com domain.
Why Didn’t Microsoft Stop This Scam?
Unfortunately, Microsoft didn’t see this coming. They continually scan emails for suspicious links and attachments, but even they were fooled. They didn’t think that a link to their own SharePoint Online would be malicious.
Another problem is that Microsoft link-scanning only goes one level down. It scans links in the email body but doesn’t scan files that are hosted on their services like SharePoint. If they did, they would have to scan for malicious links within shared documents.
And there’s another problem…they couldn’t blacklist the malicious URL unless they did this for the full URL for the SharePoint file. In this case, the hackers could just make a new URL in an uploaded file that contained content similar to SharePoint.
Since Microsoft isn’t scanning files hosted on SharePoint, hackers can easily use the platform to con their users and steal their credentials.
This scam exemplifies the risk associated with cloud-based applications. Using context and services that users are familiar with, cybercriminals can take advantage of a lowered level of alertness, and gain access to corporate resources online – all without the user or organization ever knowing it.
What Is Microsoft Doing To Prevent Scams Like PhishPoint?
Microsoft has been working behind the scenes to stop foreign attackers. Court documents that were unsealed on March 27, 2019 show that they’ve been waging a secret battle against a group of Iranian government-sponsored hackers.
Microsoft said it received substantial support from the domain registrars, which transferred the domains over to Microsoft as soon as the company obtained a court order.
What Can We Do To Prevent Being Affected By PhishPoint?
It’s important that you share this message with all of your users:
Be on alert! The bad guys have a new way of stealing your login credentials. They target you by sending an invite via email to open a SharePoint document.
The link takes you to an actual SharePoint page where you will see a OneDrive prompt. The prompt will have an “Access Document” link in it- don’t click this link!
This link is malicious and will take you to a fake Office 365 login screen. Any credentials you enter here will be sent to the bad guys. Don’t be tricked!
Whenever you’re submitting login credentials to any site, make sure to check the URL of the page for accuracy. Also, remember to always hover over links to see where they are taking you. Remember, Think Before You Click.
Here are some other things that you and your users should do:
Thanks for helping us upgrade our Macs and get them working exactly as our business needs! Fast, convenient and very knowledgeable! You’re the best!
Alary Technologies has been our IT support team for the past year at the START Clinic for Mood and Anxiety Disorders. They have done a excellent job in upgrading our system, organization, and supporting us in technical computer matters. Compared to other IT companies we have worked with, Alary Technologies comes on top. Ahmed Kufaishi the Managing Director at Alary Technologies is solution focused, knowledgeable and makes an effort to really understand his clients’ needs. It has been a pleasure to work with Ahmed and Alary Technologies. I would recommend their services to other companies and clinics.
“We continue to work with Alary Technologies due to the fact that they are quite educated and knowledge based with current upgrades, and their commitment to their customers.”
Ahmed has been providing our company with expert IT services for close to 3 years. He has guided us through hardware upgrades, server back up procedures and was instrumental in brokering a custom software program that fully automated some key functions in our business. Ahmed has always been thoroughly professional in all his dealings with us and has provided consistent and sound advise for all of our IT requirements. We consider Ahmed and Alary Technologies to be an important partner for our business.
It is refreshing to work with someone who can organize things and describe in plain language. I have a large and growing knowledge base for my work as an architect. I have realized that I can’t do everything, that I do need a team member who can look after this one relatively small by crucial part of my practice.