PhishPoint is a new SharePoint phishing attack that affected an estimated 10% of Office 365 users over the last 2 weeks. The attack gets past Advanced Threat Protection (ATP), which has been implemented in many of the most popular email services. The malicious link spreads via emails containing a SharePoint document with an invitation to collaborate. When the document is opened, it contains a malicious URL that snatches end users’ credentials. “PhishPoint marks an evolution in phishing attacks, where hackers go beyond just email and use SharePoint to harvest end-users’ credentials for Office 365,” said Avanan researchers in a post about this phishing attack.
The SharePoint file content impersonates a standard access request to a OneDrive file, with an “Access Document” hyperlink that is actually a malicious URL redirecting the victim to a spoofed Office 365 login screen. This landing page asks the victim to enter their login credentials. Experts highlighted that Microsoft’s protection mechanisms scan the body of an email, including the links in it, but since the URL points to an actual SharePoint document, the protections fail to identify the threat.
“To protect against potential threats, Office 365 scans links in email bodies to look for blacklisted or suspicious domains. Since the link in the email leads to an actual SharePoint document, Microsoft did not identify it as a threat. The crux of this attack is that Microsoft link-scanning only goes one level deep, scanning the links in the email body, but not within files hosted on their other services, such as SharePoint. In order to identify this threat, Microsoft would have to scan links within shared documents for phishing URLs. This presents a clear vulnerability that hackers have taken advantage of to propagate phishing attacks.”
– Avanan Security –
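The "one level deep" gap Avanan describes can be made concrete with a small two-level link scanner. This is an added example, not code from the post or from Avanan or Microsoft: it extracts the links from an email body, and for any link that points at a trusted document host it also extracts the links inside the shared document and flags any that leave the trusted domains. The trusted-host list, the `fetch_document` callback and all sample data (email text, document content and the `.example.invalid` phishing domain) are constructed assumptions for the demonstration; a real deployment would fetch the document through the tenant's own API.

```python
import re
from urllib.parse import urlparse

# Assumption for this example: document hosts whose links a first-level scan lets through.
# The post only states that a link to a real SharePoint document was not flagged.
TRUSTED_DOCUMENT_HOSTS = ("sharepoint.com", "onedrive.live.com", "office.com")

# Simple URL extractor; stops at whitespace, quotes and angle brackets so it works on
# both plain-text mail bodies and HTML attribute values.
URL_RE = re.compile(r"https?://[^\s\"'<>]+")


def extract_urls(text):
    """Return every http(s) URL found in the text, in order of appearance."""
    return URL_RE.findall(text)


def host_matches(url, suffixes):
    """True if the URL's host is one of the suffix domains or a subdomain of one."""
    host = (urlparse(url).hostname or "").lower()
    return any(host == s or host.endswith("." + s) for s in suffixes)


def first_level_scan(body):
    """The behaviour the post attributes to Office 365: only links in the email body
    are examined, and a link to a trusted document host is accepted as-is."""
    return [u for u in extract_urls(body) if not host_matches(u, TRUSTED_DOCUMENT_HOSTS)]


def two_level_scan(body, fetch_document):
    """Email-body links first; then, for each link into a trusted document host,
    the links inside that document. Returns every URL that should be flagged."""
    flagged = []
    for url in extract_urls(body):
        if not host_matches(url, TRUSTED_DOCUMENT_HOSTS):
            flagged.append(url)  # untrusted domain directly in the email
            continue
        # Second level: inspect what the shared document itself links to.
        document = fetch_document(url)
        for inner in extract_urls(document):
            if not host_matches(inner, TRUSTED_DOCUMENT_HOSTS):
                flagged.append(inner)
    return flagged


# Constructed sample: a collaboration invitation whose only link is a SharePoint document.
SAMPLE_EMAIL = """Hi,
Someone shared a file with you. Open it here:
https://contoso-my.sharepoint.com/:b:/g/personal/user/EXAMPLE-DOC-ID
"""

# Constructed sample of the document body: a fake OneDrive access request whose
# "Access Document" link leaves Microsoft's domains (placeholder .invalid domain).
SAMPLE_DOCUMENTS = {
    "https://contoso-my.sharepoint.com/:b:/g/personal/user/EXAMPLE-DOC-ID":
        "<p>You have a OneDrive access request.</p>"
        '<a href="https://login-office365.example.invalid/auth">Access Document</a>',
}


def fetch_sample_document(url):
    """Stand-in for fetching the shared document; returns the constructed content."""
    return SAMPLE_DOCUMENTS.get(url, "")


if __name__ == "__main__":
    print("first level only:", first_level_scan(SAMPLE_EMAIL))
    print("two levels      :", two_level_scan(SAMPLE_EMAIL, fetch_sample_document))
```

Run as-is, the first-level scan returns an empty list for the sample email, which is exactly the blind spot the post describes; the two-level scan returns the spoofed login URL hidden inside the document. The same `two_level_scan` function would also flag an untrusted link placed directly in the email body.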
How To Stay Safe
- Have a unique email address.
- Double-check the URL in the address bar.
- Use two-factor authentication.
- Do not open any attachments without proper validation.
- Don’t open unsolicited emails.
- Use spam filters and anti-spam gateways.
- Never respond to any spam emails.
Stay with us for the newest security updates.