There’s a new phishing attack that cyber criminals are using to target Microsoft Office 365 users. We know of several businesses locally that have been affected by this type of attack.

Attackers are now bypassing anti-malware email security scans by embedding malicious links within shared files on SharePoint and other trusted sites like Box, G Suite and Dropbox.

The hacker sends a genuine-looking email that points to a file hosted on a legitimate sharing service, most commonly Microsoft’s OneDrive. When the user clicks on the link, the browser automatically opens a SharePoint file.

The content of the SharePoint file impersonates a standard access request to a OneDrive file, so everything looks normal. However, the ‘Access Document’ button on the file has a hyperlink to a malicious URL.

When the user clicks on the malicious link, it redirects to a spoofed Office 365 login screen, which asks them to enter their login credentials, which are then harvested by hackers.

How the phishing attack works

Most anti-malware email security scans look for malicious links. Since a trusted file share provider is safe, the URL receives no further scrutiny and makes it into the end user’s inbox. However, while the link itself is safe, it leads the user towards a harmful action.

These attacks can fool even savvy users because the link points to a legitimate service which lowers their guard.

What happens next

1. Once the criminal has gained access they will:Spend time reviewing what data is stored in the user’s folders to seek personal information, credit card details, passwords etc.
2. Download emails and attachments.
3. Send the same phishing email to the user’s contacts from the user’s email address.
4. Set up rules to delete any emails sent by the criminal and to move any replies from the phishing emails to a folder that the user doesn’t know exists. By doing this, the user won’t know that anything is wrong unless they receive a phone call or new email from the recipient of the phishing email asking if the email was genuine.

If any of your email accounts are compromised in this way not only will it cause damage and disruption to your business but it’s highly likely that you will have to report the breach to the ICO.

What you can do

We recommend you implement the following:

1. Disable Outlook Web Access.
2. Implement multi-factor authentication.
3. Engage your staff in cyber security training.
4. Don’t trust emails with document sharing – check with the sender by calling a phone number that is known. Never email back!
5. Use a password manager. Password managers will only enter your password into the legitimate login page. They can’t be fooled into sharing your password on a fake phishing site, and you will not be able to enter it. The safest password is the one you don’t remember.

If you have any questions or need help with any of the above (including training), please contact us on 01392 207194.