SharePoint Files Used to Collect Office 365 Credentials

August 21, 2018


A phishing campaign called PhishPoint uses SharePoint files to steal users’ Office 365 credentials.

Huge numbers of phishing emails that appear to be requests to collaborate are being sent to companies. Users are asked to click the URL embedded in the email, which eventually directs them to a malicious site where they are asked to enter their Office 365 credentials. Those credentials are then captured by the attackers.

The phishing campaign was detected by cybersecurity firm Avanan. Avanan reports that roughly 10% of its Office 365 customers have received the emails, and the cloud security platform provider believes that the same proportion applies to Office 365 users worldwide.

The phishing emails are similar to those used in Dropbox and Google Docs phishing scams. In this case, the emails appear to contain a OneDrive for Business file, and the messages are brief and to the point. They contain just a link with the text Open Document and a sentence asking recipients to get in touch if they have any questions. The messages are signed with full contact details.

Clicking the link automatically opens a SharePoint file. This presents a standard OneDrive for Business access request that contains a link to click to access the document. Clicking that link takes the user to a phishing webpage that appears to be a standard Office 365 login page. The page is spoofed, and any Office 365 credentials entered are passed to the attacker. Because the user is then directed to a genuine website, they are unlikely to realize that they have been phished and that their credentials have been compromised.

This attack technique bypasses Microsoft’s phishing controls because the link to the phishing website comes later in the attack. Microsoft sees only a link to a genuine SharePoint document and fails to identify it as suspicious.

Although the standard advice never to click links in emails from unknown senders might protect users against these attacks, it is often not that simple. Companies often receive emails from unknown senders containing legitimate requests such as purchase orders.

Care must certainly be taken when opening any email. Before any requested action is taken, the email must be checked for irregularities. In this attack, the point at which it becomes clear that this is a phishing attack is when the user is asked to enter their Office 365 credentials. A check of the domain name at this point will reveal that all is not as it appears: the page is not hosted on the service it claims to be part of. If the domain is not checked, the end user will fail to realize that this is a phishing attack and their Office 365 credentials will likely be exposed.
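
The domain check described above can be automated in a mail gateway, proxy or browser helper. The following is an added example, not code from Avanan or Microsoft: the allowlist contents, the function name and the sample URLs are assumptions constructed for illustration.

```python
from urllib.parse import urlsplit

# Assumption: the sign-in hosts this organisation treats as genuine for
# Office 365. Extend the set to match your own tenant and federation setup.
TRUSTED_LOGIN_HOSTS = {"login.microsoftonline.com"}


def check_login_url(url):
    """Return (ok, reason) for the URL of a page showing an Office 365 sign-in form."""
    try:
        parts = urlsplit(url.strip())
        host = (parts.hostname or "").rstrip(".").lower()
    except ValueError:
        return False, "unparseable URL"
    if parts.scheme != "https":
        return False, "not served over HTTPS"
    if parts.username is not None:
        # Everything before '@' is userinfo, not the host the browser contacts.
        return False, "userinfo before '@' hides the real host"
    if not host.isascii() or any(l.startswith("xn--") for l in host.split(".")):
        return False, "internationalised host can imitate Latin letters"
    if host in TRUSTED_LOGIN_HOSTS:
        return True, "trusted sign-in host"
    if any(trusted in host for trusted in TRUSTED_LOGIN_HOSTS):
        # Exact match only: a trusted name used as a label of another domain fails.
        return False, "trusted name embedded in a different domain"
    return False, "host is not a trusted sign-in host"


if __name__ == "__main__":
    # Constructed sample URLs (reserved .example names), not observed indicators.
    for url in (
        "https://login.microsoftonline.com/common/oauth2/authorize",
        "https://login.microsoftonline.com.portal.example/login",
        "https://login.microsoftonline.com@signin.example/",
        "http://login.microsoftonline.com/",
        "https://office365-signin.example/",
    ):
        print(url, "->", check_login_url(url))
```

The comparison is an exact host match after parsing, so a page whose address merely contains the trusted name is still rejected.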