Security Update: What’s PhishPoint?

Phishpoint

The attack dubbed “PhishPoint” is a recent cyber-attack scheme being used by foreign hackers. It demonstrates the craftiness and the extent that cybercriminals will go to in order to harvest your Microsoft Office 365 credentials. It uses several familiar aspects of Office 365 to lull potential victims into an assumption that everything is above board. But it’s not. Here’s what you need to know about PhishPoint and how to protect your organization.

How Did The PhishPoint Attack Get Into Office 365?

The PhishPoint hackers use Microsoft SharePoint files to host their phishing links. Typically hackers use emails to host malicious links. Now, these crafty hackers have figured out how to bypass Office 365’s built-in security to leverage their attacks. This shows that there’s a critical flaw in Office 365 in this respect.

How Does The PhishPoint Attack Work?

You can recognize a PhishPoint malicious email by its use of “URGENT” or “ACTION REQUIRED” to urge you to respond. But beware, this email contains a link to a SharePoint Online-based document that you don’t want to click.

Here’s how it works:

The link will direct you to SharePoint. It will look legitimate and could trick you or your users unless you know what to watch for it.

At this point, you’ll be shown a OneDrive prompt –The SharePoint file will impersonate a request to access a OneDrive file with an “Access Document” hyperlink. This is actually a malicious URL, as shown below.

Then you’ll see a Microsoft Office 365 logon screen – Don’t enter your information even though it’s very authentic-looking login page. if you do, the hackers can access your user credentials!

What Else Should We Watch For?

Several things stand out here, and you should watch for them:

1. The email is unsolicited and has a generic subject of “<person> has sent you a OneDrive for Business file.”

2. Opening the document requires you to take a number of steps.

3. The URL for the logon page isn’t on the office365.com domain.

Why Didn’t Microsoft Stop This Scam?

Unfortunately, Microsoft didn’t see this coming. They continually scan emails for suspicious links and attachments, but even they were fooled. They didn’t think that a link to their own SharePoint Online would be malicious.

Another problem is that Microsoft link-scanning only goes one level down. It scans links in the email body but doesn’t scan files that are hosted on their services like SharePoint. If they did, they would have to scan for malicious links within shared documents.

And there’s another problem…they couldn’t blacklist the malicious URL unless they did this for the full URL for the SharePoint file. In this case, the hackers could just make a new URL in an uploaded file that contained content similar to SharePoint.

Since Microsoft isn’t scanning files hosted on SharePoint, hackers can easily use the platform to con their users and steal their credentials.

This scam exemplifies the risk associated with cloud-based applications. Using context and services that users are familiar with, cybercriminals can take advantage of a lowered level of alertness, and gain access to corporate resources online – all without the user or organization ever knowing it.

What Is Microsoft Doing To Prevent Scams Like PhishPoint?

Microsoft has been working behind the scenes to stop foreign attackers. Court documents that were unsealed on March 27, 2019 show that they’ve been waging a secret battle against a group of Iranian government-sponsored hackers.

Microsoft said it received substantial support from the domain registrars, which transferred the domains over to Microsoft as soon as the company obtained a court order.

What Can We Do To Prevent Being Affected By PhishPoint?

It’s important that you share this message with all of your users:

Be on alert! The bad guys have a new way of stealing your login credentials. They target you by sending an invite via email to open a SharePoint document.

The link takes you to an actual SharePoint page where you will see a OneDrive prompt. The prompt will have an “Access Document” link in it- don’t click this link!  

This link is malicious and will take you to a fake Office 365 login screen. Any credentials you enter here will be sent to the bad guys. Don’t be tricked!  

Whenever you’re submitting login credentials to any site, make sure to check the URL of the page for accuracy. Also, remember to always hover over links to see where they are taking you. Remember, Think Before You Click.

Here are some other things that you and your users should do:

  • Be wary of any email subject line that contains an imminent threat like “URGENT” or “ACTION REQUIRED.”
  • Always suspect URLs in the body of an email. It’s best not to click them. Most legitimate businesses no longer send links in emails.
  • Carefully review any logon page. Check to make sure that the URL is actually hosted by the service that you want to use.
  • If an odd-looking email shows up in your inbox from someone in your organization and you question its authenticity, contact the person by phone to see if they sent the email.
  • Use Multi-Factor Authentication for all of your software platforms and online accounts.
  • You should also sign up your users for Security Awareness Training. When you do, they’ll have a better chance of spotting the telltale signs of a cyber threat.

Connect With Your New York City IT Team