Posey's Tips & Tricks

One Way Office 365 Phishing Attacks Are Getting Sneakier

A relatively new type of phishing attack is targeting Office 365 users while completely circumventing all of the usual security defenses.

• By Brien Posey
• 09/12/2018

Phishing attacks have probably been around for as long as e-mail itself. We all know the drill: An attacker sends an e-mail message containing a malicious link, an unsuspecting user clicks on that link, and bam! The user gets infected with who knows what type of devious malware.

Lately, though, phishing attacks have become almost laughable. You know the messages that I am talking about -- the ones that are filled with spelling and grammatical errors, and that often paint a completely implausible picture.

For example, I received a message this morning that was supposedly from a well-known international bank claiming that I had won its lottery. Never mind the fact that banks aren't in the business of giving away free money through lotteries, or that I never signed up for a lottery. (I don't even have an account with the bank.) And, of course, the message was chock-full of spelling errors.

For a long time, I simply dismissed these types of messages as annoying but relatively harmless. After all, most people aren't going to fall for such an obvious fraud. Recently, however, something else has begun to occur to me: What if we aren't meant to fall for those really obvious phishing messages? What if those messages are actually just a distraction that is designed to make us underestimate the threat that phishing attacks actually pose?

I know what you are thinking. You are probably saying to yourself, "Come on, Posey. Phishing messages come from a variety of senders. Some are obvious frauds, while others are more convincing." Right. I get it. Besides, a good malware-filtering engine should be able to catch the malicious links within the message before the phishing message even makes it into the end user's inbox, right?

That's what I used to think, too. Recently, however, I keep hearing about a relatively new type of phishing attack that targets Office 365 users and completely circumvents all of the normal defenses. In fact, this type of attack -- dubbed "PhishPoint" by the researchers at Avanan who first discovered it last month -- often goes completely undetected.

The reason why this type of phishing attack succeeds where others fail has to do with the way that malware-prevention software works. Anti-malware software typically compares links within e-mail messages against a list of links that are known to be malicious. Such software might also check for the presence of camouflaged links and look for a few other telltale signs that all is not what it should be. If the message passes those tests, then it is deemed to be safe and sent to the user's inbox.

But what if a message contains a link that is safe, but that leads the user toward a harmful action? Such a message would typically be treated as safe because the anti-malware software would not be able to prove that the link points to anything nefarious.

So with that in mind, here is how the new phishing attack works. The attacker sets up a free trial of Office 365. Microsoft makes it painless to start an Office 365 trial; I have done it several times when I needed a "throwaway" subscription for something that I was writing about. The last time I set up a trial subscription, the only thing that I needed to get started was an e-mail address. And we all know how good phishing artists are at setting up e-mail addresses.

Once the trial account is up and running, the scammer sets up a series of documents within SharePoint. They then send an invitation to users in other organizations offering to allow them to edit the file. This is a legitimate SharePoint request, so it makes it through the malware-scanning engine.

The file that gets shared with the unsuspecting user is made to look like a OneDrive file. When the user attempts to open the file, they are presented with a fake OneDrive log-in screen. This allows the attacker to steal the victim's credentials.

The scary thing about this attack is that it completely circumvents many of the conventional defenses. Your anti-malware software probably isn't going to be able to detect the attack because the link is legitimate and there are no attempts to implant malware. The attacker is stealing credentials, not infecting machines.

For now, the best defense seems to be user education. Tell your users that they should ignore any SharePoint file-sharing requests that they are not expecting. Furthermore, if the invitation contains any of the buzzwords that are commonly used in phishing attacks, that should be an additional clue to users that the invitation might not be legit. Some of these buzzwords might include "final notice," "urgent," "action required" or "your account will be deleted."