SharePoint Phishing Attack (PhishPoint)
There is a phishing attack against Office 365 known as the SharePoint Phishing Attack, or PhishPoint.
Attackers are now using Microsoft SharePoint to run phishing campaigns that target Office 365 end-user credentials and, in some cases, inject malicious code onto the victim's machine.
What makes this attack so interesting? Even though Exchange Online Protection and Office ATP scan emails for suspicious content, links and attachments, a link to the organization's own SharePoint Online wouldn't be considered malicious.
Since Exchange Online Protection and Office ATP don't scan files hosted on SharePoint, this leaves attackers with an easy way to steal credentials and identities and to run malicious code.
About Phishing Attack
Like other phishing attacks, it’s all about convincing the users that the email is valid and needs to be read and addressed.
As humans, we look at the email and derive its context to determine whether we believe it’s necessary to open, read, and click through.
Several factors come into play when determining context:
- Sender – Either the individual or the company may be known to the recipient.
- Subject – This all comes down to the relevance to the recipient.
- Email address – Users today should know by now that they need to look at the sender details. If the address looks legitimate, it's generally a good sign that the user will continue reading.
- Email Details – If the email's timing, relevance to the recipient, dropped names, etc., all seem legitimate, the recipient won't think twice about its credibility.
- Emotional Buy – Scammers know if they can get your users excited, angry, worried, or delighted, they have a better chance of getting a click.
The PhishPoint campaign reaches victims through emails that look like a SharePoint or OneDrive for Business invitation to collaborate on a document.
However, when the link is clicked, the hosted file contains a malicious URL that steals the end user's credentials.
The following points describe how this attack works:
- End-user receives an email containing a link to a SharePoint document.
- The email body is identical to a standard SharePoint invitation to collaborate.
- End-user clicks the hyperlink in the email, thinking it is a legitimate work document.
- The end-user browser automatically opens a SharePoint file.
- The SharePoint file impersonates a standard access request for a OneDrive file.
- End-user clicks the Access Document hyperlink, which leads to a spoofed Office 365 login screen.
- End-user attempts to log in, at which point the PhishPoint authors harvest their credentials.
Note: when investigating this phishing attack through the message header, you will notice that all the relevant information looks the same as in any other email.
The values of Phishing Confidence Level, SPF, X-MS-Exchange-Organization, and multiple others are not identified as suspicious content.
How to Protect
To protect against the SharePoint Phishing Attack (PhishPoint), take the following actions:
- Configure an Exchange Transport Rule to block SharePoint URLs sent from an external domain
- Configure an Exchange Transport Rule to block SharePoint URLs sent from a spoofed domain
- Configure and apply MFA for end-users
- Educate end-users (from my point of view, it's useless because any user can be socially engineered)
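The first two actions, written out as Exchange Online mail flow rules. This is an added example, not part of the original article: the tenant name `contoso`, the domain `contoso.com` and the rule names are placeholders, and it assumes the ExchangeOnlineManagement module and an Exchange admin role. Both rules start in Audit mode so you can review what they would have caught before switching to Enforce.

```powershell
# Added example (not from the original article). Placeholders: 'contoso' is the
# tenant name, 'contoso.com' the tenant's primary accepted domain. Assumes the
# ExchangeOnlineManagement module is installed and the account holds an Exchange
# admin role.
Import-Module ExchangeOnlineManagement
Connect-ExchangeOnline

$tenant       = 'contoso'       # placeholder tenant name
$tenantDomain = 'contoso.com'   # placeholder accepted domain

# Any SharePoint Online / OneDrive for Business link (tenant.sharepoint.com,
# tenant-my.sharepoint.com). Exchange evaluates these as .NET regular expressions.
$anySharePointLink = 'https?://[a-z0-9-]+\.sharepoint\.com/'
# Only links that point at our own tenant.
$ownSharePointLink = "https?://$tenant(-my)?\.sharepoint\.com/"

# Rule 1: a message from outside the organization that carries a SharePoint Online
# link. Genuine internal collaboration invitations arrive in InOrganization scope,
# so external mail with such a link is held for review.
New-TransportRule -Name 'PhishPoint - external sender with SharePoint link' `
    -FromScope NotInOrganization `
    -SubjectOrBodyMatchesPatterns $anySharePointLink `
    -Quarantine $true `
    -Mode Audit `
    -Comments 'Holds external mail containing SharePoint Online links for review'

# Rule 2: a message that references our own SharePoint hostname but is sent from a
# domain that is not ours, i.e. a spoofed invitation. The sender-domain exception
# keeps real invitations from our accepted domain out of the rule.
New-TransportRule -Name 'PhishPoint - spoofed sender with our SharePoint link' `
    -FromScope NotInOrganization `
    -SubjectOrBodyMatchesPatterns $ownSharePointLink `
    -ExceptIfSenderDomainIs $tenantDomain `
    -Quarantine $true `
    -Mode Audit `
    -Comments 'Holds mail that links to our tenant but comes from a foreign domain'

# Confirm both rules exist and are still in Audit mode before enforcing them.
Get-TransportRule -Identity 'PhishPoint - *' | Format-List Name, Mode, State, Priority
```

Review the audit hits (the rules appear in message trace and the mail flow reports) for a couple of weeks, add exceptions for partner tenants that legitimately share documents with you, and only then switch `-Mode` to `Enforce` with `Set-TransportRule`.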