A new phishing campaign is making the rounds. Scammers are taking advantage of a small but serious oversight in Microsoft’s Office 365 suite of online services to send phishing emails that are visually indistinguishable from legitimate work-related emails and appear completely safe. This new threat once again highlights the importance of training your first line of defense to deal with cyber threats as part of your organization’s cybersecurity strategy.
Researchers this week have come across an all-new phishing attack that has impacted an estimated 10% of Office 365 users worldwide. PhishPoint, as the campaign is dubbed, has a trick up its sleeve that most other phishing scams don’t: it goes beyond email and hosts the lure on SharePoint itself, so the link the victim receives really does point at a SharePoint document, and only the link inside that document leads to the credential-harvesting page.
How PhishPoint works:
- Victim receives email containing a link to a SharePoint document
- Email body is identical to a standard SharePoint invitation to collaborate
- Victim clicks the hyperlink in the email thinking it is a legitimate work document
- Victim's browser automatically opens a SharePoint file
- SharePoint file impersonates a standard access request to a OneDrive file
- Victim clicks on "Access Document" hyperlink that leads to a spoofed Office 365 login screen
- Victim attempts to log in, at which point their credentials are harvested by the PhishPoint authors
Executed well, the scam can easily lead to a catastrophic data breach. Microsoft’s link-scanning security layer does inspect links in the body of an email, but the link in a PhishPoint email points to a genuine file on SharePoint Online, so there is nothing to flag, and the scanner does not follow that link into the SharePoint document to check the URLs inside it. Even if it did, it could not blacklist the malicious URL inside the document without blacklisting the legitimate SharePoint URL that hosts it, which is indistinguishable from any other shared file. Researchers consider this a dangerous oversight.
The corporate gold mine
Stolen corporate domain usernames and passwords are in high demand on the dark web and on specialized underground forums. As more and more organizations move to cloud-based services, phishers are adjusting their techniques to steal those credentials with existing tooling, such as phishing kits.
Since September 2017, Bitdefender has recorded a small but steady increase in phishing messages that target Office 365 users and has uncovered several phishing kits being actively used to compromise credentials.
These phishing kits are usually stored on legitimate-but-compromised websites and are linked from generic-looking messages. Fake invitations to files hosted on SharePoint Online, notices of outstanding payments for Office 365 subscriptions, and warnings of upcoming account termination are the most common lures used to persuade victims into giving away their credentials. And since the messages aren’t branded with the visual identity of a specific company, these campaigns most likely target a wide pool of organizations rather than a few select companies.
Some of the phishing kits even have defense mechanisms of their own that let them fly under the radar and avoid blacklisting. Others refuse to submit the form if they detect junk text (text that doesn’t look like a password) in the password field. This check is most likely meant to keep the scammers’ database from filling up with invalid credentials that would lower its resale value on the black market.
What can hackers do with stolen credentials?
There’s a good reason why stolen corporate usernames and passwords are so valuable on the dark web. Actually, make that five reasons:
- Carry out elaborate phishing attacks against the company’s top management, sent from a trusted internal mailbox
- Run money-transfer fraud schemes that convince the finance department to wire large sums (i.e. CEO impersonation, also known as business email compromise)
- Lurk in the company’s mailboxes for any confidential information that can be monetized later
- Log into the company’s network via exposed Remote Desktop Protocol instances, wherever the same domain credentials are accepted, and infect the company with ransomware or other advanced threats
- Sort the stolen credentials by the victim company’s industry and resell them to cybercrime groups that target that specific vertical
Share the responsibility so you don’t share the blame
Solutions like Bitdefender GravityZone offer a mix of antimalware, malicious-URL and anti-phishing protections that can help against such a devious campaign. However, since PhishPoint requires the victim to click through several steps and type in their credentials, end users carry an important share of the responsibility for keeping their work credentials safe. After all, the malicious URL behind the spoofed Office 365 portal could just as easily hide something else, such as a malware-laced download.
This once again underlines the importance of regular staff training on current cyber threats, phishing chief among them, since it remains the most popular initial attack vector for ransomware operators and many other attackers.
So, what should office workers know in order to think twice before entering their username and password?
- Always check where a link leads before you click it: hovering the mouse cursor over a hyperlink reveals its real target. Just as important, check the address bar before you type a password. In PhishPoint the first link genuinely goes to SharePoint, so the reliable tell is that the sign-in page is not served from Microsoft’s real login domain. Make sure the page is hosted by the service that is actually asking you to log in.
- Be wary of any unsolicited or uncharacteristic request to enter your credentials, especially urgent-sounding emails asking you to “act now!” Scammers usually play on the victim’s psyche with scare tactics, pressuring them to enter their credentials to avoid an unpleasant outcome such as account deletion.
- Use two-factor authentication (2FA) for every service that offers it, including your personal accounts. Attackers won’t shy away from trying your personal Twitter or Facebook password against the corporate portal you use every day at work, a technique known as credential stuffing. Many people reuse the same password everywhere, and cybercrooks know it.
- Call your IT support desk on its known number to validate infrastructure changes or any urgent request that appears to come from them, and only act on those that have been confirmed. Bear in mind that your IT team never needs your account password for maintenance or “validation”; they have their own means of carrying out such actions.
- Last but not least, don’t skip your corporate IT security training. It’s important to stay up to speed with the latest cyber incidents and potential cyber threats. PhishPoint is a good example of how even someone trained to spot a typical phishing email may still fall victim, believing they are entering their credentials into a legitimate work portal.
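The advice above boils down to one check applied at each hop of the PhishPoint chain (the email link, the “Access Document” link inside the SharePoint file, and the sign-in page itself): where does the URL really lead? The script below is an added example, not code from the original article or from Bitdefender. It classifies a URL by the host the browser would actually contact and handles the tricks that defeat a quick glance: a brand name placed before `@` in the URL, a brand name used as a subdomain of an attacker-owned domain, punycode look-alike hosts, and plain `http`. The legitimate Microsoft login hosts, the tenant name `contoso`, the `.invalid` sample domains and the sample “access request” HTML are all assumptions constructed for the example.

```python
"""Where does that Office 365 sign-in link really go?

Added example for this article; not code from the original post or from Bitdefender.
The legitimate hosts below and the tenant name "contoso" are assumptions; replace
them with the values that apply to your own tenant.
"""
from html.parser import HTMLParser
from typing import Dict, List, Optional
from urllib.parse import urlsplit

# Hosts that serve a genuine Microsoft sign-in page (assumption: verify for your tenant).
LEGIT_LOGIN_HOSTS = {"login.microsoftonline.com", "login.microsoft.com", "login.live.com"}
# Your own tenant's SharePoint Online and OneDrive for Business hosts (assumed tenant "contoso").
TENANT_HOSTS = {"contoso.sharepoint.com", "contoso-my.sharepoint.com"}
# Brand words a phishing host may borrow to look trustworthy.
BRAND_TOKENS = ("microsoft", "office", "sharepoint", "onedrive", "live")


def browser_host(url: str) -> Optional[str]:
    """Return the lower-cased host the browser would connect to, or None if unparsable.

    urlsplit() discards any user:pass@ prefix, so a decoy such as
    https://login.microsoftonline.com@evil.invalid/ resolves to "evil.invalid".
    """
    try:
        host = urlsplit(url.strip()).hostname
    except ValueError:
        return None
    return host.lower() if host else None


def verdict(url: str) -> str:
    """Classify a URL by where it really leads. Only 'legit-login' is safe for a password."""
    try:
        parts = urlsplit(url.strip())
    except ValueError:
        return "unparsable"
    host = browser_host(url)
    if host is None:
        return "unparsable"
    if parts.scheme.lower() != "https":
        return "not-https"                  # a real Office 365 sign-in page is never plain http
    if "@" in parts.netloc:
        return "userinfo-decoy"             # brand name placed before '@' to fool a quick glance
    if any(label.startswith("xn--") for label in host.split(".")):
        return "punycode-host"              # internationalised label: possible homoglyph look-alike
    if host in LEGIT_LOGIN_HOSTS:
        return "legit-login"
    if host in TENANT_HOSTS:
        return "tenant-sharepoint"          # your own tenant's document library
    if host.endswith(".sharepoint.com"):
        return "foreign-sharepoint"         # genuinely hosted by Microsoft, but in someone else's tenant
    if any(token in host for token in BRAND_TOKENS):
        return "lookalike"                  # e.g. login.microsoftonline.com.evil.invalid
    return "other"


class _HrefCollector(HTMLParser):
    """Collect every <a href=...> target from a page such as the forged access-request document."""

    def __init__(self) -> None:
        super().__init__()
        self.hrefs: List[str] = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            href = dict(attrs).get("href")
            if href:
                self.hrefs.append(href)


def audit_links(html: str) -> Dict[str, str]:
    """Map each link found in the page to its verdict, in document order."""
    collector = _HrefCollector()
    collector.feed(html)
    return {href: verdict(href) for href in collector.hrefs}


# Constructed sample, not a real campaign artefact: a forged OneDrive access request like the
# one described above, whose "Access Document" link leaves Microsoft's domains behind.
SAMPLE_ACCESS_PAGE = """
<html><body>
<p>Someone shared a file with you on OneDrive.</p>
<a href="https://login.microsoftonline.com@docs-share.invalid/o365/">Access Document</a>
<a href="https://othertenant.sharepoint.com/sites/shared/Invoice.docx">Open in SharePoint</a>
<a href="https://login.microsoftonline.com/common/oauth2/authorize">Sign in</a>
</body></html>
"""

if __name__ == "__main__":
    for href, result in audit_links(SAMPLE_ACCESS_PAGE).items():
        print(f"{result:18s} {href}")
```

Run on the sample page, the “Access Document” link is reported as a userinfo decoy even though it starts with `login.microsoftonline.com`, the SharePoint link is flagged as hosted in a foreign tenant (the first hop of PhishPoint, legitimate hosting but not yours), and only the genuine Microsoft sign-in URL passes. The verdicts deliberately match hosts exactly or by dotted suffix rather than by substring, so `evilsharepoint.com` and `sharepoint.com.evil.invalid` are never mistaken for SharePoint.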
Both employers and their employees shoulder the responsibility of keeping the organization out of hackers’ reach. With cybercrime still on the rise as we move into the second half of 2018, these simple tips are more important than ever. Stay safe!