Security experts from the cloud security firm Avanan have discovered a new technique dubbed PhishPoint, that was used by hackers to bypass Microsoft Office 365 protections.

PhishPoint is a new SharePoint phishing attack that affected an estimated 10% of Office 365 users over the last 2 weeks.

The experts are warning of the new technique that was already used in attacks by scammers and crooks to bypass the Advanced Threat Protection (ATP) mechanism implemented by most popular email services, Microsoft Office 365.

“Over the past two weeks, we detected (and blocked) a new phishing attack that affected about 10% of Avanan’s Office 365 customers. We estimate this percentage applies to Office 365 globally. PhishPoint marks an evolution in phishing attacks, where hackers go beyond just email and use SharePoint to harvest end-users’ credentials for Office 365.” reads the analysis published by Avanan.

“Essentially, hackers are using SharePoint files to host phishing links. By inserting the malicious link into a SharePoint file rather than the email itself, hackers bypass Office 365 built-in security. “

In a PhishPoint attack scenario, the victim receives an email containing a link to a SharePoint document. The content of the message is identical to a standard SharePoint invitation to collaborate.

Once the user clicked the hyperlink included in the fake invitation, the browser automatically opens a SharePoint file.

The SharePoint file content impersonates a standard access request to a OneDrive file, with an “Access Document” hyperlink that is actually a malicious URL that redirects the victim to a spoofed Office 365 login screen.

This landing page asks the victim to provide his login credentials.

Experts highlighted that Microsoft protection mechanisms scan the body of an email, including the links provided in it, but since the URL points to an actual SharePoint document, the protections fail in identifying the threat.

“To protect against potential threats, Office 365 scans links in email bodies to look for blacklisted or suspicious domains. Since the link in the email leads to an actual SharePoint document, Microsoft did not identify it as a threat.” the researchers said.“The crux of this attack is that Microsoft link-scanning only goes one level deep, scanning the links in the email body, but not within files hosted on their other services, such as SharePoint. In order to identify this threat, Microsoft would have to scan links within shared documents for phishing URLs. This presents a clear vulnerability that hackers have taken advantage of to propagate phishing attacks. In order to identify this threat, Microsoft would have to scan links within shared documents for phishing URLs. This presents a clear vulnerability that hackers have taken advantage of to propagate phishing attacks,” The problem is that Microsoft cannot blacklist links associated with SharePoint documents.

“Even if Microsoft were to scan links within files, they would face another challenge: they could not blacklist the URL without blacklisting links to all SharePoint files. If they blacklisted the full URL of the Sharepoint file, the hackers could easily create a new URL.”

Experts recommend being suspicious of the URLs in the email body if it uses URGENT or ACTION REQUIRED in the subject line.

Every time a login page is displayed it is necessary to double check the address bar in the web browser to discover if the link points to a legitimate resource, and of course, always use two-factor authentication (2FA).

If you are interested in other attack techniques discovered in the last months by Avanan give a look at the post titled “Five Techniques to Bypass Office 365 Protections Used in Real Phishing Campaigns”

Pierluigi Paganini

( Securi ty Affairs – Phishing, PhishPoint )

Share this...

Linkedin Reddit Pinterest

Share On