Office 365 Phishing Campaign Hides Malicious URLs in SharePoint Files

microsoft outlook breach

Researchers say the “PhishPoint” tactic has already impacted 10 percent of Office 365 users globally.


Researchers have detected a new phishing campaign that mainly targets Office 365 customers to harvest their credentials.

The campaign, dubbed “PhishPoint,” is spread to victims via emails containing a SharePoint document and invitation to collaborate. However, when clicked, the file contains a malicious URL that snatches end users’ credentials.

“PhishPoint marks an evolution in phishing attacks, where hackers go beyond just email and use SharePoint to harvest end-users’ credentials for Office 365,” said Avanan researchers in a post about the phishing campaign, Tuesday.

Click to expand

So far, the campaign has impacted 10 percent of Avanan’s Office 365 customers – and researchers estimate that this percentage “applies to Office 365 globally.”

Michael Landewe, founder of Avanan, told Threatpost that he first saw a sharp spike in the phishing campaign about three weeks ago: “It has either started using a larger list of pre-compromised accounts, or it has hit a critical mass of compromised accounts,” he said. “Or, there is a new group using the method and not as careful as the first group.”

Avanan researchers, who first discovered the campaign, said that the victim first receives an email containing a link to a SharePoint document. Victims’ emails were most likely harvested via a previous attack or were purchased from other bad actors, Landewe said. The message purports to be a standard SharePoint invitation to collaborate.

After clicking the hyperlink in the email, the victim’s browser will automatically open a SharePoint file, the content of which impersonates a standard access request to a OneDrive file. The OneDrive file contains an “Access Document” hyperlink which, in reality, is a malicious URL.

The link within the SharePoint file directs the user to a spoofed Office 365 login screen. When the user attempts to login, their credentials are harvested by the hacker.

“This attack specifically targets Office 365 credentials,” Landewe told us. “Once the user entered their credentials, they were redirected to a legitimate Office site where they would be none the wiser. If the new credentials were used, the attackers would upload a file into that person’s SharePoint account and send an invite from SharePoint (rather than from the user’s account).”

Click to expand

Office 365 does scan links in email bodies to look for blacklisted or suspicious domains – however, because the link in the email leads to an actual SharePoint document, Microsoft did not identify it as a threat.

“The crux of this attack is that Microsoft link-scanning only goes one level deep, scanning the links in the email body, but not within files hosted on their other services, such as SharePoint,” researchers said in their post.

In order to identify this threat, Microsoft would have to scan links within shared documents for phishing URLs, researchers added: “This presents a clear vulnerability that hackers have taken advantage of to propagate phishing attacks.”

Even if Microsoft did scan links within files, there’s an additional challenge: The URL couldn’t be blacklisted without blacklisting links to all SharePoint files. “If they blacklisted the full URL of the Sharepoint file, the hackers could easily create a new URL by uploading a new file with similar content to SharePoint,” researchers explained.

A Microsoft spokesperson told Threatpost that: “Contrary to Avanan’s marketing claims, there are multiple layered defenses in Office 365 that detect this type of attack. We encourage users to check the authenticity of the links prior to clicking them, avoid opening links in emails from senders they don’t recognize, or visiting unsecure sites.”​

Researchers believe that specific companies are being targeted. “We have seen it in [Fortune] 500 companies in the U.S., as well as small, under-100-person companies in Europe,” said Landewe.

Phishing attacks continue to increase and adopt new tactics – and spam is increasing accordingly. A recent report this week by Kaspersky Lab found that spam email, in particular, remains a top phishing tactic. In the second quarter of 2018, the amount of spam peaked in May up to 51 percent; while the average share of spam in email traffic worldwide was 50 percent.

To protect themselves, researchers said there are basic good practices that companies can take, including being aware of any email subject line that capitalizes buzzwords for workplace stress (like “Urgent” or “Action Required”), and staying suspicious of any URLs that show up in the body of emails.

This article was updated on August 16 at 8 a.m. with a comment from Microsoft.

Suggested articles

It’s Not the Trump Sex Tape, It’s a RAT

Criminals are using the end of the Trump presidency to deliver a new remote-access trojan (RAT) variant disguised as a sex video of the outgoing POTUS, researchers report.

biggest headlines 2020

The 5 Most-Wanted Threatpost Stories of 2020

A look back at what was hot with readers — offering a snapshot of the security stories that were most top-of-mind for security professionals and consumers throughout the year.