The attack dubbed “PhishPoint” by Cloud Security vendor Avanan demonstrates the craftiness and extent cybercriminals will go to in order to harvest Office 365 credentials.
I’ve talked about how context can be a major influencer in the success of any social engineering attack. This latest attack uses several familiar aspects of O365 to lull potential victims into an assumption everything is above board.
Here’s how the PhishPoint attack works:
The user receives the malicious email – They confirm there is often the use of URGENT or ACTION REQUIRED to instill a sense of immediacy to respond. The email contains a link to a SharePoint Online-based document.
The link directs to SharePoint – Attackers are using true-to-form SharePoint Online-based URLS, which adds credibility and legitimacy to the email and link, since the user is being directed to a known-good hosting site.
Users are shown a OneDrive prompt – The SharePoint file impersonates a request to access a OneDrive file (again, a known cloud entity), with an "Access Document" hyperlink that is actually a malicious URL.
Users are presented with an Office 365 logon screen – Here is where the scam takes place. Using a very authentic-looking logon page where the cybercriminals harvest the user’s credentials.
What makes this attack so evil is that even Microsoft didn’t see this one coming. While they scan emails for suspicious links and attachments, a link to their own SharePoint Online wouldn’t be considered malicious.
And, since Microsoft isn’t scanning files hosted on SharePoint, they left attackers with an easy means to utilize the very platform on which they are trying to con users of their credentials.
Users stepped through new-school security awareness training have a better chance of spotting the telltale signs of online malice. In this specific scam, several factors stood out:
The email was unsolicited and had a generic subject of “ has sent you a OneDrive for Business file”
Opening the document required several user-initiated steps
The URL for the logon page wasn’t on the office365.com domain
This scam represents the risk associated with cloud-based applications. Using context and services users are familiar with, scammers can take advantage of the lowered level of alertness and gain access to corporate resources online – all without the organization ever knowing.
I suggest you send the following to any of your employees that use O365. You're welcome to copy, paste, and/or edit:
Be on alert! The bad guys have a new way of stealing your login credentials. They target you by sending you an invite via email to open a SharePoint document. The link takes you to an actual SharePoint page where you will see a OneDrive prompt. The prompt will have an “Access Document” link in it- don’t click this link!
This link is malicious and will take you to a fake Office 365 login screen. Any credentials you enter here will be sent to the bad guys. Don't be tricked.
Whenever you're submitting login credentials to any site, make sure to check the URL of the page for accuracy. Also, remember to always hover over links to see where they are taking you. Remember, Think Before You Click.
So Now the Key Question: "How do I protect myself/my employees from PhishPoint and other Phish Attacks?"
Did you know every employee is a security risk?
Did you know that one click on a malicious email can compromise your entire network?
Did you know that 91% of successful data breaches started with a phishing attack?
Did you know that every employee, from the secretary to the CEO, is a target and risk and they need Security Awareness Training.
What is Security Awareness?
Security Awareness is the process of making people aware of the risks to things of value and how to safeguard against those risks.
Why you need to know?
The ongoing and increasingly pernicious spate of cyber attacks – Ransomware, DDoS, Phishing, Bots, Trojans and targeted corporate espionage and malware, all underscore the need for heightened security and security awareness training. The executive suite is especially a rich target for attack.
What are typical objections to Security Awareness Training? What are our solutions?
It is too expensive. Response: It is insignificant to the cost of incurred due to cyber breaches. Costs of data loss, lost time, lost productivity, ransoms payment and other real infrastructure costs can be significant. Not to mentions the potential of liability costs, insurance deductibles costs (if you even have Cyber coverages), court costs and liability payments. Solutions: We offer a low cost, easily implemented training solution on a per user basis.
It takes too much time. Time is no argument to the potential risk and cost. Solution: Our training is done at the users workstation and typically takes less than an hour.
I know everything already: Sure you do. But does the CEO, does the secretary? What about your other co-workers. It is statistically a fact that over 80% of users will fail our Basic Cyber Security Awareness quiz. Drill down on the other risk you overlook and get training to day to mitigate your human risks.
How to implement Security Awareness?
Promote Security as a cultural and behavioral change.
Focus on long-term patterns and attitudes about Security.
Focus on security-enabling people, not restricting rules.
Make Security something everyone can understand.
Show how security applies to all parts of digital life - at work and at home.
Implement a training program that teaches facts and risks associated with computer use and Human Behavior.
Did you know Expand Learning Solutions is a KnowBe4 partner? We can help get you set up with some simple awareness training that you manage with a few simple mouse clicks. Contact us today for more details and let this affordable training solution inoculate your employees against security threats!