Recent phishing campaigns targeting Microsoft 365 users

Security challenges

Cybercriminals are persistent, if nothing else. Every time one of their deceptions gets discovered, they launch a new one to bypass Microsoft 365 security. Here are just a few examples of phishing attacks that have been causing cyber breaches over the past few years.

SharePoint phishing attacks

Named “PhishPoint,” this phishing attack bypassed Microsoft 365 Security by inserting malicious links into SharePoint documents. The attack looks identical to the standard SharePoint invitation, with the key difference being that the email hyperlink is a fake.

Users get deceived into clicking the link to access the file, but instead open a spoofed landing page where they are required to provide their Microsoft 365 login password. Once the hackers have farmed the user’s login from this fake page, they can get access to critical systems and continue the attack.

PDF attacks

Another credential type of attack can be done in the same way as the above SharePoint example. This time though, the malicious links are embedded in a PDF file that is attached to a legitimate-looking email.

Chained phishing attack

Both SharePoint and PDF attacks can be actually part of a bigger plan to penetrate and disrupt an Microsoft 365 organisation – and researchers at Fujitsu discovered a pattern to the attack. The chained phishing attack weaponises the previously discussed SharePoint or PDF attacks to gain a foothold with a user’s login credentials. Then once the user has been deceived into giving up their logins, the hackers target their address book – often filled with a mix of business and personal contacts.

The second stage allows the hackers to leverage the first victim’s existing relationships because of the trust already gained, often using informal easily subject lines such as “FYI” or “Order Review” in order to get the new victim to take an action. This cycle is repeated again and again, with the newly compromised victims keeping things going. After time, the harvested credentials are then used to compromise anything the victim has access to.

These campaigns hinge on a few themes. Some warn of low storage space. Others play on the storage theme and asks that a user activate “Quota” to address the problem. In both instances, the user is asked to enter their Microsoft 365 credentials. Some users will see the landing page by opening an HTML attachment and being forwarded; or they’ll click a direct link. Once a victim’s credentials are grabbed by the hackers, they’re passed on to the legitimate Microsoft login page.

Because of the trusted relationships that have already been established, a user will often click on a message from someone they have an association with. By abusing the existing trust relationships between vendors and acquaintances, the attackers have a wider attack surface of victims that will not be thinking of cybersecurity, and the deception carries on unnoticed.

The BaseStriker Attack

Microsoft 365 security uses a feature called Safe Links. As part of the company’s advanced threat protection (ATP) built-in to Microsoft 365, it works by replacing all URLs in an incoming email with Microsoft owned secure URLs. The idea is to reduce clicks to malicious links.

However, scammers were able to use a <base> tag (hence the scam’s name) to define a base URL that is used by all subsequent links regardless of whether they are replaced. So, when users clicked on the link, instead of directing it to the Microsoft domain, it instead sent people to the malicious link.

All these attacks have an impact within the Microsoft 365 environment. Not only are email and contact compromised by these phishing attacks, but businesses use their Microsoft 365 security credentials for One Drive, Share Point, Skype, Exchange, and the Microsoft 365 App store. This risks exposing proprietary IP and confidential data, and many avenues for data breaches and damaged reputation.

Protect your Microsoft 365 environment

The most effective way to prevent cyber breaches is to stop email phishing. By deploying intelligent anti-phishing software such as Egress Defend, any Microsoft 365 user within your business will be alerted to even the most sophisticated phishing emails that can easily bypass traditional systems.

Egress Defend users machine learning and natural language processing to assess every inbound email with pure objectiveness. It works unobtrusively in the background to detect even the most sophisticated forms of phishing and alert users in real time.

This not only prevents a user doing the wrong thing which causes an initial breach, but it gives system admins the real time intelligence to know that an active phishing campaign is taking place against them. This extra warning time allows cyber mitigation plans to be enacted and key personnel to be warned.

Learn more about Egress Defend here. Or if you’d like to know more about the dangers of phishing, you can explore our dedicated information hub.