Cyber criminals are persistent if nothing else.  Every time one of their deceptions gets discovered, they launch a new one to bypass Office 365 security.  Here are just a few examples of phishing attacks that were successful in causing cyber breaches in 2018.

SharePoint Phishing Attacks

Named “PhishPoint,” this phishing attack bypasses Office 365 Security by inserting malicious links into SharePoint documents.  This attack looks identical to the standard SharePoint invitation. The difference is that this email hyperlink is a fake. Users get deceived into clicking the link to access the file, but what opens is a spoofed landing page where the victim is required to provide their Office 365 login passwords. Once the hackers have the user’s logins, they can get access to critical systems, and continue the attack.

PDF Attacks

Another type of credential attack works the same way, but this time the malicious links are embedded in a PDF file that is attached to a legitimate-looking email.

Chained Phishing Attack

Both SharePoint and PDF attacks can actually be part of a bigger plan to penetrate and disrupt a company. The chained phishing attack weaponises the previously discussed SharePoint or PDF attacks to gain a foothold with a user’s login credentials. However, researchers at Fujitsu discovered a pattern to the attack. Once the user has been deceived into giving up their logins, the hackers target that victim’s address book, often filled with a mix of business and personal contacts.

The second stage allows the hackers to leverage the first victim’s existing relationships because of the trust already gained, often using informal subject lines such as “FYI” or “Order Review” in order to get the new victim to take an action.

The cycle is repeated again and again, with the newly compromised victims keeping things going. Over time, the harvested credentials are used to compromise anything the victim has access to.

Because of the trusted relationships that have already been established, a user will often click on a message from someone they have an association with. By abusing the existing trust relationships between vendors and acquaintances, the attackers gain a wider attack surface of victims who will not be thinking about cyber security, and the deception carries on unnoticed.

These campaigns hinge on a few themes. Some warn of low storage space. Others play on the storage theme and ask that a user activate “Quota” to address the problem. In both instances, the user is asked to enter their Office 365 credentials. Some users will see the landing page by opening an HTML attachment and being forwarded, while others will click a direct link. Once a victim’s credentials are grabbed by the hackers, they’re passed on to the legitimate Microsoft login page.

The BaseStriker Attack

Office 365 security uses a feature called Safe Links. As part of the company’s advanced threat protection (ATP) built into Office 365, it works by replacing all URLs in an incoming email with Microsoft-owned secure URLs. The idea is to reduce clicks on malicious links. However, scammers were able to use a <base> tag (thus the name) to define a base URL that is used by all subsequent links regardless of whether they are replaced. So, when users clicked on the link, instead of being directed to the Microsoft domain, they were sent to the malicious link. The good news is that there has been only one instance of the BaseStriker campaign detected, but the bad news might be that it is being saved and readied for a huge campaign later.
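
A defensive check for the <base> tag technique described above, as an added example that is not part of the original article: it parses an HTML email body, records the first <base href>, and reports each relative link together with the URL it actually resolves to. The function and class names and the sample message (using the reserved .example domain) are assumptions constructed for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlparse

# Constructed sample body: one relative link that depends on <base>, one absolute link.
SAMPLE_HTML = """<html><head><base href="https://phish.example/landing/"></head>
<body><a href="doc/view.html">Open document</a>
<a href="https://www.microsoft.com/">Microsoft</a></body></html>"""


class BaseTagAuditor(HTMLParser):
    """Collects the first <base href> and every <a href> in an HTML email body."""

    def __init__(self):
        super().__init__()
        self.base_href = None
        self.links = []

    def handle_starttag(self, tag, attrs):
        href = dict(attrs).get("href")
        if not href:
            return
        if tag == "base" and self.base_href is None:
            self.base_href = href  # only the first <base href> is honoured
        elif tag == "a":
            self.links.append(href)


def audit_email_html(html):
    """Return (base_href, findings) where findings are links whose target is set by <base>."""
    auditor = BaseTagAuditor()
    auditor.feed(html)
    auditor.close()
    findings = []
    for href in auditor.links:
        if urlparse(href).scheme or href.startswith("//"):
            continue  # absolute URL: <base> does not change where it points
        if auditor.base_href:
            # Resolve the relative href the way a mail client or browser would.
            findings.append({"href": href,
                             "effective_url": urljoin(auditor.base_href, href)})
    return auditor.base_href, findings


if __name__ == "__main__":
    base, findings = audit_email_html(SAMPLE_HTML)
    print("base href:", base)
    for item in findings:
        print("relative link", item["href"], "resolves to", item["effective_url"])
```

Any message that yields a non-empty findings list carries links whose visible href differs from the real destination, so the effective URL is the one to submit to reputation checks or quarantine rules.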

All these attacks have an impact within the Office 365 environment. Not only are email and contacts compromised by these phishing attacks, but businesses also use their Office 365 security credentials for OneDrive, SharePoint, Skype, Exchange, and the Office 365 App store. This not only potentially exposes proprietary IP and confidential data, but also allows many avenues out of the business which could expose the breach and harm a company’s reputation.