A very convincing and sophisticated phishing attempt was observed last week, and it was not successful only because of end-user hyper-vigilance. This attempt involved the legitimate use of Microsoft (SharePoint) services, devised purely to lower your guard.
The sequence of events was as follows:
An email was received from a known contact, asking the recipient whether a previous email had been received. This email contained no links or attachments, and the contact’s signature was included. The recipient responded “no”, upon which a reply arrived containing a link to a SharePoint document. Clicking the link presented a document for download; once it was opened, the following page was displayed:
At first glance, it appears to be the standard Microsoft login page that is normally presented when opening a shared document. However, a closer look at the URL shows storage.googleapis.com, and the favicon shows a Google logo; both are clues that this was not a legitimate Microsoft site. Below is the authentic Microsoft login page:
Two things indicate that this page is genuine:
- The favicon is the Microsoft logo, and
- The URL contains login.microsoftonline.com
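The URL check above is the one a user performs by eye. Below is an added example (not part of the original post, and not tooling from Microsoft or Google) that makes the same check programmatic, for instance in a mail-gateway script or a security-awareness demo. It parses the URL and compares the exact hostname against a small allowlist of expected login hosts, which is stricter than asking whether the string "login.microsoftonline.com" appears anywhere in the URL, and it is run over constructed sample URLs, including a look-alike host, to show where the two approaches differ. The allowlist and all sample URLs are assumptions made for the example.

```python
from urllib.parse import urlsplit

# Hosts on which entering Microsoft 365 credentials is expected.
# Constructed allowlist for this example; the post itself names only
# login.microsoftonline.com.
TRUSTED_LOGIN_HOSTS = {"login.microsoftonline.com"}


def login_host_is_trusted(url: str) -> bool:
    """Return True only when the URL uses https and its parsed hostname is
    exactly one of the trusted login hosts (no substring or suffix matching)."""
    parts = urlsplit(url)
    if parts.scheme.lower() != "https":
        return False
    # urlsplit().hostname strips userinfo (user:pass@) and the port and
    # lowercases the result; a trailing dot is removed so "host." == "host".
    host = (parts.hostname or "").rstrip(".")
    return host in TRUSTED_LOGIN_HOSTS


def naive_substring_check(url: str) -> bool:
    """The weaker 'does the URL contain the expected name' check, kept only to
    compare against the hostname check."""
    return "login.microsoftonline.com" in url.lower()


# Constructed sample URLs (the .test TLD is reserved for examples).
SAMPLE_URLS = [
    # genuine login host
    "https://login.microsoftonline.com/common/oauth2/authorize?client_id=x",
    # the kind of host seen in the incident described above
    "https://storage.googleapis.com/some-bucket/index.html",
    # look-alike: trusted name is only a prefix of the real host
    "https://login.microsoftonline.com.example-lookalike.test/login",
    # trusted name appears only in the query string
    "https://example-redirector.test/?next=login.microsoftonline.com",
    # trusted name appears only in the userinfo part; real host is after the @
    "https://login.microsoftonline.com@example-host.test/",
    # right host, wrong scheme
    "http://login.microsoftonline.com/common/",
]


def evaluate(urls):
    """Return (url, hostname_check, substring_check) for each URL so the two
    verdicts can be compared side by side."""
    return [(u, login_host_is_trusted(u), naive_substring_check(u)) for u in urls]


if __name__ == "__main__":
    for url, strict, naive in evaluate(SAMPLE_URLS):
        verdict = "TRUSTED" if strict else "untrusted"
        print(f"{verdict:9}  substring-check={naive!s:5}  {url}")
```

Only the first URL passes the hostname check, while the substring check also accepts the look-alike host, the redirect parameter and the userinfo trick. The same exact-host comparison is what a user should apply mentally: the expected name must be the whole hostname shown in the address bar, not merely present somewhere in the URL.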
Attacks such as these are the most successful of their kind because they rely on social engineering: the email came from a trusted sender, it contained no links or suspicious attachments, the link that followed led to a genuine SharePoint site, and the document opened to a page closely resembling the Microsoft login page.
User vigilance is the strongest defence against any type of phishing attempt. Because of the attack's craftiness, it was not initially flagged by any technological control: Microsoft ATP, anti-virus, or malicious-link blocking. Eventually, Microsoft ATP blocked the SharePoint link.
Users should never depend on technology alone to keep them safe. Always verify the site before entering credentials on any page opened from a link, especially one received by email. The battle over data is getting fiercer, and end-users are the final line of defence.
If you are using Office 365 and you are not using Advanced Threat Protection (ATP) and Multi-factor Authentication (MFA) ask us today how we can help.
Do not click on links in unsolicited emails or download unsolicited attachments.