Attacks Against Office 365 Continue

Since Office 365 is the dominant office productivity suite, knocking Google on it’s butt, it is not a surprise that hackers are going after it hard.  To compare, I didn’t find great numbers and Google probably does not want me to do this comparison, but Office has 120 million paid users as of 2017 and Google has about 3 million paid users.  It is obvious why hackers go after Office.  To be fair, Google has a boatload of free users, but since those are predominantly consumers and really small businesses, the amount and quality of data to steal makes those free users a much less compelling target.

About a month ago, scammers were using emails with text in zero point type to bypass Microsoft’s security tools.  Apparently, Microsoft must of thought, if you can’t see it (after all zero is small), it can’t be a problem.  Not so.

Then hackers figured out a way to split URLs into pieces to fool Microsoft.

Now that Microsoft has closed those loopholes (the sheer beauty of cloud software – make a fix and in a few seconds, 120 million users are protected), the hackers have moved on.

So what are the hackers doing now?

In this attack, the victim receives an email with a link to collaborate on a Sharepoint document.  Of course, this email is a scam.  When the user clicks on the link in the invitation, the browser opens a Sharepoint file.

Inside the Sharepoint file is a button to open a linked One Drive file.  That link is malicious and at that point the game is over.  The hacker has the user’s Office credentials, since that is required to open the One Drive file and has installed malware on the victim’s computer.

Unfortunately, for a number of reasons, there is no easy way to block this attack.

So what should you do?

First, if you have two factor authentication turned on (everyone should!), then stealing your password is a much less effective attack.

Next, be suspicious.  Check the address link, ask why you are getting this collaboration request.  Check OUT OF BAND if the person who you think sent the request actually did send it (like talk to the person on the telephone using that antique VOICE feature).

Third, hover over links first and look at the underlying address.  If you can’t see the address or it doesn’t look right, stop and talk to your security team.

User training is key here and there are some very cost effective solutions out there.

And, of course, if you have questions, contact us.

Information for this post came form The Hacker News.

Leave a Reply

Your email address will not be published.