Last month, cloud security vendor Avanan posted a blog entitled “PhishPoint: New SharePoint Phishing Attack Affects an Estimated 10% of Office 365 Users.” The article said that hackers are using SharePoint files to host phishing links, and by doing so, they can bypass Office 365 built-in security.
The blog post has been picked up by several other media, including Inside Security, MSSP Alert, Security Affairs, Latest Hacking News, and Computer Business Review, among others.
On the other hand, a Microsoft employee says it’s fake.
Avanan says the PhishPoint attack works like this:
1. The victim receives an email containing a link to a SharePoint document. The body of the message is identical to a standard SharePoint invitation to collaborate.
2. After clicking the hyperlink in the email, the victim’s browser automatically opens a SharePoint file. (File rights allow access to anyone with the link.) The SharePoint file content impersonates a standard access request to a OneDrive file, with an “Access Document” hyperlink that is actually a malicious URL.
3. The link within the SharePoint file directs the user to a spoofed Office 365 login screen. When the user attempts to log in, their credentials are harvested by the hacker.
Avanan says PhishPoint bypasses Office 365 Security like this:
“To protect against potential threats, Office 365 scans links in email bodies to look for blacklisted or suspicious domains. Since the link in the email leads to an actual SharePoint document, Microsoft did not identify it as a threat.
“The crux of this attack is that Microsoft link-scanning only goes one level deep, scanning the links in the email body, but not within files hosted on their other services, such as SharePoint. In order to identify this threat, Microsoft would have to scan links within shared documents for phishing URLs. This presents a clear vulnerability that hackers have taken advantage of to propagate phishing attacks.
“Even if Microsoft were to scan links within files, they would face another challenge: they could not blacklist the URL without blacklisting links to all SharePoint files. If they blacklisted the full URL of the SharePoint file, the hackers could easily create a new URL by uploading a new file with similar content to SharePoint.”
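The disagreement above comes down to scanning depth: whether a mail filter checks only the links in the message body, or also follows a link into the hosted document and checks the links found there. The following Python is an added illustration of that difference, not code from the article, from Avanan or from Microsoft. The email text, the SharePoint-style document text, the hostnames, the trusted-host set and the blocklist entry are all constructed for the example; the `HOSTED_DOCS` dictionary stands in for fetching the shared file.

```python
"""Added example: one-level link scanning versus scanning that also follows
links into hosted documents. Every string below is constructed for
illustration (hostnames use reserved example domains; nothing is a real IoC)."""
import re
from urllib.parse import urlparse

URL_RE = re.compile(r'https?://[^\s"\'<>]+')

# Constructed blocklist of known-bad hosts and the tenant's own sharing host.
BLOCKLIST = {"login-0ffice365-verify.example.net"}
TRUSTED_SHARE_HOSTS = {"contoso.sharepoint.example.com"}

# Constructed stand-in for fetching a shared file: first-hop URL -> file text.
HOSTED_DOCS = {
    "https://contoso.sharepoint.example.com/sites/team/Shared/invoice.docx":
        "A colleague shared a file with you.\n"
        "Access Document: https://login-0ffice365-verify.example.net/owa",
}

# Constructed message body: the only link points at the legitimate share host.
EMAIL_BODY = (
    "Hi, a document has been shared with you on SharePoint.\n"
    "Open: https://contoso.sharepoint.example.com/sites/team/Shared/invoice.docx"
)


def extract_links(text):
    """Return every http(s) URL found in a piece of text."""
    return URL_RE.findall(text)


def host_of(url):
    return urlparse(url).hostname or ""


def classify(url, depth):
    """Reason a link should be flagged, or None if it looks benign.

    depth 1 = link in the mail body; depth 2 = link inside a hosted document.
    """
    if host_of(url) in BLOCKLIST:
        return "blocklisted host"
    if depth > 1 and host_of(url) not in TRUSTED_SHARE_HOSTS:
        return "external host reached through a hosted document"
    return None


def scan_one_level(body):
    """Model of a filter that checks only the links in the message body."""
    return [(u, r) for u in extract_links(body) if (r := classify(u, 1))]


def scan_nested(body, fetch=HOSTED_DOCS.get, max_depth=2):
    """Follow first-hop links into hosted documents and check their links too."""
    flagged, seen = [], set()
    frontier = [(u, 1) for u in extract_links(body)]
    while frontier:
        url, depth = frontier.pop()
        if url in seen:
            continue
        seen.add(url)
        reason = classify(url, depth)
        if reason:
            flagged.append((url, reason))
        if depth < max_depth:
            doc = fetch(url)  # only resolves for URLs in the constructed store
            if doc:
                frontier.extend((u, depth + 1) for u in extract_links(doc))
    return flagged


if __name__ == "__main__":
    print("one level:", scan_one_level(EMAIL_BODY))
    print("nested:   ", scan_nested(EMAIL_BODY))
```

Note that the nested scanner decides on the host of the final destination, not on the URL of the SharePoint file, which is the point Avanan makes about blocking the file URL: a freshly uploaded copy gets a new file URL, but the credential-harvesting page it points at is the same, so that is the value worth blocking or alerting on.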
Microsoft Replies (Sort Of…)
Surprisingly, Microsoft has remained silent. Almost. In a very obscure place, a reply to a comment on an article about Advanced Threat Protection, Microsoft Security, Privacy & Compliance employee Debraj Ghosh wrote:
“Thanks for your comment. Do you have any actual samples that impacted your tenant where ATP is turned on and missed a PhishPoint threat? If so, please create a support ticket; we’ll be happy to take a look.
“If you are just basing your comment on the recent article, you should note that they do not mention any of our services and simply make a blanket statement that we don’t have protection for PhishPoint.
“ATP is designed to stop PhishPoint and does. The company that wrote that report has historically written blog posts to create Fear, Uncertainty, and Doubt (FUD) in Office 365 security to help market and sell their own products. We see one of their blogs on something that they claim Office 365 misses almost every month. It is nothing new, and it is not true.
“Please reach out to your account rep who can go into the details on how Office 365 ATP is designed to protect against PhishPoint. You can also read our support article here:
The support article discusses how ATP identifies and isolates malicious files, including SharePoint files.
We contacted Avanan and the article’s author, Reece Guida. He replied in an email that, “You’re absolutely right: Microsoft does identify malicious SharePoint files. From what we observed on our end, however, it seems that Microsoft did not scan the links contained inside those files. This explains how the hacker planted the malicious link within a clean SharePoint file.” In other words, Avanan is sticking by its story.
We were unable to arrange an interview with Microsoft by our deadline. Perhaps someday the truth will come out.