
Office 365 Email PhishPoint Attack


This content has been archived

This article no longer conforms to NHS Digital's standards for cyber alerts, and may contain outdated or inaccurate information. Use of the information contained in this page is at your own risk.

Summary

PhishPoint is a new phishing attack method that is estimated to have affected up to 10% of Office 365 users worldwide at the time of publication.

Threat details

Attackers send emails containing links that lead to a SharePoint document. This document appears similar to a OneDrive file access request, with a link saying 'Approve Document' at the bottom. This further link actually leads to a malicious URL spoofing the Office 365 login screen, enabling the attackers to harvest user credentials.

The emails are not blocked by Microsoft's security systems because the links they contain lead to SharePoint, and the links within SharePoint documents are not currently scanned.
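
A triage check for the second hop described above, as an added example (not code from NHS Digital or Microsoft): it parses the HTML of a SharePoint-hosted document and flags links that leave trusted Microsoft hosts while carrying lure text such as 'Approve Document' or a login look-alike URL. The host allowlist, the phrase lists and the `SAMPLE` document are assumptions constructed for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Assumptions: trusted sign-in/SharePoint hosts and lure phrases; tune per tenant.
TRUSTED = ("login.microsoftonline.com", "sharepoint.com", "office.com")
LURES = ("approve document", "view document", "sign in")
LOGIN_HINTS = ("login", "signin", "office365", "o365")

class AnchorCollector(HTMLParser):  # gathers (href, visible text) for each <a>
    def __init__(self):
        super().__init__()
        self.anchors, self._href, self._text = [], None, []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href") or "", []
    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)
    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.anchors.append((self._href, " ".join("".join(self._text).split())))
            self._href = None

def is_trusted(host):
    # Exact host or true subdomain only, so "sharepoint.com.example.net" is not trusted.
    return any(host == t or host.endswith("." + t) for t in TRUSTED)

def suspicious_links(document_html):
    """Return [(href, text, reasons)] for off-domain links that resemble a login lure."""
    collector, findings = AnchorCollector(), []
    collector.feed(document_html)
    for href, text in collector.anchors:
        try:
            parts = urlsplit(href)
        except ValueError:  # unparseable href, nothing to resolve
            continue
        host = (parts.hostname or "").lower()
        if parts.scheme not in ("http", "https") or is_trusted(host):
            continue
        reasons = [name for name, hit in (
            ("lure-text", any(p in text.lower() for p in LURES)),
            ("login-lookalike", any(h in (host + parts.path).lower() for h in LOGIN_HINTS)),
        ) if hit]
        if reasons:
            findings.append((href, text, reasons))
    return findings

# Constructed sample: body of a SharePoint-hosted document (hosts are placeholders).
SAMPLE = ('<p>Shared file</p><a href="https://contoso.sharepoint.com/doc">Open</a>'
          '<a href="https://office365-login.example.net/signin">Approve Document</a>')
```

Calling `suspicious_links(SAMPLE)` returns only the off-domain 'Approve Document' link, with both reasons attached; the in-tenant SharePoint link is ignored.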


Remediation steps


Last edited: 17 February 2020 12:51 pm