Security researchers have found a new phishing campaign that can bypass multi-factor authentication (MFA) on Office 365 to access victims’ data stored in the cloud. The attacker can then use that data to blackmail the victim into paying a Bitcoin ransom, or to find new victims to target. Researchers at Cofense Phishing Defense Centre discovered the tactic, which uses a malicious SharePoint link to trick users into granting permissions to a rogue application.

MFA adds a further security measure to a user’s account in case someone else has obtained the account password. It usually takes the form of a unique one-time password sent to the user’s phone number.

The attack differs from a typical ‘credential harvester’ (a tactic attackers use to steal people’s account details) in that it attempts to trick users into granting permissions to the application, which can bypass MFA. The email used in the attack looks like a typical invite to a SharePoint-hosted file; the file appeared to offer information about a salary increase, creating a good lure.

After clicking on the link, users are taken to the legitimate Microsoft Office 365 login page. However, closer inspection of the full, long-form URL reveals clues to its nefarious intentions that someone without technical experience might not notice. The URL used in the attack includes key parameters that show how the attacker can trick a victim into giving a rogue application permission to access his or her account.
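One way to read the long-form URL described above, as an added example that is not part of the original article or the researchers' report: the sketch below splits a Microsoft sign-in URL into the standard OAuth parameters (`client_id`, `redirect_uri`, `scope`) and flags the ones worth questioning. The sample URLs are constructed, and the redirect allowlist and scope watchlist are assumptions to adapt per organisation.

```python
from urllib.parse import urlsplit, parse_qs

# Assumptions (not from the article): the allowlist and the scope watchlist.
MS_LOGIN_HOSTS = {"login.microsoftonline.com"}
TRUSTED_REDIRECT_HOSTS = {"portal.example.com"}  # hypothetical, per organisation
BROAD_SCOPES = {"files.read.all", "files.readwrite.all", "mail.read",
                "contacts.read", "notes.read.all"}

def review_consent_url(url):
    """Break an OAuth authorization URL into the fields worth reviewing."""
    parts = urlsplit(url)
    # parse_qs decodes percent-encoding, so scope arrives space-separated.
    query = {k.lower(): v[0] for k, v in parse_qs(parts.query).items()}
    scopes = {s.lower() for s in query.get("scope", "").split()}
    redirect_host = (urlsplit(query.get("redirect_uri", "")).hostname or "").lower()
    findings = []
    # Exact host match: a lookalike such as login.microsoftonline.com.x.example fails.
    if (parts.hostname or "").lower() not in MS_LOGIN_HOSTS:
        findings.append("page is not served by the Microsoft sign-in host")
    # redirect_uri is where the authorization response is delivered after consent.
    if "redirect_uri" in query and redirect_host not in TRUSTED_REDIRECT_HOSTS:
        findings.append("redirect_uri points at unknown host " + redirect_host)
    # offline_access yields a refresh token, so access outlives the session.
    if "offline_access" in scopes:
        findings.append("offline_access requested (long-lived refresh token)")
    broad = sorted(scopes & BROAD_SCOPES)
    if broad:
        findings.append("broad data scopes requested: " + ", ".join(broad))
    return {"client_id": query.get("client_id"), "redirect_host": redirect_host,
            "scopes": sorted(scopes), "findings": findings}

# Constructed sample URLs (not taken from the campaign).
BASE = "https://login.microsoftonline.com/common/oauth2/v2.0/authorize"
SUSPICIOUS = (BASE + "?client_id=00000000-0000-0000-0000-000000000000"
              "&response_type=code"
              "&redirect_uri=https%3A%2F%2Ffiles.collector.example%2Fcallback"
              "&scope=offline_access%20contacts.read%20user.read"
              "%20notes.read.all%20files.read.all")
BENIGN = (BASE + "?client_id=11111111-1111-1111-1111-111111111111"
          "&response_type=code"
          "&redirect_uri=https%3A%2F%2Fportal.example.com%2Fauth"
          "&scope=openid%20profile")

if __name__ == "__main__":
    for name, url in (("suspicious", SUSPICIOUS), ("benign", BENIGN)):
        report = review_consent_url(url)
        print(name, report["client_id"], report["redirect_host"])
        for finding in report["findings"]:
            print("  -", finding)
```

The same fields can be checked in proxy or mail-gateway logs, where the full URL is available even when the user never looked at it.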

If a user falls for the malicious SharePoint link and signs in, they will then be asked to confirm one last time that they want to grant the application the permissions it needs. This phishing campaign is evidence of attackers adapting and finding new ways to steal people’s credentials and use them for nefarious purposes.

This is more evidence that we always need to stay vigilant with everything we do online. This kind of attack can be much harder to spot if the attackers are competent. Some of the tell-tale signs to look out for would be:
The URL of the website you are taken to: make sure the entire URL doesn’t contain any suspicious content, and always check to see if it has a padlock.
The sender’s address: check and double-check that the email is from a legitimate address, and if you are not sure, send it to your IT department.

At Cyber Wise we offer a range of training courses that can teach you and your employees how to spot the giveaway signs of a phishing campaign among various other courses that would be beneficial to you. If you would like to learn more, contact us today to find out how we can help.