Microsoft’s Security Intelligence team has issued an alert to Office 365 users and admins to be on the lookout for a “crafty” phishing email with spoofed sender addresses. These emails are very convincing, and the attackers use several techniques to bypass phishing detection. Some of the techniques include an Office 365 phishing page, Google cloud web app hosting, and a compromised SharePoint site that urges victims to type in their credentials. The original sender addresses contain variations of the word “referral” and use various top-level domains. This phishing group is using Microsoft SharePoint in the display name to entice victims to click the link. The email poses as a “file share” request to access bogus “Staff Reports”, “Bonuses”, “Pricebooks”, and other content hosted in a supposed Excel spreadsheet. It also contains a link that navigates to the phishing page and plenty of Microsoft branding. The emails contain two URLs that have malformed HTTP headers, the first phishing URL relies on a Google storage resource that points the victim to the Google App Engine domain AppSpot. The second URL is embedded in the notifications settings which links the victim to a compromised SharePoint site. Both URLs require sign-in to get to the final page, allowing the attack to bypass which makes it sneakier than usual. Microsoft is taking action by proclaiming its ‘Safe Links’ Defender for Office 365 phishing protection feature that ‘detonates’ phishing email at the point a user clicks on a link that matches its list of known phishing pages.
