Office 365 Phishing Attacks Targeting SMEs Near You

A recent spate of phishing attacks has seen criminals stealing passwords for business Office 365 accounts. The criminals are then using compromised email accounts to target the victim’s contacts. We have seen an increasing number of SMEs caught out by this over the last two months. Find out how to recognise and respond to these attacks by reading on.

Overview of the Attacks

The attacks begin with an email that you receive from a known contact. The email looks like other emails that you may have had from that contact, therefore it looks legitimate. The email encourages you to click on a link, just like many phishing attacks do. The linked web page asks you to sign in using Office 365. If you sign in, the criminals obtain your password and can log on to your email account. They then continue the attack by emailing your contacts from your email address, potentially damaging your reputation in the process.

Example 1: OneDrive

The following screenshot is one example of these phishing emails that we have seen:

Sample Office 365 phishing email.

The victim is encouraged to click on a link to view a document that could not be attached to the email. If the victim clicked on the link, they were taken to a Microsoft sign in form like that shown below:

Fake OneDrive sign in form.

Strange links are a big giveaway for phishing attacks, however in this case the URL didn’t seem so strange: https://1drv.ms/.

Example 2: Adobe Document Cloud

The screenshot below shows another example of these phishing emails:

Sample Office 365 phishing email.

In this case the email mimics Adobe Document Cloud. Clicking the link took the victim to an Adobe Document Cloud sign in form like that shown below:

Fake Adobe Document Cloud sign in form.

Notice that the sign in button says “Sign in with Office 365”.

Recognising These Attacks

These attacks are similar to many phishing attacks. The key factor to the success of these recent attacks is that they come from a known contact, rather than from a strange email address. The following list details some common factors to watch out for:

  • Strange or unexpected emails.
    • E.g. the email refers to an unknown project, proposal, or invoice.
  • Impersonal emails.
    • E.g. the email comes from a known contact but they did not greet you by name.
  • The recipient may be the sender (or undisclosed).
    • The email may use BCC to reach multiple recipients without revealing them.
  • The email contains a link where you are asked to sign in using Office 365.

Responding to an Attack

Firstly if you receive one of these emails, or a similar email that seems strange, don’t click the link and definitely don’t sign in! We recommend you verify that the email is legitimate, ideally by contacting the sender on a known phone number. Remember that if criminals were able to send a strange email, they could have altered the phone number shown in the sender’s email signature.

Responding to a Breach

If you clicked one of these links and typed your password, or if a contact reported that they received a strange email from you, then you need to investigate and take steps to protect your business.

Firstly, you should change your password to stop the criminals accessing your account. You should also change your password anywhere else where you use the same password. We recommend using a password manager to help avoid password reuse.

Next, you need to investigate the extent of the breach and ensure the impact is remediated. For example: In many cases the criminals have attempted to maintain access to their victim’s email by configuring auto-forwarding rules that may allow them to continue receiving your emails and sending emails from your email account.

Finally, report the incident to¬†ActionFraud. Also consider whether you need to report a data breach to the Information Commissioner’s Office and to the affected individuals.

Securing Office 365

We recommend reviewing and tightening the security of your Office 365 configuration to significantly reduce the chance of a compromise. The following are some ways you can improve your Office 365 security:

  • Enable multi-factor authentication (MFA).
    • With MFA enabled, a stolen password alone won’t result in a breach.
  • Enable auditing.
    • Audit logs help during the investigation of breaches, however they are not enabled by default.
  • Separate your administrators and users.
    • A compromised administrator account is much more serious than a compromised user account.
    • Do not use an administrator account to access emails or services such as OneDrive.

If in doubt, contact us. We can help you to secure your Office 365 environment or, in the unfortunate event of a data breach, we can help you to investigate the full impact of that breach and protect your business going forwards.