A recent spate of phishing attacks has seen criminals stealing passwords for business Office 365 accounts and then using the compromised mailboxes to target the victim's contacts. We have seen an increasing number of SMEs caught out by this over the last two months. Read on to find out how to recognise and respond to these attacks.
The attacks begin with an email that you receive from a known contact. The email looks like other emails that you may have had from that contact, therefore it looks legitimate. The email encourages you to click on a link, just like many phishing attacks do. The linked web page asks you to sign in using Office 365. If you sign in, the criminals obtain your password and can log on to your email account. They then continue the attack by emailing your contacts from your email address, potentially damaging your reputation in the process.
The following screenshot is one example of these phishing emails that we have seen:
The victim is encouraged to click on a link to view a document that could not be attached to the email. If the victim clicked on the link, they were taken to a Microsoft sign in form like that shown below:
Strange links are a big giveaway for phishing attacks, however in this case the URL didn't seem strange at all: https://1drv.ms/. That domain is Microsoft's own OneDrive link shortener, so the link genuinely pointed at a Microsoft service and gave the victim nothing obvious to spot.
The screenshot below shows another example of these phishing emails:
In this case the email mimics Adobe Document Cloud. Clicking the link took the victim to an Adobe Document Cloud sign in form like that shown below:
Notice that the sign in button says "Sign in with Office 365". An Adobe-branded page asking for your Office 365 credentials is itself a warning sign: a genuine Adobe service would not need your Microsoft password.
These attacks are similar to many phishing attacks. The key factor in the success of these recent attacks is that they come from a known contact, rather than from a strange email address. The following common factors, all seen in the examples above, are worth watching out for:
- The email comes from a real contact's real address, and looks like their usual emails.
- It asks you to click a link to view a document that supposedly could not be attached.
- The link leads to a page asking you to sign in with Office 365, sometimes on a Microsoft-looking form, sometimes on a page mimicking another service such as Adobe Document Cloud.
- The link itself may look legitimate, for example a shortened Microsoft 1drv.ms link.
Firstly, if you receive one of these emails, or a similar email that seems strange, don't click the link and definitely don't sign in! We recommend you verify that the email is legitimate, ideally by contacting the sender on a phone number you already hold for them. Remember that if criminals were able to send email from the sender's account, they could equally have altered the phone number shown in the sender's email signature, so don't use a number taken from the suspicious email.
If you clicked one of these links and typed your password, or if a contact reported that they received a strange email from you, then you need to investigate and take steps to protect your business.
Firstly, you should change your password to stop the criminals accessing your account. You should also change your password anywhere else where you use the same password. We recommend using a password manager to help avoid password reuse.
Next, you need to investigate the extent of the breach and ensure the impact is remediated. In many cases the criminals have attempted to maintain access to the victim's email by configuring auto-forwarding rules, which may allow them to continue receiving your emails and sending emails from your email address even after the password has been changed. Check for and remove any forwarding rules or mailbox forwarding you did not set up, and review the sign-in history for the account to see where and when the criminals logged in.
We recommend reviewing and tightening the security of your Office 365 configuration to significantly reduce the chance of a compromise. The following are some ways you can improve your Office 365 security:
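The response steps above, worked through as an Exchange Online PowerShell script. This is an added example, not a script from the original article or from Microsoft: it assumes the ExchangeOnlineManagement module is installed, that the account running it holds Exchange administrator rights, that unified audit logging is enabled for the tenant, and that the mailbox address alice@example.com is a placeholder for the compromised account. It lists mailbox forwarding and suspicious inbox rules, pulls the recent sign-in and rule-change audit events for the user, removes the forwarding only when run with -Remediate, and finally blocks automatic forwarding to external domains so the same persistence trick cannot be reused.

```powershell
# Added example: triage and remediate a compromised Office 365 mailbox.
# Assumes ExchangeOnlineManagement is installed and you are an Exchange admin.
# $Victim is a placeholder address; review the output before using -Remediate.
param(
    [string] $Victim = "alice@example.com",   # hypothetical compromised mailbox
    [int]    $LookbackDays = 30,
    [switch] $Remediate
)

Connect-ExchangeOnline

# 1. Mailbox-level forwarding, which an attacker can set outside any inbox rule.
$mbx = Get-Mailbox -Identity $Victim
if ($mbx.ForwardingSmtpAddress -or $mbx.ForwardingAddress) {
    Write-Warning "Mailbox forwarding is set: $($mbx.ForwardingSmtpAddress) $($mbx.ForwardingAddress)"
}

# 2. Inbox rules that forward, redirect, delete or hide mail. Moving mail into the
#    RSS folder is a common attacker trick to hide replies, so it is flagged as a heuristic.
$suspect = Get-InboxRule -Mailbox $Victim | Where-Object {
    $_.ForwardTo -or $_.ForwardAsAttachmentTo -or $_.RedirectTo -or
    $_.DeleteMessage -or ($_.MoveToFolder -match 'RSS')
}
foreach ($rule in $suspect) {
    Write-Warning ("Suspicious rule '{0}': forward={1} redirect={2} delete={3} move={4}" -f
        $rule.Name, ($rule.ForwardTo -join ','), ($rule.RedirectTo -join ','),
        $rule.DeleteMessage, $rule.MoveToFolder)
}

# 3. Audit trail: who signed in from where, and when rules or forwarding were changed.
$start = (Get-Date).AddDays(-$LookbackDays)
$events = Search-UnifiedAuditLog -StartDate $start -EndDate (Get-Date) `
    -UserIds $Victim -ResultSize 5000 `
    -Operations UserLoggedIn, New-InboxRule, Set-InboxRule, Set-Mailbox
$events | ForEach-Object {
    $d = $_.AuditData | ConvertFrom-Json
    [pscustomobject]@{
        When      = $_.CreationDate
        Operation = $_.Operations
        ClientIP  = $d.ClientIP
        Result    = $d.ResultStatus
    }
} | Sort-Object When | Format-Table -AutoSize

# 4. Remediation, only when explicitly requested.
if ($Remediate) {
    # Remove the attacker's rules and clear mailbox forwarding.
    foreach ($rule in $suspect) {
        Remove-InboxRule -Mailbox $Victim -Identity $rule.Identity -Confirm:$false
    }
    Set-Mailbox -Identity $Victim -ForwardingSmtpAddress $null -ForwardingAddress $null `
        -DeliverToMailboxAndForward $false

    # Tighten the tenant: block automatic forwarding to external domains, both at the
    # remote-domain level and in the outbound spam policy, so new rules cannot leak mail.
    Set-RemoteDomain -Identity Default -AutoForwardEnabled $false
    Set-HostedOutboundSpamFilterPolicy -Identity Default -AutoForwardingMode Off
}

Disconnect-ExchangeOnline -Confirm:$false
```

Run it once without -Remediate and read the rule list and the sign-in IPs before removing anything; a forwarding rule the user set up deliberately looks identical to an attacker's. Changing the password and removing the rules does not by itself sign the criminals out of sessions they already hold, so also revoke the user's active sessions in the Microsoft 365 admin portal after the password reset.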
If in doubt, contact us. We can help you to secure your Office 365 environment or, in the unfortunate event of a data breach, we can help you to investigate the full impact of that breach and protect your business going forwards.