Consent phishing attackers targeting Office 365 users

A clever phishing campaign spotted by Microsoft security researchers

Microsoft revealed that scammers are getting more innovative - a new phishing campaign is under way

Microsoft's Security Intelligence team has issued an alert warning Office 365 users and admins to be careful of a new wave of phishing emails. The emails carry the original sender email addresses, their targets' usernames and display names that mimic legitimate services.

What makes this attack sneakier than usual is that victims believe they have received an email from their boss or a co-worker with a "file share" request to access workplace documents such as "Staff Reports" or "Price books." Combined with Microsoft logos, this makes the message almost indistinguishable from the real thing.

The email contains two URLs, and both require a sign-in before the final page is reached. That sign-in step is what lets the campaign slip past automated sandboxes, which detonate links without credentials and therefore never see the last stage. One of the URLs is a Google storage resource that redirects the victim to an AppSpot domain and prompts them to sign in to their account[1]. After this, the user is sent to a Google User Content domain hosting a bogus Office 365 page. The second URL leads the user to a SharePoint site, where the "file share" lure continues.

This phishing attack is not designed to steal the user's login credentials. The "accept" button on the "file-share" request is an OAuth consent prompt: clicking it grants an attacker-registered application delegated permissions to the victim's account, and the attacker then obtains access tokens for the victim's email, files, contacts, notes and profile. Because the victim signs in to the genuine Microsoft login page and authorizes the app themselves, a strong password and multi-factor authentication do not stop this, and the access persists until the consent grant is revoked.
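To see what a victim actually hands over, it helps to look at the consent link itself. The following is an added example, not code from the original article or from Microsoft: it parses an OAuth 2.0 authorize URL of the kind a "file share" lure leads to and translates the requested scopes into what they give the application. The authorize endpoint is Microsoft's real identity platform endpoint and the scope names are real Microsoft Graph delegated permissions; the client_id, redirect_uri and host name in CONSENT_LINK are constructed for this example.

```python
"""Inspect the OAuth consent link behind a "file share" lure.

Added example, not code from the original article or from Microsoft. The
authorize endpoint is the real Microsoft identity platform endpoint; the
client_id, redirect_uri and lure host are constructed for this example.
"""
from urllib.parse import urlparse, parse_qs

# Constructed: what a consent-phishing link typically looks like. Note the
# host is Microsoft's own login service; the attacker controls only the
# application (client_id) and where the authorization code is sent.
CONSENT_LINK = (
    "https://login.microsoftonline.com/common/oauth2/v2.0/authorize"
    "?client_id=11111111-2222-3333-4444-555555555555"
    "&response_type=code"
    "&redirect_uri=https%3A%2F%2Fstaff-reports-share.invalid%2Fcallback"
    "&response_mode=query"
    "&prompt=consent"
    "&scope=openid%20profile%20offline_access%20User.Read%20Mail.Read"
    "%20Files.Read.All%20Contacts.Read%20Notes.Read.All"
)

# Real Microsoft Graph delegated permission names and what granting them
# hands to the application on the user's behalf.
SCOPE_IMPACT = {
    "offline_access": "issues a refresh token, so access outlives the session",
    "User.Read": "read the signed-in user's profile",
    "Mail.Read": "read every message in the user's mailbox",
    "Mail.ReadWrite": "read, move and delete the user's mail",
    "Mail.Send": "send mail as the user",
    "Files.Read.All": "read all OneDrive and SharePoint files the user can reach",
    "Files.ReadWrite.All": "read and modify all files the user can reach",
    "Contacts.Read": "read the user's contacts",
    "Notes.Read.All": "read all OneNote notebooks the user can reach",
}
# Scopes that only identify the user; everything else in SCOPE_IMPACT is data access.
IDENTITY_ONLY = {"openid", "profile", "email", "User.Read"}


def parse_consent_request(url: str) -> dict:
    """Pull out the fields a reviewer needs from an authorize URL."""
    parsed = urlparse(url)
    query = parse_qs(parsed.query)

    def first(name: str) -> str:
        return query.get(name, [""])[0]

    return {
        "endpoint": f"{parsed.scheme}://{parsed.netloc}{parsed.path}",
        "client_id": first("client_id"),
        "redirect_uri": first("redirect_uri"),
        "prompt": first("prompt"),
        "scopes": first("scope").split(),
    }


def assess_consent_request(url: str) -> dict:
    """Rate what clicking "Accept" on this link would give the application."""
    req = parse_consent_request(url)
    data_scopes = [s for s in req["scopes"]
                   if s not in IDENTITY_ONLY and s != "offline_access"]
    req["impact"] = {s: SCOPE_IMPACT.get(s, "not in table: look it up before deciding")
                     for s in req["scopes"] if s not in ("openid", "profile", "email")}
    req["data_scopes"] = data_scopes
    req["persistent"] = "offline_access" in req["scopes"]
    # Mailbox/file scopes plus a refresh token is the consent-phishing pattern.
    if data_scopes and req["persistent"]:
        req["verdict"] = "high"
    elif data_scopes:
        req["verdict"] = "medium"
    else:
        req["verdict"] = "low"
    return req


if __name__ == "__main__":
    result = assess_consent_request(CONSENT_LINK)
    print(f"app {result['client_id']} wants the code sent to {result['redirect_uri']}")
    for scope, effect in result["impact"].items():
        print(f"  {scope:20} {effect}")
    print("verdict:", result["verdict"])
```

The point the output makes is that nothing in the URL's host is suspicious: the lure sends the victim to login.microsoftonline.com, and the only attacker-controlled parts are the client_id and the redirect_uri that receives the authorization code. The scope list, not the domain, is what reveals the intent.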

Phishing attack prevention by Microsoft

The increased use of cloud applications has shown how important application security has become. Microsoft Defender for Office 365 includes a phishing protection feature called "Safe Links", which checks URLs at click time against filtering technologies and IP and URL reputation systems and blocks those it judges unsafe.

This filtering is updated continuously so that protection keeps pace with new campaigns. "Safe Links" also records rich data about the links it sees, which organizations can use in their own threat hunting investigations[2]. If you receive a phishing email, you can also report it to Microsoft.

Educate your organization on consent phishing tactics

There are steps you can take to protect yourself and your workforce from consent phishing attacks.

An email with incorrect spelling and grammar is likely to be dangerous, and you should always inspect the domain in a URL before following it. Scammers often use spoofed app names that look like legitimate ones and then redirect users to a malicious app that asks for consent. Keep in mind that the consent prompt itself is served by Microsoft's genuine login page, so the app name and publisher shown on that prompt deserve the same scrutiny as the link. If a message appears to come from someone you know, confirm it with that person through another channel[3].

You can also promote, and restrict access to, the apps you trust, such as applications developed by your organization. Promoting applications that have been "publisher verified" helps end users and admins judge whether an application is authentic, and Azure AD's user consent settings can be configured so that users may only consent to apps from verified publishers.

Understanding what data and permissions an application requests lets administrators decide how to handle consent requests, for example by requiring admin approval for apps that ask for mailbox or file access, and lets them review the grants that already exist in the tenant.
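The review of existing grants is where a malicious "file share" app is usually found after the fact. The following is an added example, not code from the original article or from Microsoft: it triages a set of consent grants by who consented (a single user or all users), whether the app's publisher is verified, whether the app belongs to the organization's own tenant and which data scopes it holds, and it says what to do about each. The records are constructed to mirror the shape of the Microsoft Graph servicePrincipals and oauth2PermissionGrants objects; every id, name and tenant value is made up, and OUR_TENANT_ID stands in for the auditing organization's tenant.

```python
"""Audit the OAuth consent grants already present in a tenant.

Added example, not code from the original article or from Microsoft. The
records below are constructed to mirror the shape of Microsoft Graph
servicePrincipals and oauth2PermissionGrants objects; every id, name and
tenant value is made up.
"""

OUR_TENANT_ID = "a1b2c3d4-0000-0000-0000-000000000001"  # constructed

# Delegated scope families that expose the data consent phishing is after.
SENSITIVE_PREFIXES = ("Mail.", "Files.", "Contacts.", "Notes.", "Calendars.",
                      "MailboxSettings.", "Sites.", "Directory.")
PERSISTENCE_SCOPE = "offline_access"

SERVICE_PRINCIPALS = [  # constructed sample, shaped like GET /servicePrincipals
    {"id": "sp-0001", "appId": "11111111-2222-3333-4444-555555555555",
     "displayName": "Staff Reports File Share",
     "appOwnerOrganizationId": "dead0000-0000-0000-0000-00000000beef",
     "verifiedPublisher": {"displayName": None, "verifiedPublisherId": None}},
    {"id": "sp-0002", "appId": "22222222-2222-2222-2222-222222222222",
     "displayName": "Contoso HR Portal",
     "appOwnerOrganizationId": OUR_TENANT_ID,
     "verifiedPublisher": {"displayName": None, "verifiedPublisherId": None}},
    {"id": "sp-0003", "appId": "33333333-3333-3333-3333-333333333333",
     "displayName": "Expense Tracker",
     "appOwnerOrganizationId": "cafe0000-0000-0000-0000-000000000002",
     "verifiedPublisher": {"displayName": "Expense Tracker Ltd",
                           "verifiedPublisherId": "7654321"}},
]

GRANTS = [  # constructed sample, shaped like GET /oauth2PermissionGrants
    {"id": "grant-a", "clientId": "sp-0001", "consentType": "Principal",
     "principalId": "user-0042", "resourceId": "sp-graph",
     "scope": "openid profile offline_access User.Read Mail.Read "
              "Files.Read.All Contacts.Read Notes.Read.All"},
    {"id": "grant-b", "clientId": "sp-0002", "consentType": "AllPrincipals",
     "principalId": None, "resourceId": "sp-graph",
     "scope": "User.Read Files.Read.All"},
    {"id": "grant-c", "clientId": "sp-0003", "consentType": "Principal",
     "principalId": "user-0007", "resourceId": "sp-graph",
     "scope": "openid User.Read"},
]

SEVERITY_ORDER = {"high": 0, "medium": 1, "low": 2}


def sensitive_scopes(scope_string: str) -> list:
    """Return the scopes in a space-separated scope string that expose user data."""
    return [s for s in scope_string.split() if s.startswith(SENSITIVE_PREFIXES)]


def audit_grants(service_principals: list, grants: list,
                 our_tenant: str = OUR_TENANT_ID) -> list:
    """Score each grant and recommend an action, worst first."""
    by_id = {sp["id"]: sp for sp in service_principals}
    findings = []
    for g in grants:
        sp = by_id.get(g["clientId"])
        if sp is None:
            continue  # grant to a client we cannot see: investigate separately
        scopes = g["scope"].split()
        sensitive = sensitive_scopes(g["scope"])
        verified = bool(sp["verifiedPublisher"].get("verifiedPublisherId"))
        in_tenant = sp["appOwnerOrganizationId"] == our_tenant
        tenant_wide = g["consentType"] == "AllPrincipals"
        consented_by = "all users (admin consent)" if tenant_wide else g["principalId"]

        # An unverified app from a foreign tenant holding mailbox or file
        # scopes is the consent-phishing pattern; a known publisher or an
        # app the organization owns only needs a review.
        if sensitive and not verified and not in_tenant:
            severity = "high"
            action = (f"revoke grant {g['id']}, delete service principal {sp['id']}, "
                      f"review sign-in and mailbox activity for {consented_by}")
        elif sensitive:
            severity, action = "medium", "confirm the app owner still needs these scopes"
        else:
            severity, action = "low", "none"

        findings.append({
            "grant": g["id"], "app": sp["displayName"], "appId": sp["appId"],
            "consented_by": consented_by, "publisher_verified": verified,
            "owned_by_us": in_tenant, "sensitive_scopes": sensitive,
            "persistent": PERSISTENCE_SCOPE in scopes,
            "severity": severity, "action": action,
        })
    findings.sort(key=lambda f: SEVERITY_ORDER[f["severity"]])
    return findings


if __name__ == "__main__":
    for f in audit_grants(SERVICE_PRINCIPALS, GRANTS):
        print(f"[{f['severity']:6}] {f['app']} (consented by {f['consented_by']}): "
              f"{' '.join(f['sensitive_scopes']) or 'no data scopes'} -> {f['action']}")
```

Against live data the same logic runs over the output of the Graph calls GET /servicePrincipals and GET /oauth2PermissionGrants. The "persistent" flag is worth acting on first: a grant that includes offline_access keeps working after the user changes their password, which is why the remediation is revoking the grant rather than resetting credentials.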

If you have been successfully phished, change your passwords, use a different one for every account and enable two-step verification. For consent phishing specifically, that is not enough on its own: the attacker's application holds its own tokens, so an administrator also has to revoke the app's consent grant and remove it from the tenant. If the incident affected your workplace, warn IT support of a possible attack[4].

About the author
Ugnius Kiguolis

Ugnius Kiguolis is a professional malware analyst who is also the founder and the owner of 2-Spyware. At the moment, he takes over as Editor-in-chief.
