New Office 365 phishing attack uses malicious links in SharePoint documents

Fake emails targeting Office 365 users via malicious links inserted into SharePoint documents are the latest trick phishers employ to bypass the platform’s built-in security, Avanan researchers warn.

The cloud security company says that the phishing attack was leveraged against some 10% of its Office 365 customers in the past two weeks and they believe the same percentage applies to Office 365 globally.

About the PhishPoint attack

“The victim receives an email containing a link to a SharePoint document. The body of the message is identical to a standard SharePoint invitation to collaborate,” the researchers explained.

“After clicking the hyperlink in the email, the victim’s browser automatically opens a SharePoint file. The SharePoint file content impersonates a standard access request to a OneDrive file, with an ‘Access Document’ hyperlink that is actually a malicious URL.”

Office 365 phishing SharePoint

As you may guess, the malicious link leads to a spoofed Office 365 login screen, ready to harvest login credentials.


The company touts its security solution as a good way to catch these types of attacks, since Microsoft doesn’t scan attached files hosted on their other services such as SharePoint and, in any case, wouldn’t be able to blacklist these URLs without blacklisting links to all SharePoint files.

But companies can also implement multi-factor authentication to secure their employees’ Office 365 (and other) accounts and invest in anti-phishing training programs.

“Like many of the more nuanced instances of phishing we analyze, these attacks were designed to be visually indistinguishable from obviously work-related emails that appear safe,” the researchers pointed out, and advised users to be skeptical of emails with URGENT or ACTION REQUIRED in the subject line, be suspicious of URLs in the body of the email and, when presented with a login page, to check whether its URL is actually hosted by the legitimate service.

But, as they noted, if this attack involved links that would trigger a malware download rather than direct to a phishing page, the attack would have caused damage by the time the user clicked and investigated the URL.

Don't miss