SharePoint Phishing Attack on Office 365 Users

What is Phishing?

Phishing is the fraudulent attempt to obtain sensitive information such as usernames, passwords and credit card details (and money), often for malicious reasons, by posing as a trustworthy entity in an electronic communication.

The cyber attack dubbed “PhishPoint” demonstrates the craftiness of cyber criminals and the lengths they will go to in order to harvest Office 365 credentials. Context can be a major influence in the success of any social engineering attack. For that reason, this latest attack uses several familiar aspects of Office 365 to lure victims into thinking everything is normal.

How it works:

  1. The user receives the malicious email, usually containing “URGENT” or “ACTION REQUIRED” to instill a sense of immediacy to respond. The email contains a link to a SharePoint Online-based document.
  2. The link directs to a fake SharePoint. Attackers are using true-to-form SharePoint Online-based URLs, which adds credibility and legitimacy to the email and link.
  3. Users are shown a OneDrive prompt. The SharePoint file impersonates a request to access a OneDrive file, with an “Access Document” hyperlink that is actually a malicious URL.
  4. This is where the phishing scam takes place! An Office 365 logon screen is presented to users. It is a very authentic-looking logon page, and it is where the cybercriminals harvest the user’s credentials.

What makes this phishing attack so evil is that even Microsoft didn’t see this one coming. While they scan emails for suspicious links and attachments, a link to their own SharePoint Online wouldn’t be considered malicious. And, since Microsoft isn’t scanning files hosted on SharePoint, they left attackers with an easy means to utilize the very platform whose users they are trying to con out of their credentials.

Users who have been through new-school security awareness training have a better chance of spotting the telltale signs of online scams. In this specific phishing scam, several factors stood out:

  • The email was unsolicited and had a generic subject of “has sent you a OneDrive for Business file”
  • Opening the document required several user-initiated steps
  • The URL for the logon page wasn’t on the domain
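
The last sign in the list above can be checked mechanically. The following Python sketch is an added example, not part of the original article: it tests whether a URL that is displaying an Office 365 logon form sits on an expected sign-in host. The host list and every sample URL are assumptions constructed for illustration.

```python
from urllib.parse import urlsplit

# Assumption: the sign-in host(s) your organisation expects for Office 365.
# The article does not name them; extend this set for your own tenant.
EXPECTED_SIGNIN_HOSTS = {"login.microsoftonline.com"}


def check_logon_url(url):
    """Return (ok, reason) for a URL that is displaying a logon form."""
    try:
        parts = urlsplit(url.strip())
        host = (parts.hostname or "").rstrip(".")  # hostname is lower-cased
    except ValueError:
        return False, "unparseable URL"
    if parts.scheme != "https":
        return False, "not https"
    if parts.username is not None or parts.password is not None:
        return False, "userinfo present: the real host is the part after '@'"
    if not host:
        return False, "no host"
    if any(label.startswith("xn--") for label in host.split(".")):
        return False, "punycode label in host"
    if host in EXPECTED_SIGNIN_HOSTS:
        return True, "expected sign-in host"
    if any(good in host for good in EXPECTED_SIGNIN_HOSTS):
        return False, "expected name embedded in a different domain"
    return False, "host not on the expected sign-in list"


# Constructed sample URLs (not taken from any real campaign).
SAMPLES = [
    "https://login.microsoftonline.com/common/oauth2/authorize",
    "https://files.example.org/sites/docs/logon.aspx",
    "https://login.microsoftonline.com.signin.example.net/",
    "https://login.microsoftonline.com@portal.example.net/login",
    "http://login.microsoftonline.com/",
]

if __name__ == "__main__":
    for sample in SAMPLES:
        ok, reason = check_logon_url(sample)
        print(f"{'OK  ' if ok else 'FLAG'} {sample} -> {reason}")
```

The comparison is an exact match on the parsed host, so a familiar name appearing somewhere in the URL is never enough to pass.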

In conclusion, phishing scams like this represent the risk associated with cloud-based applications. Using context and services users are familiar with, scammers can take advantage of the lowered level of alertness and gain access to corporate resources online – all without the organisation ever knowing.

Protecting your business

Your business connects with the outside world a thousand times a day. Phishing scams like this happen to millions of people globally every day. Therefore, protection matters. For more information on how to secure your business, please email, call us on 1300 770 035 or by visiting
