Office 365 Phishing Attack Advisory

Over the last week, Integrity360 has been investigating a number of Office 365-based phishing attacks affecting our enterprise client base, and we would like to advise all of our clients to be vigilant about this specific threat.

The Threat

We understand that a number of senior executives across UK and Irish businesses have received phishing emails sent from a known contact of theirs. It is our belief that the contact did not knowingly send the phishing email, but was in fact also a victim of the same phishing attack and is hence unaware that their mailbox has been compromised. The phishing email is disguised as a Microsoft Office 365 notification, prompting the user to click on a link to open a file (e.g. “Open File.pdf”). The email attempts to entice the user to click the link with tag lines such as “Office 365 shared an important file with you via SharePoint” or “<name> has shared a file with you”. Upon clicking this link, the user is directed to a fake Office 365 account sign-in page. Any credentials submitted to the fake site are transmitted to the attacker, before the user is redirected to the real Office 365 sign-in page.

Having received login credentials, the attacker then launches an almost identical phishing email from that mailbox to spread the campaign further. The victim may not be aware of the attack unless they receive a number of failed email delivery notifications. Although in the instances Integrity360 has investigated there has been no evidence of further damage, there is the very real potential that any compromised credentials could be used to access further systems, or to extract sensitive data directly from the compromised Office 365 account.

It is important to note that in many cases, the phishing attempts have been targeted at the CEO of the business.
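The following Python script is an added illustration of how a mail team might triage for the two indicators described above; it is not Integrity360's own tooling and does not describe their investigation. It flags messages that combine the quoted lure wording with a "share" link pointing somewhere other than a Microsoft host, and it spots a mailbox that has suddenly sent a burst of near-identical share notifications (the relay behaviour of a compromised account). The trusted host list, the ten-minute window, the threshold of 20 messages and all sample messages and log entries are constructed assumptions to be adjusted for your own tenant.

```python
import re
from datetime import datetime, timedelta
from urllib.parse import urlparse

# Lure wording quoted in the advisory.
LURE_PATTERNS = [
    re.compile(r"shared an important file with you via sharepoint", re.I),
    re.compile(r"has shared a file with you", re.I),
]

# Hosts a genuine Office 365 share or sign-in link would point at.
# Assumption: extend this with your own tenant's vanity domains.
TRUSTED_HOST_SUFFIXES = (
    "sharepoint.com",
    "office.com",
    "microsoft.com",
    "microsoftonline.com",
    "live.com",
)

URL_RE = re.compile(r"https?://[^\s<>\"')]+", re.I)


def host_is_trusted(url):
    """True when the link's hostname is, or sits under, a trusted suffix."""
    host = (urlparse(url).hostname or "").lower()
    return any(host == s or host.endswith("." + s) for s in TRUSTED_HOST_SUFFIXES)


def triage_message(msg):
    """Return (verdict, reasons) for a dict with 'subject' and 'body'.

    'suspicious' means the message uses the share-notification lure AND
    its link leads somewhere other than a Microsoft host. Lure wording on
    its own is not enough: genuine SharePoint shares use the same words.
    """
    reasons = []
    text = msg["subject"] + "\n" + msg["body"]
    if not any(p.search(text) for p in LURE_PATTERNS):
        return "ok", reasons
    reasons.append("uses Office 365 file-share lure wording")
    bad = [u for u in URL_RE.findall(text) if not host_is_trusted(u)]
    if not bad:
        return "ok", reasons
    reasons.append("share link points to non-Microsoft host: " + urlparse(bad[0]).hostname)
    return "suspicious", reasons


def burst_senders(log, window=timedelta(minutes=10), threshold=20):
    """Find mailboxes that sent >= threshold lure-style messages inside one window.

    `log` is a list of (timestamp, sender, subject) tuples. Returns a dict of
    sender -> highest number of lure sends seen in any single window.
    """
    by_sender = {}
    for ts, sender, subject in log:
        if any(p.search(subject) for p in LURE_PATTERNS):
            by_sender.setdefault(sender, []).append(ts)
    flagged = {}
    for sender, times in by_sender.items():
        times.sort()
        best, start = 0, 0
        for end, t in enumerate(times):          # sliding window over sorted sends
            while t - times[start] > window:
                start += 1
            best = max(best, end - start + 1)
        if best >= threshold:
            flagged[sender] = best
    return flagged


# Constructed sample messages (not real captures).
SAMPLE_MESSAGES = [
    {"subject": "Office 365 shared an important file with you via SharePoint",
     "body": "Open File.pdf: http://sharepoint-docs-secure.example/login"},
    {"subject": "Jane Doe has shared a file with you",
     "body": "Open: https://contoso-my.sharepoint.com/personal/jane/Documents/Q3.xlsx"},
    {"subject": "Lunch on Thursday?",
     "body": "Menu at https://sharepoint-docs-secure.example/menu"},
]

# Constructed outbound mail log: one mailbox relays the lure 25 times in six
# minutes, another sends a genuine share once an hour.
T0 = datetime(2018, 1, 1, 9, 0)
SAMPLE_LOG = (
    [(T0 + timedelta(seconds=15 * i), "ceo@victim.example",
      "Office 365 shared an important file with you via SharePoint") for i in range(25)]
    + [(T0 + timedelta(hours=i), "jane@victim.example",
        "Jane Doe has shared a file with you") for i in range(5)]
)

if __name__ == "__main__":
    for m in SAMPLE_MESSAGES:
        print(triage_message(m)[0], "-", m["subject"])
    print("burst senders:", burst_senders(SAMPLE_LOG))
```

Running the script marks only the first sample message as suspicious (the second is a real SharePoint share, the third carries no lure wording) and reports the relaying mailbox with its 25-message burst, which is the point at which the account's password should be reset as the advisory recommends.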

If you think you have been compromised

It is important to immediately reset the passwords on any accounts that you suspect have fallen victim to a phishing attack.

Our Recommendations

• Advise users to be extra cautious when asked to click links or open attachments from an untrusted source. If in doubt, have the IT team check the authenticity of the email. It should be noted that emails can be spoofed and appear as if they are from a legitimate source. If in doubt, call the sender to confirm they sent the email.

• Advise your CEO/senior executives to be extremely vigilant of suspicious emails that may look like they came from senior executive accounts, both internally and externally.

• Reset the passwords on any accounts that have fallen victim to a phishing attack.

• Implement two-factor authentication for all users.

• Set up a user awareness testing and training programme. User awareness testing involves simulating phishing attacks and monitoring the actions taken by users. This can highlight weaknesses in email security as well as how susceptible users are to attack. Running this in conjunction with a user awareness training programme allows performance metrics to be gathered over time to understand if awareness is improving.

• Ensure an incident response procedure is in place for dealing with threats such as phishing attacks and malware.

Phishing attacks are a common technique used by cyber criminals to achieve initial compromise of an organisation; it is therefore paramount that a user awareness testing and training programme is set up to help users identify phishing attacks and report anything suspicious. Furthermore, with passwords seen as a high-value target, it is important to implement two-factor authentication, especially with cloud services such as Office 365. With two-factor authentication, the user must present both a password and a token (such as a text message or a code from a smartphone app) to log into their email service.

If you would like more information or advice on this threat please email