The phishermen are getting smarter, using better lures to catch ever smarter phish (in this case, you, as an Office 365, OneDrive, SharePoint, or Dropbox user).
Armed with better grammar, with your company name and email address embedded in the message text and images, and with links that point to authentic OneDrive or Dropbox URLs, the latest scammers are luring users into handing their usernames and passwords to the scammers.
And, considering that many users re-use the same username and password across many applications, capturing their OneDrive or Dropbox password gives the scammer access to a trove of personal or company information from which to profit.
Like today’s most profitable scam, the “whaling” email impostor scam (a/k/a Business Email Compromise), these phishermen are patient, smart, and don’t make grammatical mistakes in their lure emails.
Here is how it works.
1. You receive an email that appears to come from yourself or a familiar person, with a file to download; the file name includes your company name and appears related to your business function. A real example is at this link.
2. The message uses authentic Microsoft OneDrive, SharePoint, Dropbox or other logos and links.
3. The link to download the file directs to an authentic Microsoft or Dropbox website; for example, attackers are using true-to-form Microsoft SharePoint Online URLs, which adds credibility and legitimacy to the email and link, since the user is being directed to a known-good hosting site. What makes this attack so evil is that even Microsoft didn’t see this one coming. While they scan emails for suspicious links and attachments, a link to their own SharePoint Online wouldn’t be considered malicious. And, since Microsoft isn’t scanning files hosted on SharePoint, they gave attackers an easy way to use the very platform they are exploiting to con users out of their credentials.
4. When users click, they are shown what looks like a OneDrive prompt: the SharePoint-hosted file impersonates a request to access a OneDrive file (again, a known cloud entity), with an “Access Document” hyperlink that actually leads to a malicious URL.
5. Users are then presented with an Office 365 logon screen. This is where the theft takes place: using a very authentic-looking logon page, the cybercriminals harvest the user’s credentials (username and password).
6. The cybercriminals are alerted that they have a bite, capture the user’s username and password, and then begin accessing the user’s email and any other accounts where the same username and password were re-used. Chaos proceeds from there.
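As an added illustration (not from the original article), here is a small Python heuristic that checks an inbound message for two of the lure traits listed above: a display name that impersonates an internal address while the real sender is external, and a genuine sharepoint.com link that points at a tenant other than your own. The mail domain, tenant name and sample message are constructed assumptions.

```python
import re
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlparse

# Assumptions (not from the article): the organisation's own mail domain and
# its SharePoint Online tenant name(s). Adjust these for your environment.
OWN_DOMAIN = "example-corp.com"
OWN_TENANTS = {"example-corp"}
SHARE_HOSTS = ("sharepoint.com", "onedrive.live.com", "1drv.ms", "dropbox.com")

# Constructed sample lure modelled on the steps above; not a real message.
SAMPLE_LURE = """\
From: "Jane Doe <jane.doe@example-corp.com>" <mailer@free-mail.example>
To: jane.doe@example-corp.com
Subject: Example-Corp Q3 invoices shared with you
Content-Type: text/plain

Jane Doe shared "Example-Corp_Q3_Invoices.xlsx" with you.
Access Document: https://othertenant-my.sharepoint.com/personal/j/Documents/invoices.html
"""

def share_host(hostname):
    """Return the matching cloud-share host suffix, or None if the host is not one."""
    return next((h for h in SHARE_HOSTS if hostname == h or hostname.endswith("." + h)), None)

def lure_indicators(raw, own_domain=OWN_DOMAIN, own_tenants=OWN_TENANTS):
    """Return the reasons a message matches the lure pattern; an empty list means none found."""
    msg = message_from_string(raw)
    reasons = []
    display, addr = parseaddr(msg.get("From", ""))
    sender_domain = addr.rsplit("@", 1)[-1].lower()
    external = sender_domain != own_domain
    # Step 1: the display name shows an internal identity, but the real sender is external.
    if own_domain in display.lower() and external:
        reasons.append(f"display name impersonates @{own_domain}; real sender is @{sender_domain}")
    body = msg.get_payload()
    for url in re.findall(r"https?://[^\s\"'<>]+", body):
        host = (urlparse(url).hostname or "").lower()
        if not share_host(host):
            continue
        # Step 3: a genuine sharepoint.com link, but not to this organisation's tenant.
        if host.endswith("sharepoint.com"):
            tenant = host.split(".")[0].removesuffix("-my")
            if tenant not in own_tenants:
                reasons.append(f"SharePoint link to foreign tenant '{tenant}': {url}")
        elif external:
            reasons.append(f"cloud share link from external sender: {url}")
    return reasons

if __name__ == "__main__":
    for reason in lure_indicators(SAMPLE_LURE):
        print("FLAG:", reason)
```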
Tech Essentials strongly recommends:
a. Forward this article to your team so they are aware. Make sure finance, accounting, HR, and senior and junior staff who work on and share files know about this scam.
b. Create a new policy that files are shared using RMail “message level” encryption (RMail defaults to a one-time-password function). You can share files up to 1GB using RMail encryption.
Importantly, with RMail message level encryption, users default to one-time passwords, which is more secure because these passwords will not provide access to any other corporate systems.
RMail is free to use in a base plan, so there are no barriers to getting started and installing RMail into your, and your staff’s, Microsoft Outlook or Gmail interface.