Hackers have become so skilled that they don’t need you to give up your credentials to hack into your account. One recent cyberthreat targets users of Microsoft Office 365. You don’t want to be the next victim, so read up.
A phishing scam that harvests users’ Microsoft Office 365 credentials
The latest cyberattack on Microsoft Office 365 involves harvesting users’ credentials. Scammers use this previously unseen tactic by launching phishing messages, asking to click on an embedded link. What makes this scam more insidious than traditional phishing scams is that the URL within the message links to a real Microsoft login page.
How does it work?
The phishing message resembles a legitimate SharePoint and OneDrive file-share that prompts users to click on it. Once they do, the Office 365 login page loads and asks them to log in if they haven’t already.
After they’ve logged in, they grant permission to an app called “0365 Access.” Users who grant permission effectively give the app and the hackers behind it complete access to their Office 365 account.
This technique can easily trick lots of users since the app that requests access is within the Office 365 Add-ins feature. That means that Microsoft essentially generates the request for permission. No, Microsoft is not aiding hackers to breach systems. Rather, the scam is possible by a feature that allows users to install apps that aren't from the official Office Store.
Ways to protect your Microsoft Office 365account — and your business
Given their fairly advanced approach, these scammers could effortlessly prey on careless employees. There are ways to make sure that doesn’t happen.
- Always check the email’s sender account before clicking on any link or granting apps access.
- Implement a policy that prevents staff from downloading and installing apps that are not from the Office Store.
- Regularly conduct security awareness training that covers essential cybersecurity topics. Educate employees on how to spot phishing scam red flags. For example, unknown senders, grammatical and typographical errors, suspicious requests, and the like. Increase their knowledge about more sophisticated attacks and keep everyone informed about current and future cybersecurity risks.
Successful attacks could result in an unimaginable catastrophe to your company. For tips on how to spot scams and how to plan thorough security practices, contact our experts today.