A New Attack
Avanan is an Israeli security company that has a track record of pointing to Office 365 security and saying that it could be improved. In some cases, like their criticism of MTA-based email scanning a la Mimecast, I think they have a point. In others, I’m not so sure.
Take the “PhishPoint” episode, reported by Avanan to affect 10% of the Office 365 customers they work with. Avanan duly scales this number up to estimate that the problem affects the same percentage globally, or 13.5 million of the 135 million active Office 365 users (the last official number – likely higher by about 15 million now). I must be missing something here, because if 13.5 million Office 365 users had been attacked through a malicious SharePoint document, I think Twitter and other social media would be in global meltdown. And they’re not.
The attack involves an embedded URL in an email that leads to a real SharePoint document (presumably in an Office 365 tenant owned by the attacker) that invites the victim to sign into Office 365 to read the content of another document that’s shared in OneDrive for Business. The result is a dummy sign-in screen that looks like the regular Azure Active Directory sign-in, which is where the attacker gathers user credentials, presumably for later use to compromise their account, perhaps in a Business Email Compromise attack.
Will Users Notice the Flaws in the Attack?
I’m sure some people will be deceived by the scheme, but I’ve got to hope that the majority will notice signals like being taken from one document to another (odd when you think about how sharing works inside Office 365), followed by a sign-in screen whose URL has no connection to Office 365 and, in Avanan’s posted example, is flagged as “dangerous.” Perhaps the Office 365 customers that Avanan deals with are less well-trained, which is why 10% of them have been affected.
Joking apart, the report does highlight that malicious code can be introduced through infected documents. Solid user training to warn people about how attackers work should be given on an ongoing basis. Threats evolve all the time, so training needs to keep pace.
Read, Understand, Decide
Avanan’s business is based on convincing people that they need extra layers of security to keep Office 365 safe. Some of the reasons they advance are good, some are FUD (I thought this example was in 2016). The articles that they write about Office 365 security are worth reading (like “8 Security considerations when moving to Office 365“), if only to cause you to pause for thought and consider whether you need to do more to secure your tenant. But don’t take everything in face value. You understand your tenant better than anyone else, so always put the information presented by a third party into that context and then make decisions.
For more information about SharePoint Online and OneDrive for Business, read Chapter 8 in Office 365 for IT Pros. For more information about Advanced Threat Protection and Exchange Online Protection, see Chapter 17.