Microsoft Office is used by over one million companies worldwide, with 731,000 of those companies based in the US alone. So it's no wonder that Microsoft accounts are such an attractive target for threat actors: they provide a valuable attack vector into businesses.
Office 365, with all its users, devices, and applications, presents a rich, dense and, most importantly, wide attack surface for threat actors to exploit. That is largely because of its cloud-based sharing platforms, which companies and institutions adopted rapidly for their ease of use and collaborative benefits, particularly during the height of the pandemic, when large numbers of office workers were working from home.
Widespread reliance on these collaborative apps has led to an increase in attacks involving malicious links. End users receive links to shared files that appear legitimate, often via phishing emails, but that actually lead to credential-harvesting pages or malware downloads. Notable instances have involved SharePoint and OneDrive, the widely used collaboration tools that employees rely on to share files and collaborate on documents.
It's a big problem, too: in the first half of 2020 alone, Proofpoint detected 5.9 million emails carrying malicious fake SharePoint and OneDrive links. Proofpoint also reported that users were four times more likely to click on malicious SharePoint links and eleven times more likely to click on malicious OneDrive links.
With this in mind, securing against malicious links in collaborative apps as well as possible is imperative if you want to keep your company's data secure, especially as the protections Microsoft provides out of the box are not as robust as they could be.
Let’s get started.
How SharePoint And OneDrive Phishing Scams Work
So how do these attacks happen?
The Phishing Route
Malicious links are often disguised within phishing emails, with the sender posing as a trusted person or company to trick the recipient into clicking the link. A range of tactics, both technical and social, is used to make the email appear legitimate: legitimate-looking display names and domains help it slip past defensive filters and go unnoticed by the untrained eye.
Phishing is often highly successful, with roughly 61% of all breaches stemming from an email. And despite repeated warnings about emails from dubious sources, SharePoint and OneDrive phishing via malicious links usually succeeds for a simple reason: end users trust these links more because they appear to come from inside the organization, or from Microsoft's own services, rather than from an external sender.
For other phishing scams, attackers often rely on a tactic called "domain impersonation", spoofing a trusted domain to make an email appear legitimate. With the right security training, and as they become more internet savvy, end users are getting better at noticing when a domain has been impersonated and recognizing the link as malicious. With document sharing in OneDrive and SharePoint this is trickier. Legitimate sharing links are long and look fairly complex, with a string of jumbled letters and numbers, so an impersonated version does not look out of place and is hard to spot. Worse, the link is frequently a genuine sharepoint.com or onedrive.live.com link: the attacker simply hosts the lure document in a tenant they control or have compromised, so checking the domain alone proves nothing.
A recent variation of the OneDrive scam involves an email from a spoofed domain, implying that it has come from a relevant sales team, carrying a notification that a file has been shared with the user and is waiting to be viewed. When the user clicks the button to "view" the file, they are redirected to a page disguised as a Microsoft login but actually built on Google Forms, where they are prompted to enter their Microsoft email credentials.
Entering credentials does not log the user in anywhere; it simply submits them to the form, where the attacker collects them later. The user is then redirected elsewhere, unable to access the supposed file, and is often left unaware that they have just handed their login credentials to threat actors.
Other scams involve requests to view documents such as Excel files labelled "staff report", "budget", or similarly innocuous and nondescript names, with the link either taking users to a similar bogus login page or presenting a disguised prompt to download malicious code.
The Account Takeover Route
If a threat actor takes control of a user's account, they can send sharing requests containing malicious links to other users in the organization with little to no friction. This increases the recipients' trust in the email, because the link now comes not only from the internal network but from a colleague they know.
After an account takeover, the attacker uploads the malicious file to the compromised account's OneDrive or a SharePoint site and changes its sharing settings so that anyone with the link can open it (an anonymous "Anyone" link). They then share the file via that link with the compromised account's contact list, or send targeted sharing requests to specific users. Recipients are unlikely to question these requests because, after all, they have apparently come from a trusted source. A link hosted in your own tenant and sent from a genuine colleague's account passes every sender and domain check, which is what makes this route so effective.
Phishing other users from a hijacked account aims either at credential harvesting (the stolen credentials are often then sold on to other threat actors on the dark web, who use them for their own attacks) or at working up the hierarchy: the attacker targets more senior or more privileged individuals, takes over their accounts, and thereby gains greater control over the organization.
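The two routes above share a practical lesson: a "SharePoint link" has to be checked for more than a familiar-looking domain. The following is an added example written for this article, not code from the original page or from any vendor named here. It triages a sharing link the way a gateway or CASB rule might: it rejects lookalike hosts (the domain-impersonation case), then, for links that really do point at sharepoint.com, extracts the tenant and flags files hosted in a tenant the organization does not own (the attacker-hosted lure case), while still marking own-tenant links as only "allow" rather than safe, because of the account-takeover route. The Microsoft host list, the tenant name "contoso", and all sample URLs are assumptions constructed for the example.

```python
import re
from urllib.parse import urlparse

# Hosts Microsoft actually uses for sharing links. This allow-list is an
# assumption for the example; verify it against links from your own tenant.
SHAREPOINT_SUFFIX = "sharepoint.com"                # <tenant>.sharepoint.com, <tenant>-my.sharepoint.com
CONSUMER_HOSTS = {"onedrive.live.com", "1drv.ms"}   # personal OneDrive, not a Microsoft 365 tenant

# Tenants this organization owns (hypothetical name used for the example).
OUR_TENANTS = {"contoso"}

TENANT_RE = re.compile(r"^([a-z0-9-]+?)(?:-my)?\.sharepoint\.com$")


def host_matches(host: str, suffix: str) -> bool:
    """True only for the suffix itself or a real subdomain of it.

    'sharepoint.com.evil.net' and 'notsharepoint.com' both return False,
    which is the check a naive substring match gets wrong.
    """
    return host == suffix or host.endswith("." + suffix)


def classify_link(url: str) -> dict:
    """Return a verdict ('allow', 'review' or 'block') plus the reason."""
    parts = urlparse(url)
    host = (parts.hostname or "").lower()
    result = {"url": url, "host": host, "tenant": None, "verdict": None, "reason": None}

    if parts.scheme != "https":
        result.update(verdict="block", reason="sharing links are always https")
        return result

    if host in CONSUMER_HOSTS:
        # A corporate "shared with you" notice should not point at a personal account.
        result.update(verdict="review", reason="consumer OneDrive host, not a Microsoft 365 tenant")
        return result

    if not host_matches(host, SHAREPOINT_SUFFIX):
        # Anything else that merely *mentions* the product names is a lookalike.
        if re.search(r"sharepoint|onedrive|1drv", host):
            result.update(verdict="block", reason="lookalike host")
        else:
            result.update(verdict="review", reason="not a Microsoft sharing host")
        return result

    # Genuine SharePoint Online host: pull the tenant out of the hostname.
    match = TENANT_RE.match(host)
    tenant = match.group(1) if match else None
    result["tenant"] = tenant
    if tenant in OUR_TENANTS:
        # Own tenant is not proof of safety: a hijacked colleague's account lands here too.
        result.update(verdict="allow", reason="own tenant (still reachable via account takeover)")
    else:
        result.update(verdict="review", reason="external tenant hosting the file")
    return result


if __name__ == "__main__":
    # Constructed sample links, not captured traffic.
    samples = [
        "https://contoso-my.sharepoint.com/:x:/g/personal/a_contoso_com/AbC123?e=xyz",
        "https://fabrikam.sharepoint.com/:f:/s/Sales/XyZ",
        "https://contoso.sharepoint.com.evil.net/login",
        "https://onedrive-live.com/view",
        "https://1drv.ms/x/s!AbCdEf",
        "https://docs.google.com/forms/d/e/1FAIpQ/viewform",
        "http://contoso.sharepoint.com/x",
    ]
    for link in samples:
        r = classify_link(link)
        print(f"{r['verdict']:<6} tenant={r['tenant']!s:<10} {r['reason']:<45} {link}")
```

The "review" verdicts are the interesting ones for this article: the Google Forms URL is exactly where the scam described above sends victims, and an external sharepoint.com tenant is where an attacker-hosted lure lives. Neither is caught by a domain reputation check, so whatever acts on these verdicts (a gateway rule, a CASB policy, or an analyst) needs to fetch and inspect the hosted content rather than trust the host name.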
How To Prevent Malicious Links In SharePoint And OneDrive
Wherever there's a technological trend, attackers aren't far behind. Threat actors exploiting the latest trends and the weaknesses that come with them may be a universal constant, but leaving your business exposed to them doesn't have to be.
Read on for our tool recommendations to make sure you stay one step ahead at all times.
Secure Email Gateways
Secure email gateways (SEGs) are best thought of as a complementary layer of security on top of your email encryption and the other security platforms already in place.
SEGs provide pre-delivery protection from malicious emails by scanning all incoming, outgoing, and internal mail at the gateway, inspecting every attachment and URL for malicious content, or for content that simply doesn't match pre-configured policies. They can detect and block malware, viruses, spam, and even email-based denial of service attacks. For the scams described here, one caveat matters: a link to a genuine sharepoint.com host with a lure file in an attacker's tenant will not be caught by domain reputation alone, so favor a gateway that follows the link and inspects the hosted document or login page, whether at delivery or at time of click.
Interested? Check out our roundup of the best SEGs to find your perfect fit: The Top 11 Email Security Gateways
Cloud Access Security Broker
A cloud access security broker (CASB) is a cloud-based or on-premises security tool positioned between an organization's users and network and the cloud services they use. It acts as a control point between the two, giving admins greater control over traffic and more extensive visibility into cloud application and network activity.
So, how do they come into play here?
CASBs offer a wide range of configurable security policies for admins. Capabilities can include multi-factor authentication, authorization, credential mapping, device profiling, tokenization, alerting, single sign-on, encryption, and malware detection and prevention. API-based CASB integrations can also scan data already stored in cloud services for sensitive content, policy violations, and malware.
They let admins find exactly where company data is stored across every application on the network, when it is accessed, when it is moved, and where it goes.
CASBs essentially add visibility and control in cloud applications that admins would otherwise struggle to see into. They can detect malicious links and alert admins when data is accessed or moved without authorization. CASBs are usually deployed as an add-on to existing security tools and controls.
There are plenty of vendors offering CASB solutions, so it can be hard to find what’s right for your business. Take a look at our guide: The Top 10 Cloud Access Security Brokers (CASBs).
Security Awareness Training
For all the technology in the world, you can't beat the trained human eye. You can have the most robust email security solutions in place (and, to be clear, you need them), but some phishing emails will still get through: they are, after all, just emails, and a well-crafted one looks like any other.
In cases of domain impersonation like the SharePoint and OneDrive scams above, AI and machine learning are getting better at singling these attacks out, but it very often comes down to the recipient spotting the attack in their inbox and responding correctly before it can harm your business.
This is where security awareness training comes in.
Security awareness training (SAT) is a training program for employees that educates them on cybersecurity. It blends visual and kinaesthetic learning through videos and quizzes to teach employees to spot potential cyberattacks as they emerge and how to respond accordingly, before testing them on their knowledge. As well as a range of useful topics, SAT guides employees through common phishing tactics, what their impact and damage can be, how to spot them, and what to do when they get one in their inbox.
The best security awareness training solutions are ones that are fun and engaging for users, and that are updated frequently with relevant and up-to-date information that covers the latest threats.
Another feature to look for when buying is ongoing phishing simulations. These are based on real-world phishing attacks and designed to test how users react to them in a realistic but safe setting.
Phishing simulations should come with a range of highly customizable email templates so that admins can tailor them to their business. Emails can be scheduled regularly or sporadically to test employees' reactions and knowledge. If a user clicks a link, they are taken to a safe page that tells them they failed the simulation and flags them to admins for further training.
Read our round up of the best SAT vendors on the market:
- The Top 10 Security Awareness Training Platforms For Business
- The Top 10 Phishing Simulation And Testing Solutions
- The Top 11 Phishing Awareness Training Solutions
- The Top 10 Security Awareness Content And Development Solutions
Summary
As the way we work and do business evolves, so do threat actors' tactics. Our migration to collaborative tools is a classic example: targeted attacks increasingly exploit the trust users place in SharePoint and OneDrive sharing links, and the gaps in how those links are vetted.
But with the right protocols, policies, and tools in place—and configured correctly—your business can stay one step ahead of attackers while enjoying all the benefits the cloud and collaborative apps have, so your employees can work better together no matter where they are in the world.