Office 365 phishing now with fake SharePoint alerts

Employees using Microsoft Office 365 are being targeted by a phishing campaign that uses fake automated SharePoint notifications to steal their account credentials.

The phishing emails are addressed to all employees of the targeted organizations and have so far reached an estimated 50,000 mailboxes, according to statistics from email security company Abnormal Security.

What makes these messages dangerous is the shotgun approach: the attackers need only one employee to take the bait, and can then use that employee's credentials to push further into the employer's systems.

Fake SharePoint alerts used as lures
The attackers behind this campaign kept the phishing messages as short and vague as possible, and made a point of including the targeted company's name multiple times within each email.

This is presumably meant to build trust and make the targets believe the emails really were sent from within their own organization.

“In the email body, the recipient’s company name was also used numerous times to impersonate an internal document shared by this service.”

“Recipients may be convinced that the email is safe and coming from their company because of the repetitive inclusion of the company name.”

The goal of the phishing messages is to make the targets click an embedded hyperlink that, through a series of redirects, lands them on a SharePoint-themed page.

There they are asked to click a button to download the “important documents” mentioned in the email. Depending on the variant, that button either downloads a PDF that in turn links to another website, or redirects the victim to a form that asks for their credentials.

If the targets fall for it, their Microsoft credentials give the attackers full control of their Office 365 accounts; the information in those accounts can then be stolen and used in identity theft and fraud schemes such as Business Email Compromise (BEC).

“This places employees and their networks at considerable risk as attackers can launch internal attacks to steal more credentials and information from the organization”.
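One check a mail-filtering or triage pipeline can apply to lures like the one described above is a link-destination test: a genuine SharePoint Online sharing notification links to a SharePoint or Microsoft host, while the lure's "download important documents" button points elsewhere and only reaches a SharePoint-themed page after redirects. The following is an added example, not code from the article or from Abnormal Security; the allowed host suffixes and the sample email body are assumptions constructed for the demonstration.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

# Hosts a genuine SharePoint Online sharing mail would link to.
# Assumption for this example; adjust to the domains your tenant actually uses.
ALLOWED_HOST_SUFFIXES = (".sharepoint.com", ".microsoft.com")


class _LinkCollector(HTMLParser):
    """Collect (visible text, href) for every <a href=...> in an HTML body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append(("".join(self._text).strip(), self._href))
            self._href = None


def extract_links(html):
    """Return all (anchor text, href) pairs found in the HTML body."""
    parser = _LinkCollector()
    parser.feed(html)
    return parser.links


def suspicious_links(html, allowed_suffixes=ALLOWED_HOST_SUFFIXES):
    """Return (anchor text, host) for links whose destination host is not an
    allowed SharePoint/Microsoft host. Links without a host (mailto:, relative
    paths) are reported with an empty host so they are reviewed too."""
    flagged = []
    for text, href in extract_links(html):
        host = (urlparse(href).hostname or "").lower()
        if not host.endswith(tuple(allowed_suffixes)):
            flagged.append((text, host))
    return flagged


# Constructed sample body resembling the lure described in the article.
# This is NOT a real capture; the company name and hosts are made up.
SAMPLE_LURE = """
<p>Contoso shared a document with you.</p>
<p>A new Contoso document is waiting for you.</p>
<p><a href="https://contoso.sharepoint.com/:b:/s/finance/report">Contoso Q2 Report.pdf</a></p>
<p><a href="https://contoso-docs.example.net/r/8f2a">Open important documents</a></p>
<p>Contoso IT</p>
"""

if __name__ == "__main__":
    for text, host in suspicious_links(SAMPLE_LURE):
        print(f"suspicious link: {text!r} -> {host or '(no host)'}")
```

The check only inspects the first hop. Because the campaign reaches its landing page through a series of redirects, a link whose first hop is a legitimate-looking redirector would pass this test; treat it as one signal alongside sender authentication results and the repeated-company-name pattern described above, not as a verdict on its own.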

Outlook now stores signatures in cloud

This feature is available for Office 365 mailboxes only.

Microsoft plans to release an update for the Outlook for Windows client next month that will add the possibility to configure an email signature and have it saved in the cloud, rather than inside each Outlook installation.

Until now, a long-standing annoyance with Outlook (and, for that matter, with most email clients) has been that users have to configure their email signature every time they install the client.

Whenever they reinstalled Windows or moved to a new device, users had to recreate the signature all over again.

Starting in June 2020, Microsoft says email signatures will be saved in the user's Microsoft 365 account and loaded from the cloud for every email they send.

The feature will allow users to have a consistent email signature across all devices, and avoid situations where users send emails with outdated signatures.

The new feature, expected to arrive in June 2020 according to the Microsoft 365 Roadmap, will be available only to Office 365 and Microsoft 365 customers, and will roll out first to the Outlook for Windows client. Other clients, such as Outlook for iOS and Outlook for Android, are expected to receive it later.

Support for cross-device, centralized email signatures has been one of Outlook’s most requested features in recent years.

Microsoft adds a feature to Office 365 for handling “Reply-All” storms

Microsoft this week rolled out a new feature to Office 365 customers to help IT staff detect and stop “Reply-All email storms.”

The term refers to situations when employees use the Reply-All option in mass-mailed emails, such as company-wide notifications.

If the number of recipients in the email chain is large and several employees hit Reply-All, the resulting burst of mail generates enough traffic to slow down or crash email servers.

Such events are common; sooner or later most companies will see their mail servers go down because employees join in and amplify a Reply-All storm, sometimes as a prank.

Microsoft, too, has suffered two such incidents already, the first in January 2019, and a second in March 2020. The Microsoft Reply-All email storms included more than 52,000 employees, who ended up clogging the company’s internal communications for hours.

The feature started rolling out this week to all Office 365 tenants worldwide. In its current form, Microsoft says the “Reply All Storm Protection” feature will block email threads with more than 5,000 recipients that have generated more than 10 Reply-All messages within the last 60 minutes.

Once the feature gets triggered, Exchange Online will block all replies in the email thread for the next four hours, helping servers prioritize actual emails and shut down the Reply-All storm.
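The rule above is simple enough to model, which is useful if you want to test whether your own mail-flow logs would have tripped it. The following is an added example written for this page, not Microsoft's implementation: it keeps a sliding 60-minute window of Reply-All messages per thread and, once a thread with more than 5,000 recipients exceeds 10 of them, rejects further replies to that thread for four hours. Whether Exchange Online delivers or rejects the message that trips the threshold is not stated in the article; this model rejects it. The event timeline is constructed, not real data.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Thresholds as Microsoft described the first version of the feature.
MIN_RECIPIENTS = 5000            # thread must have MORE than this many recipients
MAX_REPLY_ALLS = 10              # more than this many Reply-Alls in the window triggers
WINDOW = timedelta(minutes=60)   # sliding detection window
BLOCK_FOR = timedelta(hours=4)   # how long replies to the thread are rejected


class ReplyAllStormProtector:
    """Model of the detection rule: per thread, count Reply-All messages in a
    sliding 60-minute window; once a large thread exceeds the limit, reject
    every further reply to that thread until the block expires."""

    def __init__(self):
        self._replies = defaultdict(deque)   # thread_id -> timestamps of Reply-Alls
        self._blocked_until = {}             # thread_id -> datetime the block ends

    def handle(self, thread_id, sent_at, recipient_count, is_reply_all):
        """Decide one message. Returns 'deliver' or 'blocked'."""
        until = self._blocked_until.get(thread_id)
        if until is not None and sent_at < until:
            return "blocked"                 # thread is under an active block
        if not is_reply_all or recipient_count <= MIN_RECIPIENTS:
            return "deliver"                 # rule only watches large Reply-All threads
        window = self._replies[thread_id]
        window.append(sent_at)
        while window and sent_at - window[0] > WINDOW:
            window.popleft()                 # drop Reply-Alls older than 60 minutes
        if len(window) > MAX_REPLY_ALLS:
            self._blocked_until[thread_id] = sent_at + BLOCK_FOR
            window.clear()
            return "blocked"                 # this message trips the threshold (assumption)
        return "deliver"


def simulate(events):
    """Run a list of (thread_id, sent_at, recipient_count, is_reply_all) events
    through a fresh protector and return the decision for each."""
    protector = ReplyAllStormProtector()
    return [protector.handle(*event) for event in events]


def constructed_storm():
    """Constructed timeline (not real data): a 6,000-recipient all-hands mail,
    12 Reply-Alls over the next 24 minutes, one more three hours later while
    the block is active, and one after the block has expired."""
    t0 = datetime(2020, 5, 15, 9, 0)
    events = [("thread-1", t0, 6000, False)]
    for i in range(1, 13):
        events.append(("thread-1", t0 + timedelta(minutes=2 * i), 6000, True))
    events.append(("thread-1", t0 + timedelta(hours=3), 6000, True))
    events.append(("thread-1", t0 + timedelta(hours=5), 6000, True))
    return events


def constructed_small_thread():
    """Constructed control case: 20 Reply-Alls on a 50-recipient thread,
    which the rule must ignore because the thread is too small."""
    t0 = datetime(2020, 5, 15, 9, 0)
    return [("thread-2", t0 + timedelta(minutes=i), 50, True) for i in range(20)]


if __name__ == "__main__":
    for event, decision in zip(constructed_storm(), simulate(constructed_storm())):
        print(event[1].strftime("%H:%M"), "reply-all" if event[3] else "original", decision)
```

In the constructed storm the original mail and the first ten Reply-Alls are delivered, the eleventh trips the rule and is blocked along with everything else for the next four hours, and the reply sent five hours in is delivered again because the block has lapsed. The thresholds are module constants so the model can be re-run with different limits once Microsoft ships the promised admin controls.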

Microsoft said it will keep working on the feature, and has promised to add controls so that Exchange admins can set their own storm-detection limits.

Other planned additions include Reply-All storm reports and real-time notifications that alert administrators to an ongoing storm, so they can watch the mail servers for slowdowns or outages.

And since Microsoft has had its own run-ins with email storms recently, its internal network proved the best testing ground for the feature.

“Humans still behave like humans no matter which company they work for,” the Exchange team said this week. “We’re already seeing the first version of the feature successfully reduce the impact of reply all storms within Microsoft.”