Phishing Campaign Spreading Through Office 365 OAuth

Phishing Campaign Spreading Through Office 365 OAuth

By Chris Brunau

A new phishing campaign is targeting Office 365 users through a phony OAuth. According to reports, the culprits are impersonating OneDrive or SharePoint files with a link to a shared document. The user is prompted to grant OAuth access which allows the malicious attack will gain access to personal information, stored files, emails, and more.

PhishLabs has offered some Office 365 guidelines to help users avoid malicious OAuth applications:

  • Incorporate content into your end-user Security Awareness Training that teaches how to examine ALL aspects of an email for red flags, not just URLs and sender’s address, as these may not be sufficient in phishing attacks where legitimate services are abused.
  • Incorporate remediation steps for this attack method into your incident response plan. Traditional methods of remediating compromised Office 365, such as password changes, clearing sessions, or activating multi-factor authentication (MFA), are not effective for this attack method.
  • Proactively review Apps or add-ins installed across your environment. For further information see Microsoft's tutorial on investigating risky apps.

To learn more about how you can protect your Office 365 data, check out Datto SaaS Protection. Engineered to be the leading, one-stop-shop for cloud-to-cloud SaaS application backup, SaaS Protection gives you consistently reliable granular backups, quick and easy restores and exports, secured data for compliance and regulatory needs, and world-class 24/7/365 support. Join the 3.5 million end users already protected by Datto SaaS Protection. Learn more today!

Suggested Next Reads

Subscribe to the Blog