
More phishers target Microsoft 365 services via Google Docs

Phishing attacks are using Google Docs to steal Office 365 credentials through faked Microsoft sign-in pages, according to Kaspersky’s Roman Dedenok.

“Scammers have been resorting to all sorts of tricks to get business users to enter their passwords on a website made to look like Microsoft’s sign-in page,” he writes.

Typically, the latest attack begins with a phishing email that includes a Google Docs link and a vague message from an unknown sender about money, asking the recipient to click on the deposit type or confirm the sum.

Although security systems may alert the recipient, the link connects via Google Docs to a screen mimicking the Microsoft OneDrive corporate service page.

“Users can even see that the document is available to any company user — likely in hopes someone will forward the link to a corporate accountant,” writes Dedenok.

“The screen that users see is not a web page. It’s a slide from a Google Docs presentation that automatically opens in View mode. The Open button on it can conceal any link at all. In this case, the link connects to a phishing page disguised as an Office 365 sign-in page.”

Google Docs phishing scams are not new.

Kaspersky’s Dedenok indicates that companies should keep staff aware, on an ongoing basis, of potential threats and how to spot them, and should adopt link-screening tools at corporate network and individual workstation levels. People should not trust messages with an unclear purpose, he says.

Other red flags in this case included the fact that emails from external sources don’t tend to link to a company’s internal documents and that real financial documents are set to open for specific people, not every single person in an organisation.

In addition, the filename in the letter does not match the one allegedly stored on OneDrive, and in any case Google Docs doesn’t host Microsoft OneDrive pages. OneDrive is not Outlook, an Open button in OneDrive should not lead to an Outlook sign-in page, and Outlook sign-in pages don’t reside on Amazon websites, notes Dedenok.
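The red flags listed above can be written down as triage checks. The sketch below is an added example, not code from Kaspersky or from this article; the message fields, the organisation domain `example.com`, the accepted Microsoft sign-in hosts and the use of `amazonaws.com` for "Amazon websites" are all assumptions.

```python
from urllib.parse import urlparse

# Assumed for this sketch (not from the article): the organisation's mail domain,
# the hosts accepted as genuine Microsoft sign-in, and amazonaws.com as "Amazon".
ORG_DOMAIN = "example.com"
MS_SIGNIN_HOSTS = {"login.microsoftonline.com", "login.live.com"}
MS_BRANDS = ("onedrive", "office 365", "outlook", "microsoft")

def host_of(url):
    return (urlparse(url).hostname or "").lower()

def is_under(host, domain):
    # Match on a label boundary so "notexample.com" is not treated as "example.com".
    return host == domain or host.endswith("." + domain)

def red_flags(msg):
    """Return the red flags from the article that apply to one message (a dict)."""
    flags = []
    external = not is_under(msg["sender"].rsplit("@", 1)[-1].lower(), ORG_DOMAIN)
    page = msg["page_text"].lower()
    title = msg["target_title"].lower()
    target = host_of(msg["button_target"])
    if external and "onedrive" in page:
        flags.append("external-sender-links-corporate-doc")
    if msg["audience"] == "whole-company":
        flags.append("shared-with-whole-company")
    if msg["email_filename"] != msg["page_filename"]:
        flags.append("filename-mismatch")
    if is_under(host_of(msg["link"]), "docs.google.com") and "onedrive" in page:
        flags.append("onedrive-page-on-google-docs")
    if "sign in" in title and any(b in title for b in MS_BRANDS):
        if target not in MS_SIGNIN_HOSTS:
            flags.append("signin-off-microsoft-host")
        if is_under(target, "amazonaws.com"):
            flags.append("signin-on-amazon-hosting")
    return flags

# Constructed sample modelled on the article's description; every value is made up.
SAMPLE = {
    "sender": "unknown@mail.invalid",
    "link": "https://docs.google.com/presentation/d/PLACEHOLDER/view",
    "email_filename": "deposit_advice.pdf",
    "page_filename": "payment_summary.xlsx",
    "page_text": "OneDrive - shared with any company user. Open",
    "audience": "whole-company",
    "button_target": "https://placeholder.s3.amazonaws.com/login.html",
    "target_title": "Outlook - Sign in",
}
print(red_flags(SAMPLE))
```

A message that trips several of these flags at once is a candidate for quarantine and analyst review; a single flag on its own is weaker evidence.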

Read what Kaspersky has to say about the Colonial Pipeline ransomware attack — specifically, contact authorities promptly to reduce the potential damage.

