Uptick in Phishing from SharePoint and Teams: What you should know. What we’re doing about it.


We hope this message finds you well. We wanted to bring to your attention an emerging security concern that has been affecting a number of Office365 users. There has been a significant uptick in phishing attempts that seem to originate from legitimate SharePoint links and Microsoft Teams chat requests. These deceptive attempts are the result of compromised Office365 accounts.

To ensure the security of your data and prevent your employees from falling victim to such scam emails, it's crucial to understand and recognize the warning signs. Here are the clear red flags to watch out for:

Unknown File Sharer: If you cannot identify who shared the file with you, it’s best to err on the side of caution. Always avoid opening files from unknown or suspicious sources.

Vague File Details: If a file is shared without any prior context or an explanation of its content and purpose, consider it a red flag. Legitimate file shares typically have an associated conversation or context.

Mismatched File Types: Be cautious if the email mentions one type of file (e.g., a OneNote file) but the server displays another type (e.g., a PDF). This inconsistency is a clear sign of foul play.

Suspicious Download Links: If the download link redirects you to a third-party site that seems unrelated to your company or SharePoint, it's likely a phishing attempt.

Service Inconsistencies: Be wary if you're told the file is on a SharePoint server, but the interface or design closely resembles OneDrive. Remember, SharePoint and OneDrive are two distinct services offered by Microsoft.

Office365, SharePoint, and Teams administrators should also consider adjusting the following permissions:

  • Allow all external domains - This is the default setting in Teams, and it lets users in your organization find, call, chat, and set up meetings with people external to your organization in any domain.
  • Allow only specific external domains - By adding domains to an Allow list, you limit external access to only the allowed domains. Once you set up a list of allowed domains, all other domains will be blocked.
  • Block specific domains - By adding domains to a Block list, you can communicate with all external domains except the ones you've blocked. Once you set up a list of blocked domains, all other domains will be allowed.
  • Block all external domains - Prevents users in your organization from finding, calling, chatting, and setting up meetings with people external to your organization in any domain.
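
For administrators who manage Teams from PowerShell, the sketch below shows how the four options above map onto the tenant federation configuration. It is an added example, not part of the original advisory. It assumes the MicrosoftTeams PowerShell module and a Teams administrator account, and the `.example` domains are placeholders to replace with your own partner or blocked domains.

```powershell
# Added example: audit and tighten Teams external access.
# Assumes: Install-Module MicrosoftTeams has been run and you hold a Teams admin role.
Connect-MicrosoftTeams

# Audit first: record what the tenant allows today before changing anything.
Get-CsTenantFederationConfiguration |
    Select-Object AllowFederatedUsers, AllowedDomains, BlockedDomains |
    Format-List

# Option: allow only specific external domains (all others are blocked).
# Placeholder domains; list the partners your users actually need to reach.
$allowed = New-Object 'System.Collections.Generic.List[string]'
$allowed.Add('partner-one.example')
$allowed.Add('partner-two.example')
Set-CsTenantFederationConfiguration -AllowFederatedUsers $true
Set-CsTenantFederationConfiguration -AllowedDomainsAsAList $allowed

# Option: block specific domains (all others stay allowed).
# Placeholder domain; use a domain you have seen sending unwanted chat requests.
# $blocked = New-CsEdgeDomainPattern -Domain 'unwanted-sender.example'
# Set-CsTenantFederationConfiguration -BlockedDomains @{Replace = $blocked}

# Option: block all external domains.
# Set-CsTenantFederationConfiguration -AllowFederatedUsers $false

# Option: allow all external domains (the Teams default described above).
# Set-CsTenantFederationConfiguration -AllowedDomains (New-CsEdgeAllowAllKnownDomains)

# Confirm the change took effect.
Get-CsTenantFederationConfiguration |
    Select-Object AllowFederatedUsers, AllowedDomains, BlockedDomains |
    Format-List
```

Only one option should be active at a time; uncomment the one that matches your policy and leave the others commented out.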

By staying informed and vigilant, we can collectively combat these deceptive practices and ensure the safety of our online spaces. Please share this information with your teams and consider providing additional training if necessary.

As we move through the coming week, we'll be building new detections and defenses around this particular type of attack. If you are a subscriber, those new detections will be automatically implemented.

If you have any questions or encounter any suspicious activity, please do not hesitate to contact our support team immediately.

Stay Safe,

Patrick Kelley