Beware of Phishing Attacks This Holiday Season

With this new phishing threat, an attacker compromises a user's account, gains access to their contacts and sends malicious links from legitimate domains. The email may contain an invoice, voicemail, or similar legitimate communication that mimics regular business practices and misleads you into thinking the message has come from a colleague or partner.

After an attacker compromises a SharePoint or OneDrive account, they upload a malicious file and change the account's sharing permissions to "public" so that anyone can access it. This malicious link is then shared with the compromised users' contacts or other targeted individuals. Sometimes the link is a unique redirect URL and so it can be difficult to detect, as it would not appear on any URL reputation repository.

Some attackers have strategically placed malicious content in one compromised account while using a second account – perhaps one belonging to an important or credible individual that one might expect communication from – to send the link. Even if the second tenant's compromised account is discovered, the malicious file hosted in the first tenant would not be taken down. And so, the attack would persist.

Other similarly abused cloud-based services include Sway, Dropbox, Google APIs, Google Docs, Google Drive, and Box.