{"id":18296,"date":"2021-05-07T00:16:35","date_gmt":"2021-05-06T20:16:35","guid":{"rendered":"https:\/\/me-en.kaspersky.com\/blog\/office-365-phishing-via-gdocs\/18296\/"},"modified":"2021-05-07T00:17:07","modified_gmt":"2021-05-06T20:17:07","slug":"office-365-phishing-via-gdocs","status":"publish","type":"post","link":"https:\/\/me-en.kaspersky.com\/blog\/office-365-phishing-via-gdocs\/18296\/","title":{"rendered":"Google Docs used for Office 365 credential phishing"},"content":{"rendered":"

Since the onset of the COVID-19 pandemic, many companies have moved much of their workflows online and learned to use new collaboration tools. In particular, Microsoft\u2019s Office 365 suite has seen a lot more use \u2014 and, to no one\u2019s surprise, phishing now increasingly targets those user accounts. Scammers have been resorting to all sorts of tricks to get business users to enter their passwords on a website made to look like Microsoft\u2019s sign-in page. Here is another phishing scheme that makes use of Google services.<\/p>\n

Phishing letter<\/h2>\n

As most phishing schemes, this one begins with a letter (and link) similar to this one:<\/p>\n

\"A<\/a><\/p>\n

The unclear message from an unknown sender concerns some kind of deposit and includes a link having to do with \u201cDeposit Advice.\u201d The letter asks the recipient to check on the deposit type or confirm the sum. Now, although security systems alert recipients about the letter coming from outside the company, the link \u201cto the file\u201d passes muster because it connects to a legitimate Google online service, not a phishing site.<\/p>\n

Phishing site<\/h2>\n

The link leads to a location that appears to be the OneDrive corporate service page. Users can even see that the document is available to any company user (made so likely in hopes someone will forward the link to a corporate accountant).<\/p>\n

\"A<\/a><\/p>\n

But the screen users see is not truly a Web page; it\u2019s a slide from a Google Docs presentation that automatically opens in View mode. The Open button on it can conceal any link at all. In this case, the link connects to a phishing page disguised as an Office 365 sign-in page.<\/p>\n

\"Fake<\/a><\/p>\n

Red flags<\/h2>\n

To begin with, the letter looks weird. You should not trust \u2014 let alone forward \u2014 a letter whose source and purpose isn\u2019t clear. In this case, for example, if you weren\u2019t involved in a deposit, then perhaps you shouldn\u2019t be taking any action regarding that deposit.<\/p>\n

More evidence:<\/p>\n