The Microsoft Office 365 Scam You Probably Haven't Heard Of
Updated: Oct 22, 2018
FIRST OFF: Before you even read this post, if you use Outlook, go to your Home tab, click the Rules dropdown, and select Manage Rules & Alerts. Check carefully any rules listed there. If you see any rules in this box that you did not set up, you may be the victim of the scam described below. Delete any rules you are not sure about. Then tell your IT department to set up Office 365 alerts that warn them any time a rule or forward is created on an Office 365 account. Got that? Good. Now proceed...
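For IT staff who need to do that rules check across every mailbox rather than one Outlook client at a time, here is an added example (not from the original post, nor Accurit's own tooling) in Exchange Online PowerShell. It assumes the ExchangeOnlineManagement module and an admin account allowed to run Get-Mailbox, Get-InboxRule and Search-UnifiedAuditLog, with mailbox auditing enabled; the 7-day window and the folder-name pattern are assumptions you can tune.

```powershell
# Hunt for attacker-created inbox rules and forwarding across an Office 365 tenant.
# Assumes: ExchangeOnlineManagement module, an admin session, auditing turned on.
Connect-ExchangeOnline

$Findings  = @()
$Mailboxes = Get-Mailbox -ResultSize Unlimited -RecipientTypeDetails UserMailbox

foreach ($Mbx in $Mailboxes) {
    # Mailbox-level forwarding set with Set-Mailbox needs no inbox rule at all.
    if ($Mbx.ForwardingSmtpAddress -or $Mbx.ForwardingAddress) {
        $Findings += [pscustomobject]@{
            Mailbox = $Mbx.UserPrincipalName; Type = 'MailboxForwarding'
            Detail  = "$($Mbx.ForwardingSmtpAddress) $($Mbx.ForwardingAddress)".Trim()
        }
    }
    # Rules that forward, redirect, delete, or bury mail are the classic post-compromise sign:
    # they hide the victim's own replies and the contacts' "is this legitimate?" questions.
    foreach ($Rule in (Get-InboxRule -Mailbox $Mbx.UserPrincipalName)) {
        $HidesMail = $Rule.DeleteMessage -or ($Rule.MoveToFolder -match 'RSS|Archive|Deleted|Junk')
        if ($Rule.ForwardTo -or $Rule.ForwardAsAttachmentTo -or $Rule.RedirectTo -or $HidesMail) {
            $Findings += [pscustomobject]@{
                Mailbox = $Mbx.UserPrincipalName; Type = 'InboxRule'
                Detail  = "$($Rule.Name) [Enabled=$($Rule.Enabled)] $($Rule.Description)"
            }
        }
    }
}

# Audit log: who created or changed rules/forwarding in the last 7 days (assumed window),
# including the client IP, which is what a "logged in as you" intrusion leaves behind.
$Events = Search-UnifiedAuditLog -StartDate (Get-Date).AddDays(-7) -EndDate (Get-Date) `
    -Operations New-InboxRule, Set-InboxRule, Set-Mailbox -ResultSize 5000
foreach ($E in $Events) {
    $Data   = $E.AuditData | ConvertFrom-Json
    $Params = $Data.Parameters
    # Set-Mailbox is noisy; keep only events that touched forwarding settings.
    if ($E.Operations -eq 'Set-Mailbox' -and
        -not ($Params | Where-Object { $_.Name -like 'Forwarding*' -or $_.Name -eq 'DeliverToMailboxAndForward' })) {
        continue
    }
    $Findings += [pscustomobject]@{
        Mailbox = $E.UserIds; Type = "Audit:$($E.Operations)"
        Detail  = "$($Data.ClientIP) " + (($Params | ForEach-Object { "$($_.Name)=$($_.Value)" }) -join ' ')
    }
}

$Findings | Sort-Object Mailbox, Type | Format-Table -AutoSize
Disconnect-ExchangeOnline -Confirm:$false
```

Anything listed under InboxRule or MailboxForwarding that the mailbox owner cannot account for should be treated as a compromised account, not just a stray rule: reset the password, revoke sessions, and work through the contacts it has already mailed.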
A nasty Microsoft Office 365 scam is making the rounds recently that you probably haven't heard of, but you might be an unwitting victim.
The scenario goes like this: You receive an e-mail message from someone with whom you are acquainted. It could be a vendor. Often, it is someone you work with. The key is that your information is an entry in their contacts list, and vice versa. The message typically asks you to review some attached PDF documents, or to approve an attached PDF invoice.
At this point, you might reply to the sender and ask if this message is legitimate, because you have no idea what he or she is talking about. Within moments, you get a response from your contact stating that, yes, in fact, this is a legitimate request to click the PDF and review the information. So you do. But before you can see the document, you are asked for your Microsoft Office 365 username and password. Which you then provide. The PDF either comes up or doesn't, but either way it doesn't matter, because you've given your Office 365 username and password to a malicious operator. When you email your contact that the information doesn't make any sense, you won't get a response.
The "hacker" is now using your username and password to log into your Office 365 portal. And what he or she can do from there is terrifying.
Imagine that you have all your proprietary information stored in Office 365, either in e-mail, OneDrive or SharePoint. The hacker now has access to everything. It can be copied, sold, and compromised without your ever knowing, because by default there is no warning to you that anyone has logged into Office 365 as you, or from what location they are logging in.
Over the past year, this exact scenario has been playing out across organizations large and small, public and private, U.S.-based and international. It hits without warning, and is impervious to anti-spoofing measures because the malicious operator is, in fact, logged in as you, impersonating you as he or she interacts with your contacts to glean information from them.
Most often, after perusing your private files and SharePoint access, the operator will leverage your contacts to send out PDFs as you and collect their Office 365 usernames and passwords. Whereupon, the whole process starts over again. And you were the gatekeeper. That's not a good reputation for your organization, and it could cost you business relationships.
To counter this method, Accurit recommends setting up Multi-Factor Authentication (MFA) on your Office 365 account.
What will MFA do? First, it will require a six-digit authentication code each time someone tries to log into the Office 365 portal or into Outlook on the Web. This code will be sent to your cell phone, so if you didn't request the authentication, you know someone is trying, and failing, to get your Office 365 information. This step alone will terminate most malicious attempts on your account.
MFA is not perfect, and it certainly isn't seamless to install. While applications like the Office 365 portal, the Outlook phone app, and Microsoft Teams will require the six-digit code at least once to set up, programs like Outlook Desktop and Skype Desktop require a more complicated app password to configure the first time. For existing users, that can be frustrating and confusing until everything is working properly under MFA. The benefits, however, far outweigh the frustration, particularly when your proprietary information is at risk.
Interested in learning more? Contact us to start the conversation.