New phishing attack tries to steal Office 365 credentials via Box
Researchers at cloud security platform Armorblox have uncovered a phishing attack that seeks to steal Office 365 login credentials.
So far, so predictable. The twist here is that the email link first takes victims to a page hosted on cloud file-sharing service Box, which is followed by a credential phishing page that resembles the Office 365 login portal.
The sender name and domain used belong to a legitimate company, and this, together with the use of Box, helps the attack evade detection and get through to people's inboxes. The emails are also constructed to encourage people to click, with a simple call to action, "Click here to pick up your documents", and footer text that informs readers that the email link will only be active for a limited time, giving a sense of urgency.
"The first page in this attack flow was hosted on Box, leveraging the reputation of the Box domain to get past any filters used to block known bad domains," writes Arjun Sambamoorthy, co-founder and head of engineering at Armorblox on the company's blog. "The page looked like it was hosting a document that was shared over OneDrive, with plenty of Microsoft branding used to lull users into a false sense of security. The document displays 'Secured by OneDrive' on the top left corner, 'OneDrive for Business' emblazoned on the center, and 'Powered by Office 365' on the bottom left corner."
If users clicked the 'Access Document' link on the Box page, they were redirected to a page resembling the Office 365 login portal which would scoop up their credentials.
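A defender-side check for the flow described above, as an added example (not Armorblox's detection method and not code from the article): it flags a page that shows the Microsoft branding quoted above, or an Office 365 sign-in form, while being served from a host outside an assumed list of Microsoft domains. The domain list, login markers, function names and sample pages are assumptions constructed for illustration.

```python
from urllib.parse import urlparse

# Assumption: suffixes treated as Microsoft-operated; extend for your tenant.
MICROSOFT_SUFFIXES = ("microsoft.com", "microsoftonline.com", "office.com",
                      "sharepoint.com", "live.com")
# Branding strings quoted in the article's description of the Box-hosted page.
BRAND_MARKERS = ("secured by onedrive", "onedrive for business",
                 "powered by office 365")
# Assumption: words that indicate a sign-in form.
LOGIN_MARKERS = ("sign in", "password")


def is_microsoft_host(url):
    """True only if the URL's host is a listed suffix or a subdomain of one."""
    host = (urlparse(url).hostname or "").lower().rstrip(".")
    return any(host == s or host.endswith("." + s) for s in MICROSOFT_SUFFIXES)


def assess_page(url, text):
    """Return findings for one page reached from an email link."""
    if is_microsoft_host(url):
        return []
    lowered = text.lower()
    findings = []
    if any(marker in lowered for marker in BRAND_MARKERS):
        findings.append("brand-host-mismatch")
    if "office 365" in lowered and all(m in lowered for m in LOGIN_MARKERS):
        findings.append("credential-form-off-domain")
    return findings


def assess_chain(pages):
    """Map each (url, text) hop of a click chain to its findings."""
    return {url: assess_page(url, text) for url, text in pages}


# Constructed sample pages (placeholders, not indicators from the campaign).
SAMPLE_CHAIN = [
    ("https://app.box.com/s/EXAMPLE",
     "Secured by OneDrive | OneDrive for Business | Access Document | "
     "Powered by Office 365"),
    ("https://portal.example.invalid/login",
     "Office 365 - Sign in - Email - Password"),
    ("https://login.microsoftonline.com/",
     "Office 365 - Sign in - Email - Password"),
]

if __name__ == "__main__":
    for url, findings in assess_chain(SAMPLE_CHAIN).items():
        print(url, findings or "ok")
```

The host comparison matches on full suffix labels, so a lookalike such as `microsoft.com.example.invalid` is not treated as a Microsoft host.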
You can read more about the attack, including how it was detected, on the Armorblox blog.