
Defend against this new Office 365 threat

Some hackers have become so skilled that they don’t even need you to give up your credentials to hack into your account. One recent cyberthreat is targeted towards users of Microsoft Office 365. You don’t want to be the next victim, so read up.

A phishing scam that harvests users’ credentials

The latest cyberattack on Microsoft Office 365 involves harvesting users’ credentials. In this previously unseen tactic, scammers send users a phishing message that asks them to click on an embedded link. What makes this scam more insidious than traditional phishing scams is that the URL within the message links to a real Microsoft login page.

How does it work?

The phishing message resembles a legitimate SharePoint and OneDrive file-share that prompts users to click on it. Once they do, they are taken to an Office 365 login page where they will be asked to log in if they haven’t already.

After they’ve logged in, they’ll be prompted to grant permission to an app called “0365 Access.” Users who grant permission effectively give the app — and the hackers behind it — complete access to their Office 365 files, contacts, and inbox.

This technique can easily trick lots of users since the app that requests access is integrated with the Office 365 Add-ins feature. That means that Microsoft essentially generates the request for permission. No, Microsoft is not aiding hackers to breach systems. Rather, the scam is made possible by a feature that allows users to install apps that are not from the official Office Store.

Ways to protect your Office 365 account — and your business

Given their fairly advanced approach, these scammers could effortlessly prey on careless employees. There are ways to make sure that doesn’t happen.

  • Always check the email’s sender account before clicking on any link or granting apps access.
  • Implement a policy that prevents staff from downloading and installing apps that are not from the Office Store.
  • Regularly conduct security awareness training that covers essential cybersecurity topics. Educate employees on how to spot phishing scam red flags (e.g., unknown senders, grammatical and typographical errors, suspicious requests, and the like). Increase their knowledge about more sophisticated attacks and keep everyone informed about current and future cybersecurity risks.
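To complement the checks above, an administrator can periodically review the apps that users have already granted access to. The following is an added example, not code from the original article or from Microsoft: it flags apps whose names imitate a brand word (as “0365 Access” does with a digit zero), that are not from the Office Store, or that hold files, contacts and mail access together. The inventory records and their field names are hypothetical and constructed for illustration.

```python
import re
import unicodedata

# Brand words an attacker may imitate in an app's display name (assumed list).
BRAND_TOKENS = {"o365", "office", "microsoft", "onedrive", "sharepoint", "outlook"}
# Character swaps used in lookalike names, e.g. digit zero for the letter O.
SWAPS = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s", "@": "a", "$": "s"})
# Access the article says the malicious app obtains.
BROAD_ACCESS = {"files", "contacts", "mail"}

def skeleton(token: str) -> str:
    """Fold case, Unicode compatibility forms and common character swaps."""
    return unicodedata.normalize("NFKC", token).casefold().translate(SWAPS)

BRAND_SKELETONS = {skeleton(b) for b in BRAND_TOKENS}

def lookalike_tokens(display_name: str) -> list:
    """Return tokens that resemble a brand word without being spelled like it."""
    tokens = re.findall(r"[^\s\-_.]+", display_name)
    return [t for t in tokens
            if skeleton(t) in BRAND_SKELETONS and t.casefold() not in BRAND_TOKENS]

def review_app(app: dict) -> list:
    """List the reasons an app with granted access deserves a manual review."""
    reasons = []
    hits = lookalike_tokens(app["name"])
    if hits:
        reasons.append("lookalike name token(s): " + ", ".join(hits))
    if not app["from_office_store"]:
        reasons.append("not from the Office Store")
    if BROAD_ACCESS <= set(app["access"]):
        reasons.append("holds files, contacts and mail access")
    return reasons

# Constructed inventory; field names are hypothetical, not a Microsoft export format.
SAMPLE_APPS = [
    {"name": "0365 Access", "from_office_store": False,
     "access": ["files", "contacts", "mail"]},
    {"name": "Expense Tracker", "from_office_store": True, "access": ["files"]},
    {"name": "Team Calendar", "from_office_store": False, "access": ["contacts"]},
]

def flagged(apps: list) -> dict:
    """Map each app name that needs review to its list of reasons."""
    return {a["name"]: review_app(a) for a in apps if review_app(a)}

if __name__ == "__main__":
    for name, reasons in flagged(SAMPLE_APPS).items():
        print(f"{name}: {'; '.join(reasons)}")
```
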

Successful attacks could result in an unimaginable catastrophe to your company. For tips on how to spot this and other nefarious scams and how to plan thorough security practices, contact our experts today.

Microsoft Office 365 to block Flash

A few weeks ago, Microsoft made an announcement to block future content that is embedded with Adobe Flash, Shockwave, and even their own Silverlight platform from Office 365. While the developers have their reasons for implementing this, they should have pulled this feature earlier to avoid many irate customers.

Microsoft recently announced plans to eventually stop the activation of Silverlight, Shockwave, and Flash content in Office 365. This is not just the developers disabling bugs with an option to click a link or button to look at content. Within a few months’ time, Flash will be gone from Office 365 for good.

What media will be affected once this is implemented?

Microsoft Silverlight and Adobe Flash or Shockwave content that uses Microsoft’s OLE (Object Linking and Embedding) platform and the “Insert Object” feature will be blocked. However, media that uses the “Insert Online Video” control via an Internet Explorer browser frame will not be affected by this change.

The following timeline shows the various changes that will take full effect by January 2019:

  • Controls in the Office 365 Monthly Channel will be blocked beginning June 2018.
  • Controls in the Office 365 Semi-Annual Targeted (SAT) Channel will be blocked beginning September 2018.
  • Controls in the Office 365 Semi-Annual Channel will be blocked beginning January 2019.

Why did the developers choose to take out the embedded content?

Microsoft pointed out various reasons for making their decision. It cited that malware authors have been exploiting systems through Word, Excel, and PowerPoint files with embedded content, and that most Office 365 users did not use or rarely use the controls anyway.

Aside from this, the developers at Microsoft decided to take action after Adobe announced that Flash would reach its end-of-life cycle by 2020. Silverlight was discontinued in 2016, with enterprise customers having support for the medium until 2021.

For businesses that still need to look at or embed Silverlight- or Flash-based content in an Office 365 document, Microsoft has provided a support page to guide users on re-activating the controls.

As more websites are transitioning away from Flash in favor of HTML5, Microsoft’s once-popular platform has experienced a steady decline over the years. According to Google, Chrome users who loaded a single web page per day that has Flash media had gone down from an estimated 80% during 2014 to below 8% in early 2018.

For more information about utilizing Office 365 features and other IT related concerns, feel free to get in touch with us today!

Published with permission from TechAdvisory.org.