Graphus detects sophisticated SharePoint phishing attacks

January 21, 2020

Recently, Graphus has detected several Microsoft SharePoint phishing attacks against our customers. These are a newer attack type: extremely well crafted and difficult to detect. From the recipient's point of view, the attack looks like this.

The recipient receives an email with a link to a SharePoint document. The attacks we’ve detected for our customers have been well crafted and look like a legitimate email asking the recipient to log in and review a SharePoint document.

Once they click the link in the email, they are taken to a page that looks like a Microsoft OneDrive login.


When the recipient clicks “Review Document”, they are taken to a screen that offers several sign-in options.


When the recipient clicks one of these options, they are taken to a login screen that asks for their credentials.


Because there are several ‘hops’ between the link in the email and the page that actually asks for credentials, standard detection solutions and methodologies, which typically inspect only the URL in the message, never see the credential-harvesting page.

How these attacks get past Office 365 & other security solutions

Microsoft Office 365 and other security products scan the links in emails, looking for blacklisted or otherwise suspicious URLs. These cybercriminals are actually creating Office 365 accounts and enabling SharePoint, so the link in the email points to a real SharePoint document hosted in a genuine Microsoft tenant. The URL scanner sees a trusted domain with no history of abuse, so Office 365 and other solutions do not identify the message as a threat; the malicious content is only reached through the link inside that document.
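To make the difference concrete, here is an added example (not code from the original post or from Graphus) that contrasts a reputation-only link check with a detector that follows the link through several hops. The URLs, page contents, and the allowlists of trusted hosts are all constructed for illustration; in real use the in-memory page table would be replaced by a sandboxed fetcher.

```python
"""Walk a lure link through several hops and flag where credentials are collected.

Added example; the URLs and page contents below are constructed for illustration
and are not from the original post or from Graphus.
"""
from collections import deque
from html.parser import HTMLParser
from urllib.parse import urljoin, urlparse

# Assumed: hosts where a password form is legitimate.
TRUSTED_LOGIN_HOSTS = {"login.microsoftonline.com", "login.live.com"}
# Assumed: domains a reputation-only link scanner treats as safe.
TRUSTED_LINK_SUFFIXES = (".sharepoint.com", ".microsoft.com", ".office.com")

# Constructed hop chain: a genuine SharePoint-hosted page in an attacker-owned
# tenant -> sign-in chooser -> credential form on the attacker's own host.
LURE_URL = "https://contoso-docs.sharepoint.com/:b:/s/shared/invoice-review"
BENIGN_URL = "https://contoso-docs.sharepoint.com/:w:/s/finance/q4-report"
PAGES = {
    LURE_URL: """<html><body><h2>OneDrive</h2>
        <p>A document has been shared with you.</p>
        <a href="https://files-review.example/open">Review Document</a>
        </body></html>""",
    "https://files-review.example/open": """<html><body>
        <p>Sign in with your email provider to view this document</p>
        <a href="/signin?provider=office365">Office 365</a>
        <a href="/signin?provider=other">Other email</a>
        </body></html>""",
    "https://files-review.example/signin?provider=office365": """<html><body>
        <form action="/collect" method="post">
        <input name="email"><input type="password" name="password">
        </form></body></html>""",
    "https://files-review.example/signin?provider=other": """<html><body>
        <form action="/collect" method="post">
        <input name="email"><input type="PASSWORD" name="pw">
        </form></body></html>""",
    # A legitimate share: the only password form sits on Microsoft's login host.
    BENIGN_URL: """<html><body>
        <a href="https://login.microsoftonline.com/common/oauth2/authorize">Sign in</a>
        </body></html>""",
    "https://login.microsoftonline.com/common/oauth2/authorize": """<html><body>
        <form action="/common/login" method="post">
        <input name="login"><input type="password" name="passwd">
        </form></body></html>""",
}


class PageFeatures(HTMLParser):
    """Collects outbound links, form targets, and whether a password field exists."""

    def __init__(self):
        super().__init__()
        self.links = []
        self.form_actions = []
        self.has_password_field = False

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "a" and a.get("href"):
            self.links.append(a["href"])
        elif tag == "form" and a.get("action"):
            self.form_actions.append(a["action"])
        elif tag == "input" and (a.get("type") or "").lower() == "password":
            self.has_password_field = True


def reputation_only_verdict(url):
    """What a scanner that looks only at the URL in the email concludes."""
    host = urlparse(url).hostname or ""
    return "clean" if host.endswith(TRUSTED_LINK_SUFFIXES) else "suspicious"


def follow_hops(start_url, fetch, max_hops=4):
    """Breadth-first walk from the lure link, at most max_hops pages deep.

    `fetch(url)` returns page HTML or None.  A password form on any host
    outside TRUSTED_LOGIN_HOSTS is reported together with the chain of URLs
    that led there and the host that would receive the submitted credentials.
    """
    queue = deque([(start_url, [start_url])])
    seen = {start_url}
    while queue:
        url, chain = queue.popleft()
        html = fetch(url)
        if html is None:
            continue
        page = PageFeatures()
        page.feed(html)
        host = urlparse(url).hostname or ""
        if page.has_password_field and host not in TRUSTED_LOGIN_HOSTS:
            sink = urljoin(url, page.form_actions[0]) if page.form_actions else url
            return {"verdict": "phishing", "chain": chain,
                    "credential_sink": urlparse(sink).hostname}
        if len(chain) - 1 < max_hops:  # hops taken so far
            for href in page.links:
                nxt = urljoin(url, href)
                if nxt not in seen:
                    seen.add(nxt)
                    queue.append((nxt, chain + [nxt]))
    return {"verdict": "clean", "chain": [start_url], "credential_sink": None}


if __name__ == "__main__":
    for url in (LURE_URL, BENIGN_URL):
        print(url)
        print("  reputation-only:", reputation_only_verdict(url))
        print("  multi-hop:      ", follow_hops(url, PAGES.get))
```

Both share links live on a real sharepoint.com host, so the reputation-only check passes both. Only by walking the chain does the detector reach the third page and notice that a password form is being served from a host that has no business collecting Microsoft credentials.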

How Graphus® is able to detect these attacks

Graphus® is powered by a patented AI technology we call the TrustGraph®. The TrustGraph® is made up of various technologies and algorithms that allow it to learn, adapt, and continually get smarter. Each organization has its own unique attack surface; the TrustGraph® learns about your attack surface and adapts to specifically protect your organization from social engineering attacks. Graphus® also doesn’t rely on traditional threat intelligence. Instead, we have developed proprietary and patented algorithms that detect not only previously seen attack types but also new, and even zero-day, attacks. When you combine this with the ability to detect suspicious or malicious links through multiple hops, it makes for a powerful solution.