This is a large scale phishing attack against Office 365 that we have been seeing across the majority of our Office 365 customers that takes advantage of Office 365's blindness to phishing attacks in which the URL contains special characters.
It started on August 2, 2017 and fakes a Dropbox file share email. The link that the hackers use in the email rotates, each time leading to another compromised site, but they all seem to lead to a fake Dropbox login page. It all looks genuine with one small change - a dot above the 'ȯ'.
The email subject looks like this:
Attached Via Drȯpbox - (Account_liquidation.Pdf)
Here's an example of where the link in the email leads to:
The Office 365 service has a notorious history of not detecting phishing attacks when the domain included special characters. For example, in Dec. 2016 we published the punycode vulnarability in domain name (https://www.avanan.com/resources/puny-phishing-office-365). A similar attack was then reported by other security vendors in March and April 2017 (http://thehackernews.com/2017/04/unicode-Punycode-phishing-attack.html).
This new one is yet another variation, this time the hackers are using special characters in the subject of the email, probably to bypass Microsoft's built in security that looks for known brands like 'Dropbox'.
Please warn your users and if you want to learn more about how Avanan tracks and blocks these attacks on Office 365 customers, you can reach us from the 'Get a demo' page.
Yoav and The Avanan Team.