---
title: "One More Reason Why Office 365 is so Vulnerable to Phishing Attacks | Phish Protection"
description: "One More Reason Why Office 365 is so Vulnerable to Phishing Attacks: Office 365 comes with email security native to the application, but it must not be very."
image: "https://phishprotection.com/og/blog/one-more-reason-why-office-365-is-so-vulnerable-to-phishing-attacks.png"
canonical: "https://phishprotection.com/blog/one-more-reason-why-office-365-is-so-vulnerable-to-phishing-attacks/"
---

Quick Answer

According to \[CPO Magazine\](https://www.cpomagazine.com/cyber-security/microsoft-oauth-apps-the-target-of-cunning-new-phishing-attack/), "A new phishing attack is being used to steal user credentials from Microsoft SharePoint and OneDrive users. \_The attack method is reportedly designed to resemble an ordinary Office 365 permissions page \[and\] takes on the appearance of a credible Office 365 Add-In\_."

Share 

[ ](https://www.linkedin.com/sharing/share-offsite/?url=https%3A%2F%2Fphishprotection.com%2Fblog%2Fone-more-reason-why-office-365-is-so-vulnerable-to-phishing-attacks%2F "Share on LinkedIn") [ ](https://twitter.com/intent/tweet?text=One%20More%20Reason%20Why%20Office%20365%20is%20so%20Vulnerable%20to%20Phishing%20Attacks&url=https%3A%2F%2Fphishprotection.com%2Fblog%2Fone-more-reason-why-office-365-is-so-vulnerable-to-phishing-attacks%2F "Share on X/Twitter") [ ](https://www.facebook.com/sharer/sharer.php?u=https%3A%2F%2Fphishprotection.com%2Fblog%2Fone-more-reason-why-office-365-is-so-vulnerable-to-phishing-attacks%2F "Share on Facebook") [ ](https://reddit.com/submit?url=https%3A%2F%2Fphishprotection.com%2Fblog%2Fone-more-reason-why-office-365-is-so-vulnerable-to-phishing-attacks%2F&title=One%20More%20Reason%20Why%20Office%20365%20is%20so%20Vulnerable%20to%20Phishing%20Attacks "Share on Reddit") [ ](mailto:?subject=One%20More%20Reason%20Why%20Office%20365%20is%20so%20Vulnerable%20to%20Phishing%20Attacks&body=Check out this article: https%3A%2F%2Fphishprotection.com%2Fblog%2Fone-more-reason-why-office-365-is-so-vulnerable-to-phishing-attacks%2F "Share via Email") 

![Phish Protection blog post image](https://media.mailhop.org/phishprotection/images/2020/01/phishing-definition-7773.jpg) 

_Office 365 comes with email security native to the application, but it must not be very good_. How else can you explain the effort hackers put into **exploiting Office 365** users AND the success they’ve had doing it?

According to [CPO Magazine](https://www.cpomagazine.com/cyber-security/microsoft-oauth-apps-the-target-of-cunning-new-phishing-attack/), “A new phishing attack is being used to steal user credentials from Microsoft SharePoint and OneDrive users. _The attack method is reportedly designed to resemble an ordinary Office 365 permissions page \[and\] takes on the appearance of a credible Office 365 Add-In_.”

With this approach, hackers can make requests look completely legitimate, which makes them _almost impossible to detect by users, no matter how well trained they are_. “Using this tactic, the hackers are able to use the official Office 365 login page, login.microsoftonline.com, as the staging ground for their **phishing attack**.” This gets everyone to let their guard down.

Once the add-in receives the requested permissions, “_the hackers will then be able to fully access to the user’s Office 365 account._”

![Phishing definition](https://media.mailhop.org/phishprotection/images/2020/01/phishing-definition-7773.jpg) 

Interestingly, this same type of attack targeted over **one million Google Docs** users back in 2017, but Google’s response was impressive. “The company managed to protect its users and halt the attack within the space of only one hour by effectively locating and removing the accounts responsible.”

How did Microsoft do in this area? “In the case of the attack against Office 365 apps, the response does not appear to have been quite as decisively coordinated as it was in Google’s case.” So, _Office 365 is more vulnerable but Microsoft’s response is worse_.

The worst part of this exploit is that, because of the [email security native](https://docs.microsoft.com/en-us/microsoft-365/security/office-365-security/view-email-security-reports) to Office 365, most users think they’re protected. Nothing could be further from the truth.

If you’re using Office 365 and all you have to protect you is their native email security, you’re a sitting duck. You need additional, third party email security to really protect yourself and your company.

![Phishing prevention](https://media.mailhop.org/phishprotection/images/2020/01/phishing-prevention-7774.jpg) 

Cloud-based [Phish Protection](/) is the perfect complement to Office 355 for email security. _It requires no hardware, no software, no maintenance and requires only **10 minutes to set up**. It works seamlessly with Office 365 or any other email platform_.

Phish Protection includes real-time link click protection, smart quarantine, malicious attachment blocking, display name spoofing protection and domain name spoofing protection. And the best part is, _it costs only pennies per user per month_.

Don’t be fooled into thinking you’re safe with Office 365\. You’re not. Don’t learn the hard way how inexpensive **Phish Protection** insurance would have been for your company. _Get [Phish Protection](/) and sleep well at night_.

## Topics

[ Office 365 ](/tags/office-365/) 

![Brad Slavin](https://media.mailhop.org/phishprotection/images/authors/brad-slavin.jpg) 

[ Brad Slavin ](/authors/brad-slavin/) 

General Manager

Founder and General Manager of DuoCircle. Product strategy and commercial lead across DuoCircle's 2,000+ customer base.

[LinkedIn Profile →](https://www.linkedin.com/in/bradslavin) 

## Protect your inbox from phishing attacks

Real-time email security with 60-day free trial. No credit card required.

[Start Free Trial](https://portal.duocircle.com/cart.php?a=add&pid=101&brand=phishprotection) [View Pricing](/pricing/) 

## Related Articles

[  Intermediate 10m  Comprehensive Email Virus Protection For Office 365 Users  Oct 15, 2025 ](/blog/comprehensive-email-virus-protection-for-office-365-users/)[  Intermediate 4m  Do I Need Third-Party Phishing Protection for Office 365?  Aug 11, 2018 ](/blog/do-i-need-third-party-phishing-protection-for-office-365/)[  Intermediate 4m  The Latest MS Office 365 Phishing Scams To Be Aware Of!  Feb 17, 2021 ](/blog/latest-ms-office-365-phishing-scams-to-be-aware-of/)[  Intermediate 4m  Learn About the Latest Office 365 Phishing Attack Scheme  Dec 15, 2021 ](/blog/latest-office-365-phishing-attack-scheme/)

```json
{"@context":"https://schema.org","@type":"Organization","name":"Phish Protection","url":"https://phishprotection.com","logo":{"@type":"ImageObject","url":"https://phishprotection.com/images/phishprotection-logo.png"},"description":"Advanced phishing protection and email security for businesses. Real-time threat defense, time-of-click protection, and seamless Office 365 integration.","parentOrganization":{"@type":"Organization","@id":"https://www.wikidata.org/wiki/Q138883901","name":"DuoCircle LLC","url":"https://www.duocircle.com","sameAs":["https://www.wikidata.org/wiki/Q138883901","https://www.crunchbase.com/organization/duocircle-llc","https://www.linkedin.com/company/duocircle","https://github.com/duocircle"],"subOrganization":[{"@type":"Organization","@id":"https://www.wikidata.org/wiki/Q138898167","name":"DMARC Report","url":"https://dmarcreport.com"},{"@type":"Organization","@id":"https://www.wikidata.org/wiki/Q138897474","name":"AutoSPF","url":"https://autospf.com"},{"@type":"Organization","@id":"https://www.wikidata.org/wiki/Q138897912","name":"Phish Protection","url":"https://www.phishprotection.com"}]},"sameAs":["https://www.linkedin.com/company/duocircle","https://x.com/duocirclellc","https://www.facebook.com/duocirclellc","https://github.com/duocircle"],"contactPoint":{"@type":"ContactPoint","contactType":"customer support","url":"https://phishprotection.com/contact/"},"knowsAbout":["Phishing Protection","Email Security","Anti-Phishing","Business Email Compromise","Ransomware Protection","Time of Click Protection","Office 365 Email Security","Advanced Threat Defense"]}
```

```json
{"@context":"https://schema.org","@type":"WebSite","name":"Phish Protection","url":"https://phishprotection.com","description":"Advanced phishing protection and email security for businesses. Real-time threat defense, time-of-click protection, and seamless Office 365 integration.","publisher":{"@type":"Organization","name":"Phish Protection","url":"https://phishprotection.com","logo":{"@type":"ImageObject","url":"https://phishprotection.com/images/phishprotection-logo.png"},"description":"Advanced phishing protection and email security for businesses. Real-time threat defense, time-of-click protection, and seamless Office 365 integration.","parentOrganization":{"@type":"Organization","@id":"https://www.wikidata.org/wiki/Q138883901","name":"DuoCircle LLC","url":"https://www.duocircle.com","sameAs":["https://www.wikidata.org/wiki/Q138883901","https://www.crunchbase.com/organization/duocircle-llc","https://www.linkedin.com/company/duocircle","https://github.com/duocircle"],"subOrganization":[{"@type":"Organization","@id":"https://www.wikidata.org/wiki/Q138898167","name":"DMARC Report","url":"https://dmarcreport.com"},{"@type":"Organization","@id":"https://www.wikidata.org/wiki/Q138897474","name":"AutoSPF","url":"https://autospf.com"},{"@type":"Organization","@id":"https://www.wikidata.org/wiki/Q138897912","name":"Phish Protection","url":"https://www.phishprotection.com"}]}}}
```

```json
{"@context":"https://schema.org","@type":"BlogPosting","headline":"One More Reason Why Office 365 is so Vulnerable to Phishing Attacks","description":"One More Reason Why Office 365 is so Vulnerable to Phishing Attacks: Office 365 comes with email security native to the application, but it must not be very.","url":"https://phishprotection.com/blog/one-more-reason-why-office-365-is-so-vulnerable-to-phishing-attacks/","datePublished":"2020-01-29T11:50:42.000Z","dateModified":"2026-04-17T15:43:10.000Z","dateCreated":"2020-01-29T11:50:42.000Z","author":{"@type":"Person","@id":"https://phishprotection.com/authors/brad-slavin/#person","name":"Brad Slavin","url":"https://phishprotection.com/authors/brad-slavin/","jobTitle":"General Manager","description":"Brad Slavin is the founder and General Manager of DuoCircle, the company behind DMARC Report, AutoSPF, Phish Protection, and Mailhop. He founded DuoCircle in 2014 and has led the company's growth to 2,000+ customers across its email security product family. Brad's focus is product strategy, customer relationships, and the commercial and compliance side of email authentication (DPAs, SLAs, enterprise procurement).","image":"https://media.mailhop.org/phishprotection/images/authors/brad-slavin.jpg","knowsAbout":["Email Security Strategy","SaaS Product Management","Enterprise Compliance","Customer Success","Email Deliverability Business"],"worksFor":{"@type":"Organization","name":"Phish Protection","url":"https://phishprotection.com"},"sameAs":["https://www.linkedin.com/in/bradslavin"]},"publisher":{"@type":"Organization","name":"Phish Protection","url":"https://phishprotection.com","logo":{"@type":"ImageObject","url":"https://phishprotection.com/images/phishprotection-logo.png"},"description":"Advanced phishing protection and email security for businesses. Real-time threat defense, time-of-click protection, and seamless Office 365 integration.","parentOrganization":{"@type":"Organization","@id":"https://www.wikidata.org/wiki/Q138883901","name":"DuoCircle LLC","url":"https://www.duocircle.com","sameAs":["https://www.wikidata.org/wiki/Q138883901","https://www.crunchbase.com/organization/duocircle-llc","https://www.linkedin.com/company/duocircle","https://github.com/duocircle"],"subOrganization":[{"@type":"Organization","@id":"https://www.wikidata.org/wiki/Q138898167","name":"DMARC Report","url":"https://dmarcreport.com"},{"@type":"Organization","@id":"https://www.wikidata.org/wiki/Q138897474","name":"AutoSPF","url":"https://autospf.com"},{"@type":"Organization","@id":"https://www.wikidata.org/wiki/Q138897912","name":"Phish Protection","url":"https://www.phishprotection.com"}]},"sameAs":["https://www.linkedin.com/company/duocircle","https://x.com/duocirclellc","https://www.facebook.com/duocirclellc","https://github.com/duocircle"],"contactPoint":{"@type":"ContactPoint","contactType":"customer support","url":"https://phishprotection.com/contact/"},"knowsAbout":["Phishing Protection","Email Security","Anti-Phishing","Business Email Compromise","Ransomware Protection","Time of Click Protection","Office 365 Email Security","Advanced Threat Defense"]},"mainEntityOfPage":{"@type":"WebPage","@id":"https://phishprotection.com/blog/one-more-reason-why-office-365-is-so-vulnerable-to-phishing-attacks/"},"articleSection":"intermediate","keywords":"Office 365","wordCount":442,"image":{"@type":"ImageObject","url":"https://media.mailhop.org/phishprotection/images/2020/01/phishing-definition-7773.jpg","caption":"Phish Protection blog post image","width":1200,"height":630},"speakable":{"@type":"SpeakableSpecification","cssSelector":[".answer-block","h1"]}}
```

```json
{"@context":"https://schema.org","@type":"BreadcrumbList","itemListElement":[{"@type":"ListItem","position":1,"name":"Home","item":"https://phishprotection.com/"},{"@type":"ListItem","position":2,"name":"Blog","item":"https://phishprotection.com/blog/"},{"@type":"ListItem","position":3,"name":"Intermediate","item":"https://phishprotection.com/intermediate/"},{"@type":"ListItem","position":4,"name":"One More Reason Why Office 365 is so Vulnerable to Phishing Attacks","item":"https://phishprotection.com/blog/one-more-reason-why-office-365-is-so-vulnerable-to-phishing-attacks/"}]}
```