Schooling A Sea of Phish Part 2: Enhanced Anti-spoofing technology in Office 365

If we are using "PhishPoint" as a generic term to refer to that infernal combination of breached EXO mailboxes and OneDrive SPO pages then yes, we see a lot of that. ATP misses a number of them during the EXO screening, and remediation does not detect all of those that get through and are tested later. The false negative rate fluctuates by week, and some are better than others. I should stress that the content hosted in a typical compromised SPO page is not itself malign but merely encourages the recipient to click on a link leading on to the phishing site hosted elsewhere. SPO site pages are far less of a problem, and I cannot recollect the last time I saw a bad one.

@Rishank - we use a simple EOP rule to catch OneDrive links:

... and Includes these patterns in the message subject or body: 'http\S*-myfiles\.sharepoint\.com' or 'http\S*-my\.sharepoint\.com

This omits tenancy site URLs. A second rule is required to go after links in attachments, and of course not all attachment types are traversable. An exception is needed if the recipient organisation uses OneDrive itself.

The predicate is easy; the trickier question is what action to take. Rejection is only an option for organisations that prohibit their recipients from using other tenancies' storage. Regrettably EOP does not have a stripping action, and no system administrator is praised for creating additional administrative work. A pre-pended disclaimer is therefore possibly the best action, though familiarity with such warnings will often lead to recipient fatigue.