Phishing campaign targets victims with hacked SharePoint
Cybercriminals avoid email filters by using compromised SharePoint accounts
A dangerous new phishing campaign has been uncovered that uses compromised SharePoint sites and OneNote documents to trick potential victims from the banking sector into visiting the attackers' landing pages.
The cybercriminals behind the campaign have chosen Microsoft's web-based SharePoint collaborative platform to launch their attacks because the domains it uses are often overlooked by secure email gateways and this allows their phishing messages to actually reach users' inboxes.
After compromising a SharePoint account, the attackers use that account to send an email to potential victims asking them to review a legal assessor's proposal via a URL embedded in the message. This new phishing campaign was discovered by researchers at Cofense, who explained why its tactics are so effective in a blog post, saying:
“SharePoint is the initial delivery mechanism to deliver a secondary malicious URL, allowing the threat actor to circumvent just about any email perimeter technology.”
Hiding in plain sight
The URL in the initial message sends users to an attacker-controlled SharePoint site, where a well-made fake OneNote document, deliberately made illegible, asks targets to download the full version using an embedded link. However, this link actually sends bank employees to the attackers' phishing page.
On the phishing page, targets see a web page impersonating the official OneDrive for Business login page with a message above the login form which reads: “This document is secure, please login to view, edit or download. Select an option below to continue”.
From here, users are given the option to log in with an Office 365 account or with an account from any other email provider. This way, if a user is unwilling to give up their Office 365 credentials, the attackers can still get access to another one of their accounts.
Once a victim inputs their login credentials, the credentials are collected automatically by the BlackShop Tools phishing kit used in the campaign, a kit that is available for sale on the dark web.
To prevent falling victim to a phishing attack, it is recommended that you avoid opening emails from unknown contacts and carefully scrutinize the URLs of the websites you visit.
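Because the lure arrives as a link to a legitimate SharePoint domain, one mail-side check is to flag links to SharePoint tenants the organisation does not already work with and route those messages for review. The following is an added example, not code from Cofense or from this article; the `TRUSTED_TENANTS` allow-list, the function names and the sample message are constructed assumptions.

```python
import re
from email import message_from_string
from urllib.parse import urlsplit

# Assumption: SharePoint tenants your organisation already collaborates with.
TRUSTED_TENANTS = {"contoso"}
SUFFIX = ".sharepoint.com"
URL_RE = re.compile(r"https?://[^\s\"'<>]+", re.I)

def sharepoint_tenant(url):
    """Return the tenant label if the URL is hosted on SharePoint Online, else None."""
    host = (urlsplit(url).hostname or "").lower().rstrip(".")
    if not host.endswith(SUFFIX):
        return None
    label = host[: -len(SUFFIX)].split(".")[-1]
    # OneDrive for Business personal sites use "<tenant>-my.sharepoint.com".
    return label[:-3] if label.endswith("-my") else label

def external_sharepoint_links(raw_message, trusted=TRUSTED_TENANTS):
    """List links in a message that point at SharePoint tenants outside the allow-list."""
    msg = message_from_string(raw_message)
    hits = []
    for part in msg.walk():
        if part.get_content_maintype() != "text":
            continue
        payload = part.get_payload(decode=True) or b""
        text = payload.decode(part.get_content_charset() or "utf-8", "replace")
        for url in URL_RE.findall(text):
            tenant = sharepoint_tenant(url)
            if tenant and tenant not in trusted and url not in hits:
                hits.append(url)
    return hits

# Constructed sample message (not taken from the campaign).
SAMPLE = """\
From: partner@legal-firm.example
To: analyst@bank.example
Subject: Proposal for review
Content-Type: text/plain; charset=utf-8

Please review the proposal:
https://examplelegal-my.sharepoint.com/:o:/g/personal/doc
Our shared site: https://contoso.sharepoint.com/sites/projects
"""

if __name__ == "__main__":
    for link in external_sharepoint_links(SAMPLE):
        print("review:", link)
```

A hit is a triage signal rather than a verdict: a compromised tenant that is already on the allow-list will not be flagged by this check.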
After working with the TechRadar Pro team for the last several years, Anthony is now the security and networking editor at Tom’s Guide where he covers everything from data breaches and ransomware gangs to the best way to cover your whole home or business with Wi-Fi. When not writing, you can find him tinkering with PCs and game consoles, managing cables and upgrading his smart home.