Cyber attackers are slipping through the net of email filters under the guise of SharePoint user accounts they’ve compromised.
A new and dangerous phishing threat has recently been revealed that uses hacked Microsoft sites and documents in SharePoint and OneNote to hoodwink would-be victims in the banking industry into visiting landing pages set up by cybercriminals.
Targets acquired by cyberattacks
The criminal minds behind the cunning campaign have selected Microsoft’s online SharePoint platform as their target for a specific reason. The collaborative software uses domains that secure email gateways are known to overlook, which allows attackers to get phishing messages into users’ inboxes undetected. After a SharePoint account has been compromised, the cybercriminals use it to send emails to their intended victims. The emails take the form of a request to the recipient to read a proposal from a legal assessor through a URL embedded in the message.
Phishing threats uncovered
This latest phishing strategy was found by researchers at security specialist service Cofense. In a recent blog post, they commented on why phishing tactics prove so effective. They cite the sheer volume of attacks, which include one trillion emails sent to victims each year, often using an imitation of a DocuSign document to trick users into giving up private and secure details.
Cofense commented on the weakness of SharePoint regarding secure email gateways:
“SharePoint is the initial delivery mechanism to deliver a secondary malicious URL, allowing the threat actor to circumvent just about any email perimeter technology.”
The URL embedded in the message directs users to a cybercriminal-controlled site in SharePoint. Once there, they discover a fake but highly plausible OneNote document, designed to be difficult to read in order to further confuse the victim, which asks them to download the complete version instead by using the embedded link supplied. Once used, however, this link actually directs bank personnel to an attacker-controlled phishing page.
Once there, intended victims view a page imitating the official OneDrive for Business login page. Above the sign-in form, they’ll see a disclaimer that states the document is secure and invites them to log in to edit, download or view it. If the target logs in, their credentials are instantly collected by the cybercriminals.
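The two stages described above can each be checked for on the defensive side. The following is an added example, not code from Cofense or from this article: it flags SharePoint links that point at tenants outside a known-partner list, and sign-in pages that present as OneDrive but are not served from a Microsoft login host. The tenant allowlist, the login-host list, the keyword heuristic and all sample data are assumptions made for illustration.

```python
import re
from urllib.parse import urlsplit

# Assumptions: tenants this organisation really collaborates with, and the
# hosts on which a genuine Microsoft sign-in form is expected to appear.
TRUSTED_TENANTS = {"contoso", "fabrikam"}
MS_LOGIN_HOSTS = {"login.microsoftonline.com", "login.live.com"}

URL_RE = re.compile(r"https?://[^\s\"'<>]+", re.IGNORECASE)
# Matches tenant.sharepoint.com and tenant-my.sharepoint.com only; anchoring
# rejects lookalikes such as contoso.sharepoint.com.evil.example.
SP_HOST_RE = re.compile(r"^([a-z0-9-]+?)(-my)?\.sharepoint\.com$")

def sharepoint_tenant(url):
    """Return the tenant name for a *.sharepoint.com URL, else None."""
    host = (urlsplit(url).hostname or "").lower()
    match = SP_HOST_RE.match(host)
    return match.group(1) if match else None

def untrusted_sharepoint_links(body):
    """Stage 1: SharePoint links in a mail body that point at unknown tenants."""
    hits = []
    for raw in URL_RE.findall(body):
        url = raw.rstrip(".,;:)")  # drop sentence punctuation glued to the URL
        tenant = sharepoint_tenant(url)
        if tenant is not None and tenant not in TRUSTED_TENANTS:
            hits.append((tenant, url))
    return hits

def is_fake_ms_login(page_url, page_text):
    """Stage 2: page claims to be a OneDrive sign-in but is hosted elsewhere."""
    host = (urlsplit(page_url).hostname or "").lower()
    text = page_text.lower()
    claims_onedrive = "onedrive" in text
    asks_password = "password" in text
    return claims_onedrive and asks_password and host not in MS_LOGIN_HOSTS

# Constructed sample data, not taken from the campaign.
SAMPLE_MAIL = (
    "Please review the proposal from our legal assessor: "
    "https://unknownfirm-my.sharepoint.com/personal/j_doe/Documents/proposal.one. "
    "Our shared workspace is https://contoso.sharepoint.com/sites/deals"
)
SAMPLE_PAGE = ("https://files.portal.example/signin",
               "OneDrive for Business - enter your email and password to view")

if __name__ == "__main__":
    print(untrusted_sharepoint_links(SAMPLE_MAIL))
    print(is_fake_ms_login(*SAMPLE_PAGE))
```

A hit from the first check is a reason to hold the message for review rather than proof of compromise, since legitimate partners outside the allowlist also share files this way.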
If your company currently uses Software as a Service (SaaS) products from Microsoft like Office 365 or its collaborative platforms such as SharePoint, we can help keep you secure. At WM Reply, our expertise lies in using Microsoft technology to solve your business problems. We develop agile and bespoke solutions to benefit your business and ensure your intranet is running effectively and safely. To stay at the forefront of your industry, you’ll need all your people working together at the top of their game with the latest technology to carry out your task. To find out how we can help your business, contact our team today for advice and assistance.