A new and highly effective phishing campaign has recently been discovered which uses compromised Microsoft SharePoint sites and OneNote documents to fool its victims.
Targeting primarily employees of the financial and banking sector, the campaign is operating with remarkable (though unfortunate) success.
Hackers have chosen to use Microsoft’s collaborative platform as a base for their attacks because secure mail gateways often look past the domains it uses. This means significantly more messages are reaching the targets’ inboxes.
The campaign, first documented by researchers at Cofense, uses fake landing pages to steal login credentials from its victims.
How it works
The campaign sends phishing emails from a hacked SharePoint account, one belonging to Independent Legal Assessors, a (legitimate) legal services firm based in London.
The email asks the potential victim to review a proposal document, found by clicking a URL within the email.
Clicking the link redirects the target to a compromised SharePoint account housing a fake and illegible OneNote document. Here they are asked to download the complete document via an embedded link. This leads them to the landing page, a fake OneDrive for Business login page, with a message saying “This document is secure, please login to view, edit, or download. Select an option below to continue.”
The page offers two methods of authentication, Office 365 credentials or a username and password from another email provider. This is a clever touch as it drastically increases the chances of getting some form of login info from the victim, even if they don’t have or don’t want to use Microsoft credentials.
Should the target input their credentials, the phishing kit (sold to the hacker by BlackShop Tools) collects the information and delivers it to another hacked email account.
Why has it been so effective?
By using SharePoint as the first delivery mechanism, the attackers can serve the secondary malicious URL from a SharePoint page rather than placing it in the email itself. This lets them avoid almost all email filtering technology: most secure email gateways treat the domains used by SharePoint as trusted and skip scanning them, a convenience feature that has now become a security flaw.
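The two halves of the campaign described above (a trusted SharePoint first hop, then an embedded link to a credential-harvesting page on another host) can be checked by a gateway that refuses to grant trust on the basis of the first hop alone. The script below is an added example and is not code from the article or from Cofense. It stands in for page fetching with a constructed dictionary of URL -> HTML, and every hostname in it (compromised-tenant.sharepoint.com, drop.example.net, contoso.sharepoint.com) is a placeholder rather than infrastructure named on the page. It puts the weak policy (allow anything on a SharePoint domain) beside a hardened one that walks the link chain and flags a password form on a non-Microsoft login host, noting Microsoft branding and where the form posts to.

```python
"""Added example: link-chain checking that does not trust a SharePoint first hop."""
import re
from urllib.parse import urlparse

# Constructed stand-in for fetching pages: URL -> HTML body.
# All hosts are placeholders; none are the campaign's real infrastructure.
PAGES = {
    # Hop 1: a page on a legitimate SharePoint tenant, mimicking the "illegible
    # OneNote" with a "download the full document" link pointing off-platform.
    "https://compromised-tenant.sharepoint.com/sites/legal/Proposal.one": """
        <html><body><p>Preview unavailable.</p>
        <a href="https://drop.example.net/onedrive/index.html">Download full document</a>
        </body></html>""",
    # Hop 2: the fake OneDrive for Business login page offering two options.
    "https://drop.example.net/onedrive/index.html": """
        <html><body><h1>OneDrive for Business</h1>
        <p>This document is secure, please login to view, edit, or download.</p>
        <form action="https://drop.example.net/o365.php" method="post">
          <input name="email"><input type="password" name="pass"></form>
        <form action="https://drop.example.net/other.php" method="post">
          <input name="user"><input type="password" name="pass2"></form>
        </body></html>""",
    # A benign SharePoint page whose only outbound link stays on the tenant.
    "https://contoso.sharepoint.com/sites/hr/Benefits.aspx": """
        <html><body><p>Benefits guide</p>
        <a href="https://contoso.sharepoint.com/sites/hr/Benefits.pdf">PDF</a></body></html>""",
    "https://contoso.sharepoint.com/sites/hr/Benefits.pdf": "%PDF-1.4 (binary omitted)",
}

# Hosts on which a Microsoft credential prompt is legitimately expected.
MICROSOFT_LOGIN_HOSTS = {"login.microsoftonline.com", "login.live.com", "login.microsoft.com"}

HREF_RE = re.compile(r'href=["\']([^"\']+)["\']', re.I)
FORM_ACTION_RE = re.compile(r'<form[^>]*action=["\']([^"\']+)["\']', re.I)
PASSWORD_RE = re.compile(r'<input[^>]*type=["\']password["\']', re.I)
BRAND_RE = re.compile(r'onedrive|office\s*365|sharepoint', re.I)


def host_of(url):
    return (urlparse(url).hostname or "").lower()


def weak_verdict(url):
    """The gateway behaviour the article describes: a SharePoint domain is
    waved through without looking at what the page links to."""
    return "allow" if host_of(url).endswith(".sharepoint.com") else "scan"


def hardened_verdict(url, fetch=PAGES.get, max_hops=3):
    """Breadth-first walk of the link chain starting at the emailed URL.
    Returns (verdict, url, reason). A SharePoint first hop earns no trust;
    the decision rests on whether a credential prompt appears off-platform."""
    seen, queue = set(), [(url, 0)]
    while queue:
        current, depth = queue.pop(0)
        if current in seen or depth > max_hops:
            continue
        seen.add(current)
        body = fetch(current) or ""
        host = host_of(current)
        if PASSWORD_RE.search(body) and host not in MICROSOFT_LOGIN_HOSTS:
            # Where the harvested credentials would be posted to.
            sinks = sorted({host_of(a) for a in FORM_ACTION_RE.findall(body)})
            reason = f"password form on non-Microsoft host {host}, posting to {sinks}"
            if BRAND_RE.search(body):
                reason += " with Microsoft branding"
                return ("block", current, reason)
            return ("review", current, reason)  # unbranded login page: human triage
        for link in HREF_RE.findall(body):
            queue.append((link, depth + 1))
    return ("allow", url, f"no credential prompt found within {max_hops} hops")


def scan_email(body):
    """Apply the hardened policy to every link in an email body."""
    return [hardened_verdict(link) for link in HREF_RE.findall(body)]


# Constructed lure text modelled on the article's description.
SAMPLE_EMAIL = ('<p>Please review the attached proposal:</p><a href='
                '"https://compromised-tenant.sharepoint.com/sites/legal/Proposal.one">View</a>')

if __name__ == "__main__":
    lure = "https://compromised-tenant.sharepoint.com/sites/legal/Proposal.one"
    print("weak policy:    ", weak_verdict(lure))
    print("hardened policy:", hardened_verdict(lure))
    print("benign page:    ", hardened_verdict("https://contoso.sharepoint.com/sites/hr/Benefits.aspx"))
```

The weak policy returns "allow" for the lure because the emailed link really is on sharepoint.com; the hardened walk reaches the second hop and blocks it, and the benign SharePoint page that never leaves the tenant is still allowed, so the check does not amount to blocking SharePoint outright.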
How to avoid it?
As with all phishing attacks, user engagement and security awareness prove to be the most important areas for improvement.
By using simulated phishing and security awareness training, organisations are far better equipped to deal with these attacks. There will always be instances of phishing emails getting past the hardware defences, but a well-trained and vigilant employee is much less likely to fall for a falsified email.