Security researchers have discovered a new phishing campaign that uses compromised SharePoint sites and OneNote documents to trick potential victims in the banking sector into visiting the attackers' landing pages.
The cybercriminals behind the campaign have chosen Microsoft’s web-based SharePoint collaborative platform to launch their attacks because the domains it uses are often overlooked by secure email gateways and this allows their phishing messages to actually reach users’ inboxes.
After compromising a SharePoint account, the attackers use that account to send an email to potential victims asking them to review a legal assessor's proposal via a URL embedded in the message. This new phishing campaign was discovered by researchers at Cofense, who explained why its tactics are so effective in a blog post, saying:
“SharePoint is the initial delivery mechanism to deliver a secondary malicious URL, allowing the threat actor to circumvent just about any email perimeter technology.”
Hiding in plain sight
The URL in the initial message sends users to an attacker-controlled SharePoint site, where a well-made fake OneNote document, deliberately made illegible, asks the targets to download the full version using an embedded link. However, this link actually sends bank employees to the attacker’s phishing page.
On the phishing page, targets see a web page impersonating the official OneDrive for Business login page with a message above the login form which reads: “This document is secure, please login to view, edit or download. Select an option below to continue”.
From here, users are given the option to log in with an Office 365 account or with their account from any other email provider. This way, if a user is unwilling to give up their Office 365 credentials, the attackers will still get access to another one of their accounts.
Once a victim inputs their login credentials, they are collected automatically by the BlackShop Tools phishing kit, which is used in the campaign and is available for sale on the dark web.
To prevent falling victim to a phishing attack, it is recommended that you avoid opening emails from unknown contacts and carefully scrutinize the URLs of the websites you visit.