In a recent tweet, Microsoft’s security intelligence researchers revealed that attackers used spoofed sender addresses and Microsoft SharePoint files as bait in a phishing campaign aimed at stealing victims’ credentials. The campaign targeted organizations that use Microsoft Office 365 by abusing SharePoint’s file-sharing notifications. Because it spoofed the sender address to match the targeted username and also impersonated a legitimate service, the campaign was more subtle than usual and attempted to bypass email filters, the researchers said.
The attackers sent emails that used SharePoint file-sharing notifications as decoys, the researchers said. The campaign uses a variety of themes as bait and is widespread.
The email told recipients that someone, presented as a colleague they may have missed, had requested to share a file with them, and the linked file led to a phishing page. To make the email appear more authentic, the shared document was said to contain legitimate-looking business content such as staff reports, bonuses or price lists, the researchers noted.
If a user takes the bait, they are directed to a phishing page that asks them to log in to Office 365 with their legitimate credentials, Microsoft said.
Given its widespread use among many enterprise and commercial customers, the SharePoint collaboration platform is now a popular target for threat actors.
Dora Tudor, a cybersecurity researcher at Heimdal Security, points out that leveraging SharePoint’s file-sharing capabilities in particular, combined with a bit of spoofing, is now a particularly effective way to steal victims’ credentials.
“When it comes to email scams, you might think that if you receive an email from a trusted entity, you can trust it to be safe, but unfortunately, any link present in the email could end up infecting you with malware.”
While this latest attack is generally stealthy, there are some signs that something is not right, according to Microsoft.
They noted on Twitter that the original sender’s address contained a variation of the word “referral” and used various top-level domains, including the com[.]com domain, which is commonly seen in phishing campaigns.
Other clues to the campaign were found in URLs it used that directed potential victims to phishing pages and then tricked them into entering credentials, the researchers said.
The attackers mainly used two URLs with malformed HTTP headers, they said. The main phishing URL was a page stored on Google’s servers that pointed to an AppSpot domain; that domain required users to sign in before serving an Office 365 phishing page hosted on another Google content domain.
The second URL used in the activity was found in the notification settings. According to Microsoft, the URL pointed to a compromised SharePoint site that attackers could use to increase the legitimacy of their attacks. Both URLs require potential victims to log in to the final page, the researchers said.
The researchers published a hunting query on GitHub that can be run in Microsoft 365 Defender to flag emails from the campaign. The emails may have successfully bypassed other cybersecurity tools, they said.
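As an added example (not Microsoft’s GitHub query and not code from the original post), the following Python triage script applies the indicators described above to constructed sample email records: a sender address containing a variation of “referral”, a sender domain under com[.]com, a sender local part that matches the recipient’s own username, and a link hosted on an AppSpot (`appspot.com`) domain. All addresses, hosts and subjects in the sample data are made up.

```python
import re
from dataclasses import dataclass
from urllib.parse import urlparse

# Heuristics derived from the indicators reported for this campaign.
REFERRAL_RE = re.compile(r"ref+er+al", re.IGNORECASE)       # "referral" and common misspellings
APPSPOT_RE = re.compile(r"(^|\.)appspot\.com$", re.IGNORECASE)  # AppSpot-hosted link


@dataclass
class EmailEvent:
    sender: str
    recipient: str
    subject: str
    urls: list


def sender_indicators(ev: EmailEvent) -> list:
    """Return the sender-address indicators that match this event."""
    hits = []
    local, _, domain = ev.sender.lower().rpartition("@")
    if REFERRAL_RE.search(ev.sender):
        hits.append("referral-variant sender")
    # Match the com[.]com domain itself or a subdomain of it, not e.g. telecom.com.
    if domain == "com.com" or domain.endswith(".com.com"):
        hits.append("com[.]com sender domain")
    # The campaign spoofed the sender to match the targeted username.
    if local and local == ev.recipient.lower().split("@")[0]:
        hits.append("sender spoofs recipient name")
    return hits


def url_indicators(ev: EmailEvent) -> list:
    """Return links in the message that point at an AppSpot host."""
    hits = []
    for url in ev.urls:
        host = (urlparse(url).hostname or "").lower()
        if APPSPOT_RE.search(host):
            hits.append(f"appspot-hosted link: {host}")
    return hits


def triage(events: list) -> list:
    """Pair each event's sender with every indicator it triggered."""
    return [(ev.sender, sender_indicators(ev) + url_indicators(ev)) for ev in events]


# Constructed sample records: one lure matching the campaign, one benign notice.
SAMPLE_EVENTS = [
    EmailEvent("j.doe@referrals-share.com.com", "j.doe@example.org",
               "j.doe shared a file with you", ["https://example-share.appspot.com/login"]),
    EmailEvent("it-helpdesk@example.org", "j.doe@example.org",
               "Monthly report", ["https://example.org/report"]),
]
```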