A newly discovered phishing campaign aims to slip past perimeter security tools by using SharePoint to send malicious documents to victims primarily in the UK financial services sector.
Researchers with Cofense who disclosed the attack say the initial email comes from a compromised account belonging to Independent Legal Assessors, a legitimate legal services firm based in London. Recipients are asked to review a proposal document by clicking a URL embedded in the email, which redirects them to a compromised SharePoint account.
SharePoint serves as the initial mechanism to deliver a second malicious URL. Victims who access the compromised SharePoint site will see a malicious OneNote document, which they are prompted to download. This secondary step takes them to the main credential phishing page, which is "a cheap imitation" of the OneDrive for Business portal, researchers explain. Victims have two options to authenticate: either by using Office 365 credentials or a username and password for another email provider. The second increases the chance someone will log in.
Many automated defensive tools only go one layer deep, explains Cofense CTO Aaron Higbee. Because the first embedded URL comes from SharePoint and the email doesn't contain malware, it's not flagged as a threat. In Cofense's example, attackers wrapped the URL with Symantec Click-time URL Protection, but this tactic can be used to bypass many perimeter tools.
"A few years ago, we would've found it, but now the attackers use one layer to link you to another website," Higbee says. Most of the attackers' emails contain typically office communications. Some discuss legal summons or issues; others relate to billing and invoices.
phishing campaign sharepoint defenses
