New phishing campaign using SharePoint as bait to steal Office 365 credentials

News by Jay Jay

Cyber-criminals are targeting users of Office 365 in a phishing campaign that relies on innocent-looking URL links to trick even security-savvy users into clicking.

Attackers using Office 365 features to phish victims (Pic: Erlon Silva/TRI Digital/Getty Images)

While it is certainly not the first attempt by cyber-criminals to hijack credentials of Office 365 users, security researchers have observed a new phishing campaign that involves hackers tricking employees into sharing their Office 365 credentials by inviting them to collaborate in SharePoint.

According to researchers at Kaspersky Lab, the phishing campaign has been going on since at least last summer and may have targeted at least 10 percent of employees at organisations that use the Microsoft Office 365 service.

Cyber-criminals behind the phishing campaign are sending emails to Office 365 users and requesting them to collaborate in SharePoint, a popular web-based collaborative platform that integrates with Microsoft Office. The emails do contain links that point to documents in OneDrive for Business, but in fact, redirect Office 365 users to a phishing site that masquerades as the Microsoft Office 365 login page.

According to the researchers, those behind the phishing campaign have been taking advantage of the fact that the trust factor within corporate workspaces is greater than the trust given to external sources, making employees more likely to click on web links and download shared documents.

Once the victim has entered their Office 365 login credentials on the phishing website, the credentials are stolen by criminals who may use them to gain access to email accounts and accounts on cloud platforms, and may also access confidential enterprise and customer data. They may also use employee names and project information to carry out spear-phishing attacks.

While the loss of employee credentials and enterprise data to elaborate phishing campaigns may seriously hurt businesses, what's even more worrying for organisations is that such phishing emails are not flagged by email filters as links contained in them point to a document in a trusted workspace.

According to Kaspersky Lab, the best way to guard against such phishing attacks is to educate employees about such tricks employed by cyber-criminals, to ask them to regard emails from unknown sources with suspicion and to deploy endpoint solutions in every employee workstation.

"These types of attacks are very common and have been occurring for years. Once an attacker finds out that one employee is using Office 365 it is easy to assume the entire company is using Office 365 and with a very simple algorithm you could easily create an entire company target list to try and abuse," said Joseph Carson, chief security scientist at Thycotic.

Carson told SC: "Stealing credentials is one of the top ways for cyber-criminals to gain access to organisations networks to steal sensitive data, email access continues to be a main target as it is one foot in the door and allows the attacker to discover what services and what security is in place that attempts to prevent them, which in turn, allows them to find ways to bypass security."

He added: "Most email filters will capture poorly constructed email phishing scams but many are still getting through so it is important to not rely solely on email filtering to keep cyber-criminals out of your organisations email and sensitive data."

To defend against such attacks, he recommends that businesses adopt a balanced approach between both strong technology and employee training. Such an approach should include implementing a strong privileged access management solution, ensuring email distribution lists are not accessible from external sources, alerting employees when emails do come from external sources and empowering employees to speak and report when they identify suspicious activity.

Crane Hassold, senior director of threat research at Agari, told SC that the tactic employed by cyber-criminals to carry out this phishing campaign is similar to the frequently-employed "docuphish" technique where links to a phishing page are hidden inside of a benign-looking PDF document.

"In both cases, threat actors are looking to bypass security filters that scan the content of inbound emails for malicious links. One of the biggest dangers of these SharePoint phish is, because they actually lead to a real SharePoint document, the URLs look completely legitimate even when you hover over the link, which is a core principle taught to employees through security awareness training," Hassold said.

He added: "Additionally, since a legitimate SharePoint URL will likely be trusted by most filters, there are generally not going to be any red flags in the original email when it's screened on its way to an inbox. It's not until you analyse the SharePoint document that you are able to identify malicious artifacts, namely the phishing site URL.

"This is similar to the reason some phishers embed shortened URLs within a phishing email rather than a link directly to a phishing site. On its face, a shortened URL is benign, but the ultimate landing page is malicious. In order to defend against these types of attacks, solutions that look beyond simple content analysis or those that also analyse the content of an initial link's final destination would be most effective."

Find this article useful?

Get more great articles like this in your inbox every lunchtime

Video and interviews