Phishing campaign uses SharePoint to bypass Symantec email gateway

News by Rene Millman

Highly targeted phishing campaign discovered bypassing a Symantec email gateway using documents shared via SharePoint to target the victims in the banking industry.

A highly targeted phishing campaign was recently discovered while bypassing a Symantec email gateway using documents shared via SharePoint to target the victims in the banking industry.
SharePoint is cloud-based file synchronisation and storage service developed by Microsoft. According to a blog post by researchers at Cofense, using enterprise services like SharePoint almost guarantees the phishing URL will be delivered to the intended target.
Researchers said that the phishing emails are  sent from a compromised account asking the recipient to review a proposal document by clicking on an embedded URL. This URL has been wrapped by Symantec’s Click-time URL Protection and redirects the recipient to a compromised SharePoint account. 
"SharePoint is the initial delivery mechanism to deliver a secondary malicious URL, allowing the threat actor to circumvent just about any email perimeter technology," said researchers.
Then, the URL in the email body delivers the recipient to a compromised SharePoint site where a malicious OneNote document is served. The document is illegible and invites the recipient to download it by clicking on yet another embedded URL leading to the main credential phishing page, according to researchers.
The victim then sees a fake web page impersonating the OneDrive for Business login portal. There the recipient is given two options to authenticate: with O365 login credentials or credentials from any other email provider. 
"We see this tactic quite often, as it increases the chances that the recipient will log in," said researchers.
When files are downloaded from the compromised server, the credentials from the phishing form are posted by login.php. Login.php posts the harvested credentials via email to [@]gmail[.]com, which researchers assume is another compromised email account.
Other files from the compromised server give clues to the attack’s origins. A readme file instructs the operator on how to configure and install the phishing page onto a compromised webserver. Researchers identified that the phishing exploit kit is part of a series of "hacking tools" built and sold by BlackShop Tools.
Stuart Sharp, VP of solution engineering at OneLogin told SC Media UK that these attacks are just another example of the creativity of malicious actors. "Attackers know that a significant number of organisations are not taking a strong enough stance when it comes to access security. Once they have a set of valid credentials, it is easy to compromise corporate applications, particularly SaaS Apps including HR Systems, File Storage Services and CRMs," he said.
Javvad Malik, security awareness advocate at KnowBe4, told SC Media UK that the use of Sharepoint and other cloud services to host and evade security controls continues to rise. 
"As criminals get more wary of what works and what doesn't, phishing techniques continue to evolve to evade technical defences. This is why it is vitally important that enterprises train their employees to be able to spot phishing emails, so that when these mails do bypass mail filters, the users are another line of defence," he said.
"But it's not enough for users just to be able to spot suspicious emails, there needs to be a mechanism through which they can report them so that security teams can investigate further, and where there is a threat identified, ensure that no other instances are making it through to unsuspecting users."

Find this article useful?

Get more great articles like this in your inbox every lunchtime

Video and interviews