Office 365 Phishing Campaign Hides Malicious URLs in SharePoint Files
Published on August 17th, 2018
Researchers have detected a new phishing campaign that mainly targets Office 365 customers to harvest their credentials.
The campaign, dubbed "PhishPoint," reaches victims via emails that contain a link to a SharePoint document and an invitation to collaborate. When the document is opened, however, it contains a malicious URL that harvests end users' credentials.
"PhishPoint marks an evolution in phishing attacks, where hackers go beyond just email and use SharePoint to harvest end-users' credentials for Office 365," said Avanan researchers in a post about the phishing campaign on Tuesday.
Michael Landewe, founder of Avanan, told Threatpost that he first saw a sharp spike in the phishing campaign about three weeks ago: "It has either started using a larger list of pre-compromised accounts, or it has hit a critical mass of compromised accounts," he said. "Or, there is a new group using the method and not as careful as the first group."
So far, the campaign has impacted 10 percent of Avanan's Office 365 customers, and researchers estimate that this percentage "applies to Office 365 globally." Microsoft did not respond to a request for comment from Threatpost on the new campaign.
Avanan researchers, who first discovered the campaign, said that the victim first receives an email containing a link to a SharePoint document. Victims' email addresses were most likely harvested via a previous attack or purchased from other bad actors, Landewe said. The message purports to be a standard SharePoint invitation to collaborate.
After clicking the hyperlink in the email, the victim's browser automatically opens a SharePoint file whose content impersonates a standard access request for a OneDrive file. The page contains an "Access Document" hyperlink which, in reality, is a malicious URL.
The link within the SharePoint file directs the user to a spoofed Office 365 login screen. When the user attempts to log in, their credentials are harvested by the attacker.
"This attack specifically targets Office 365 credentials," Landewe told us. "Once the user entered their credentials, they were redirected to a legitimate Office site where they would be none the wiser. If the new credentials were used, the attackers would upload a file into that person's SharePoint account and send an invite from SharePoint (rather than from the user's account)."
"The crux of this attack is that Microsoft link-scanning only goes one level deep, scanning the links in the email body, but not within files hosted on their other services, such as SharePoint," researchers said in their post.
Office 365 does scan links in email bodies for blacklisted or suspicious domains; however, because the link in the email leads to an actual SharePoint document, Microsoft did not identify it as a threat.
To identify this threat, Microsoft would have to scan links within shared documents for phishing URLs, researchers added: "This presents a clear vulnerability that hackers have taken advantage of to propagate phishing attacks."
Even if Microsoft did scan links within files, there is an additional challenge: the URL of the SharePoint file itself cannot be blacklisted without also blocking legitimate SharePoint links. "If they blacklisted the full URL of the Sharepoint file, the hackers could easily create a new URL by uploading a new file with similar content to SharePoint," researchers explained.
Researchers believe that specific companies are being targeted. "We have seen it in [Fortune] 500 companies in the U.S., as well as small, under-100-person companies in Europe," said Landewe.
Phishing attacks continue to increase and adopt new tactics, and spam is increasing accordingly. A report this week by Kaspersky Lab found that spam email, in particular, remains a top phishing tactic. In the second quarter of 2018, the share of spam peaked in May at 51 percent, while the average share of spam in email traffic worldwide was 50 percent.
To protect themselves, researchers said, companies can follow basic good practices, including being wary of any email subject line that capitalizes buzzwords for workplace stress (like "Urgent" or "Action Required"), and staying suspicious of any URLs that show up in the body
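The two defensive points above, scanning one level deeper than the email body and blocking the final lure host rather than the SharePoint URL, together with the subject-line heuristic, can be illustrated in a small triage script. This is an added example and not code from the article, Avanan or Microsoft. The email, the document text and every hostname in it are constructed placeholders (the "example" TLD is used for the lure), and `fetch_document` is a hypothetical hook that a real deployment would back with a tenant-side document fetch.

```python
import re
from urllib.parse import urlparse

# Hosts that are legitimately allowed to present a Microsoft sign-in page.
TRUSTED_LOGIN_HOSTS = {"login.microsoftonline.com", "login.live.com"}
# Brand words whose presence in a non-Microsoft hostname suggests a login lure.
BRAND_TERMS = ("office", "microsoft", "onedrive", "sharepoint", "o365")
# Subject-line pressure terms, following the article's "Urgent" / "Action Required" advice.
URGENCY_TERMS = ("urgent", "action required", "immediate", "final notice")

URL_RE = re.compile(r"https?://[^\s\"'<>]+")

# Constructed sample message: a collaboration invite linking to a SharePoint document.
SAMPLE_EMAIL = {
    "subject": "URGENT: Action Required - document shared with you",
    "body": "You have a new document. Open it here: "
            "https://contoso-my.sharepoint.com/personal/shared/doc1.docx",
}
# Constructed stand-in for the text of the linked documents. The first one carries the
# "Access Document" lure pointing at a placeholder look-alike host; the second is benign.
SAMPLE_DOCUMENTS = {
    "https://contoso-my.sharepoint.com/personal/shared/doc1.docx":
        "Access Document: https://office365-login.example/signin?redirect=onedrive",
    "https://contoso-my.sharepoint.com/personal/shared/clean.docx":
        "Meeting minutes are at https://www.example.org/minutes",
}


def extract_urls(text: str) -> list[str]:
    """Return every http(s) URL in the text, with trailing punctuation trimmed."""
    return [u.rstrip(".,;:)") for u in URL_RE.findall(text)]


def host_of(url: str) -> str:
    return (urlparse(url).hostname or "").lower()


def is_collab_host(host: str) -> bool:
    """True for SharePoint-hosted content, which is where the one-level scan stops."""
    return host == "sharepoint.com" or host.endswith(".sharepoint.com")


def looks_like_login_lure(url: str) -> bool:
    """Heuristic: a Microsoft-branded or login-looking URL that is not on a trusted host."""
    host = host_of(url)
    if host in TRUSTED_LOGIN_HOSTS or is_collab_host(host):
        return False
    path = urlparse(url).path.lower()
    branded = any(term in host for term in BRAND_TERMS)
    login_like = any(k in path or k in host for k in ("login", "signin"))
    return branded or login_like


def subject_urgency_terms(subject: str) -> list[str]:
    """Return the pressure terms found in the subject line (empty list if none)."""
    lowered = subject.lower()
    return [t for t in URGENCY_TERMS if t in lowered]


def scan_message(email: dict, fetch_document) -> dict:
    """Scan body links, then links inside any SharePoint document the body links to.

    fetch_document(url) -> str | None is a hypothetical hook returning document text.
    The hosts returned under 'block_hosts' are the final lure hosts, not the SharePoint
    URLs, so blocking them does not break legitimate SharePoint sharing.
    """
    first_level = extract_urls(email["body"])
    second_level: list[str] = []
    for url in first_level:
        if is_collab_host(host_of(url)):
            doc_text = fetch_document(url)
            if doc_text:
                second_level.extend(extract_urls(doc_text))
    flagged = [u for u in first_level + second_level if looks_like_login_lure(u)]
    return {
        "first_level": first_level,
        "second_level": second_level,
        "flagged_urls": flagged,
        "block_hosts": sorted({host_of(u) for u in flagged}),
        "urgency_terms": subject_urgency_terms(email["subject"]),
    }


if __name__ == "__main__":
    result = scan_message(SAMPLE_EMAIL, SAMPLE_DOCUMENTS.get)
    for key, value in result.items():
        print(f"{key}: {value}")
```

A first-level-only scanner sees just the `contoso-my.sharepoint.com` URL and passes the message; following one level into the document surfaces the look-alike login host, and that host, not the SharePoint link, is what goes on the block list.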