A novel phishing scam relying on legitimate servers from Microsoft’s collaborative platform SharePoint has been targeting at least 1600 individuals across Europe, the US and other countries using a native notification mechanism.
Kaspersky security researchers described the findings in a new advisory published earlier today, adding cyber-criminals used the scam to steal the credentials for various email accounts, including Yahoo!, AOL, Outlook, Office 365 and others.
“The employee receives a standard notification about someone sharing a file,” wrote Kaspersky spam analysis expert Roman Dedenok. “This is unlikely to arouse suspicion [...] because it’s a real notification.”
Upon clicking on the link, victims are directed to a genuine SharePoint server hosting a OneNote file that includes another link: this one a malicious one.
“This link, in turn, opens a standard phishing site that mimics the OneDrive login page, which readily steals credentials for Yahoo!, AOL, Outlook, Office 365 or another email service,” Dedenok wrote.
According to Kaspersky, this is not the first time threat actors have used SharePoint-based phishing. However, the attack methodology is new as it hides the phishing link on a SharePoint server to then distribute it via the platform’s notification feature.
“This is possible because, thanks to Microsoft developers, SharePoint has a feature that allows you to share a file that’s on a corporate SharePoint site with external participants who don’t have direct access to the server,” explained Dedenok.
“All the attackers have to do is gain access to someone’s SharePoint server [...] That done, they upload the file with the link and add a list of emails to share it with. SharePoint itself helpfully notifies the email owners.”
To protect against this phishing campaign, Kaspersky recommends system defenders hold regular security awareness training for employees.
The phishing scam discovered by the company comes weeks after Menlo Security researchers shed light on a threat actor using OneNote to deliver malware.