New phishing campaign uses compromised SharePoint sites to bypass secure email gateways

• This phishing campaign uses SharePoint sites to target baking users’ with phishing URLs in order to harvest their login credentials.
• Researchers also identified a phishing exploit kit in this campaign, which is part of a series of “hacking tools” built and sold by BlackShop Tools.

What’s the matter?

Researchers from Cofense spotted a new phishing campaign that uses SharePoint sites to bypass secure email gateways and target banks with phishing URLs.

“Using enterprise services like SharePoint almost guarantees the phishing URL will be delivered to the intended target,” researchers said.

How does this campaign work?

Phishing emails disguised as proposal documents are sent to the banking targets from a compromised account.

• The emails include an embedded URL and urges the recipients to review the proposal document by clicking on the URL.
• Upon clicking on the malicious URL, the recipients are redirected to a compromised SharePoint site.
• The compromised SharePoint site serves a malicious OneNote document and prompts the victims to download it by clicking on another embedded URL.
• This URL redirects the victims to the actual phishing page, which is a fake OneDrive for Business login portal.
• Victims are given options to either log in with O365 login credentials or credentials from any other email provider.
• Upon login, the credentials are harvested and sent to the attackers’ email.

“The phishing page is a cheap imitation of the OneDrive for Business login portal. There the recipient is given two options to authenticate: with O365 login credentials or credentials from any other email provider. We see this tactic quite often, as it increases the chances that the recipient will log in,” researchers described.

Worth noting

Cofense researchers also identified a phishing exploit kit in this campaign. The exploit kit is part of a series of “hacking tools” built and sold by BlackShop Tools.