Phishers behind a new campaign have switched to using compromised SharePoint sites and OneNote documents to redirect potential victims from the banking sector to their landing pages.
The attackers take advantage of the fact that the domains used by Microsoft’s SharePoint web-based collaborative platform are almost always overlooked by secure email gateways, which allows their phishing messages to regularly reach their targets’ inboxes.
The emails sent as part of this new phishing campaign are delivered from compromised accounts and ask the targets to review a legal assessor’s proposal via a URL embedded in the message, as Cofense Cyber Incident Response researchers discovered.
Phishing email sample
“SharePoint is the initial delivery mechanism to deliver a secondary malicious URL, allowing the threat actor to circumvent just about any email perimeter technology,” found Cofense.
This URL leads to an attacker-controlled SharePoint site, created with a hacked account, that hosts a maliciously crafted OneNote document. The document is designed to be illegible and asks the targets to download the full version via an embedded link, which actually sends the bank employees to the phishing page.
Once the targets reach the phishing landing page, they see a web page impersonating the OneDrive for Business login page, with a message displayed above the login form saying: “This document is secure, please login to view, edit, or download. Select an option below to continue.”
Malicious OneNote document
The options offered are either to log in with an Office 365 account or with an account from any other email provider, a popular phishing technique designed to harvest any type of credential if the target does not have, or does not want to use, a Microsoft account.
After the victim enters the credentials, they are automatically collected by the phishing kit used by this campaign’s operators, which is sold by BlackShop Tools, and the information is subsequently delivered to what looks like yet another hacked email account.
Indicators of compromise (IOCs) for this phishing campaign, including IP addresses, URLs, and email accounts used by the attackers, are available at the end of the Cofense report.
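One defender-side check the report implies, as an added example that is not part of the original article or of Cofense’s report: a small Python filter that extracts URLs from an inbound message and flags any *.sharepoint.com link whose tenant is not one the organization owns, i.e. exactly the links a gateway that trusts SharePoint wholesale would wave through. The sample message, tenant names and addresses are constructed placeholders.

```python
import re
from email import message_from_string
from urllib.parse import urlparse

# Constructed sample: an inbound mail carrying a SharePoint link, as in the campaign.
SAMPLE_EMAIL = """From: finance@example-partner.invalid
To: teller@example-bank.invalid
Subject: Legal assessor proposal for review
Content-Type: text/plain

Please review the proposal here:
https://contoso-hacked.sharepoint.com/:o:/g/personal/user/Proposal.one
Thanks
"""

# SharePoint tenants the organization actually owns (assumed placeholder name).
OWN_TENANTS = {"example-bank"}

URL_RE = re.compile(r"https?://[^\s<>\"']+")


def sharepoint_tenant(url: str):
    """Return the tenant name for a *.sharepoint.com URL, or None otherwise."""
    host = (urlparse(url).hostname or "").lower()
    if not host.endswith(".sharepoint.com"):
        return None
    tenant = host[: -len(".sharepoint.com")]
    return re.sub(r"-my$", "", tenant)  # OneDrive hosts use a "-my" suffix


def flag_external_sharepoint_links(raw_email: str, own_tenants=OWN_TENANTS):
    """Return (tenant, url) pairs for SharePoint links outside our own tenants.

    A foreign tenant on an inbound mail is the pattern this campaign relies on,
    so it is worth a closer look (or a sandbox detonation) before anyone clicks.
    """
    msg = message_from_string(raw_email)
    payload = msg.get_payload(decode=True)
    body = payload.decode("utf-8", "replace") if isinstance(payload, bytes) else str(payload)
    findings = []
    for url in URL_RE.findall(body):
        tenant = sharepoint_tenant(url)
        if tenant and tenant not in own_tenants:
            findings.append((tenant, url))
    return findings
```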
Phishing landing page
Different baits for different ‘fish’
Phishing groups have used a wide assortment of methods and techniques for harvesting their targets’ sensitive info during the last couple of months.
For example, last week attackers used fake resume attachments to infect their victims with Quasar Remote Administration Tool (RAT) payloads, while another series of attacks used the Google Docs online word processor to deliver the TrickBot banking Trojan via executables camouflaged as PDF documents.
One week earlier, Instagram users were the target of a phishing campaign using fake ‘failed login attempt’ warnings paired with bogus 2FA codes designed to make the scam more persuasive.
Another unusual campaign probed email inboxes this month with emails linking to its targets’ company-branded Microsoft 365 tenant login pages.
Microsoft researchers spotted yet another quite peculiar campaign which used custom 404 error pages to deceive potential victims into handing out their Microsoft credentials.