New phishing campaign attacking enterprises where employees have mentioned SharePoint in their profiles

A report by researchers at Heimdal Security points to the detection of a campaign targeting users and administrators that could put the security of an entire business environment at risk. As some users may recall, phishing is an attack variant in which an unauthorized user tries to gain access to a system by posing as a legitimate user or company, mainly employing the image of a well-known company.

In this campaign, the threat actors employ a very convincing and legitimate-looking message, in addition to employing websites similar to those of Office 365 and SharePoint, seeking that victims enter their credentials of access to these malicious platforms.

An active phishing campaign is using a crafty combination of legitimate-looking original sender email addresses, spoofed display sender addresses that contain the target usernames and domains, and display names that mimic legitimate services to try and slip through email filters.

- Microsoft Security Intelligence (@MsftSecIntel) July 30, 2021

Hackers use the Microsoft SharePoint name to trick victims into clicking on a link attached to the email. The malicious content is disguised as a request for “shared files”, supposedly related to the internal work in the affected organization.

As can be seen in the screenshots, threat actors use Microsoft logos at all times to give these messages a legitimate appearance.

After closely looking at the source URL, experts detected that it was based on a Google storage platform that redirects victims to the AppSpot domain of Google App Engine.

Heimdal’s report mentions: “The emails contain two URLs with malformed HTTP headers. The primary phishing URL is a Google storage resource that points to an AppSpot domain where the user will be prompted to sign in before being redirected to another domain that pretends to be the official Office 365 website.”

Moreover, the second URL is attached in the claims configuration and is designed to redirect the target user to a compromised SharePoint website. It is worth mentioning that the two malicious URLs require the user to enter their login credentials to complete the attack, as this way cybercriminals will be able to evade the most popular email security filters used nowadays.

For security reasons, Office 365 users are encouraged to ignore any email sent by unknown users or that includes unsolicited attachments and links. Also, before entering your access codes always remember to check the validity of the URL in question.

To learn more about information security risks, malware variants, vulnerabilities and information technologies, feel free to access the International Institute of Cyber Security (IICS) websites.

Originally published at https://www.securitynewspaper.com on August 5, 2021.