Cyber Security News

Beware of Phishing Attack that Abuses SharePoint Servers

A massive phishing campaign abuses legitimate Microsoft SharePoint servers to host malicious PDFs containing phishing links.

As observed by ANY.RUN, this sophisticated attack has seen an alarming surge, with over 500 public sandbox sessions detecting SharePoint phishing attempts in just the last 24 hours.

The campaign is particularly dangerous because it appears legitimate at every stage, leveraging trusted SharePoint services to host phishing PDFs. This makes detecting malicious intent challenging for both users and security systems.


Phishing Attack Abuses SharePoint Servers

  1. Phishing Email: The victim receives an email with a link.
  2. SharePoint PDF: The link directs to a SharePoint-hosted PDF containing another link.
  3. CAPTCHA: The victim is prompted to solve a CAPTCHA, adding a layer of legitimacy and thwarting automated detection systems.
  4. Phishing Page: Finally, the victim lands on a phishing page that mimics the Microsoft login page.
Campaign Flow

In some cases, victims must enter a one-time code, adding another layer of complexity and deception.

Phishing pages

Using legitimate SharePoint servers makes this phishing campaign particularly challenging to detect. Since all actions occur on trusted websites, traditional security mechanisms struggle to identify threats. Additionally, the CAPTCHA requirement further complicates automated detection efforts.

To combat this threat, ANY.RUN has introduced several measures in its sandbox:

  • Tagging Documents: Documents identified as potential phishing attempts are tagged as “possible-phishing” to alert users.
  • New Tag Introduction: A new tag, “sharepoint,” has been introduced to help identify and manage these specific phishing attempts.
  • Sandbox Notifications: Users in sandbox sessions are now notified with warnings such as “Be cautious! Do not enter your credentials.”

Interestingly, if the phishing kit detects traffic from a hosting provider, it may redirect users to a legitimate website, further complicating detection and mitigation efforts.

If you’re unsure about an email’s legitimacy, the best course is to contact the supposed sender through a separate, verified channel and confirm that they actually shared a file with you. Using multi-factor authentication and keeping your security software up to date can also provide extra protection against phishing attempts.

How to Detect & Indicators

To protect against these sophisticated phishing attacks, users should:

  • Verify Email Sources: Be cautious of unexpected emails, especially those requesting sensitive information or containing links to SharePoint documents.
  • Check URLs: Always verify the URL before entering credentials, ensuring it matches the expected domain.
  • Enable Security Features: Utilize advanced email security solutions and enable features like multi-factor authentication (MFA) to add an extra layer of protection.

As phishing tactics evolve to leverage legitimate services like SharePoint, it becomes increasingly important for organizations and individuals to stay vigilant and adopt robust security measures.

Most common indicators of SharePoint Phishing

  1. Unexpected SharePoint file sharing notifications, especially from unknown senders.
  2. Links in the email that lead to a SharePoint document, which then contains another link to a malicious site.
  3. Mismatched file types – for example, the email mentions a OneNote file but the SharePoint page shows a PDF.
  4. Requests for urgent action or claims of expiring documents.
  5. Poor grammar and spelling mistakes.
  6. Unfamiliar greetings or salutations that don’t match typical workplace communication styles.
  7. Inconsistencies between the supposed sender’s email address and the actual domain.
  8. Links that lead to third-party sites unrelated to SharePoint or the sender’s organization.
  9. Login pages that mimic Microsoft services but have suspicious URLs.
  10. Use of pressure tactics or emotional triggers to get users to click links quickly without scrutiny.
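The campaign flow and the indicator list above can be turned into a small triage check. The following Python script is an added example, not code from the article or from ANY.RUN: it scores a parsed email and the redirect chain a sandbox or proxy recorded when the link was followed against indicators 1, 2, 3, 4, 7, 8 and 9. The allow-list of genuine Microsoft sign-in hosts, the urgency and file-type keyword lists, the three-indicator threshold for the "possible-phishing" verdict, and all sample email and URL data are assumptions constructed for the example.

```python
"""
Added triage helper for the SharePoint-hosted phishing pattern.
Not from the article or ANY.RUN; all sample data below is constructed.
"""
import re
from dataclasses import dataclass
from urllib.parse import urlparse

# Assumed allow-list of hosts where a genuine Microsoft sign-in page may appear.
MICROSOFT_LOGIN_HOSTS = {"login.microsoftonline.com", "login.live.com", "login.microsoft.com"}
URGENCY = re.compile(r"\b(urgent|immediately|expir(?:e|es|ing|ed)|action required|within 24 hours)\b", re.I)
FILE_WORDS = re.compile(r"\b(onenote|excel|pdf|docx|xlsx)\b", re.I)
LOGIN_WORDS = re.compile(r"login|signin|sign-in|auth|office365|microsoft", re.I)


@dataclass
class Email:
    sender_display: str   # "From" header display name
    sender_address: str   # actual sender address
    subject: str
    body: str
    links: list           # URLs extracted from the body


def host_of(url: str) -> str:
    return (urlparse(url).hostname or "").lower()


def is_sharepoint(host: str) -> bool:
    # Suffix match on the real domain; "evil-sharepoint.com" must not pass.
    return host == "sharepoint.com" or host.endswith(".sharepoint.com")


def is_microsoft_login(host: str) -> bool:
    return host in MICROSOFT_LOGIN_HOSTS


def email_indicators(mail: Email, our_domain: str) -> list:
    """Indicators 1, 3, 4 and 7: external share, file-type mismatch, urgency, sender mismatch."""
    hits = []
    sender_domain = mail.sender_address.rsplit("@", 1)[-1].lower()
    if sender_domain != our_domain and any(is_sharepoint(host_of(u)) for u in mail.links):
        hits.append("sharepoint share notification from an external sender")
    claimed = re.search(r"@([\w.-]+)", mail.sender_display)
    if claimed and claimed.group(1).lower() != sender_domain:
        hits.append("display name claims %s but address is @%s" % (claimed.group(1), sender_domain))
    if URGENCY.search(mail.subject + " " + mail.body):
        hits.append("urgency or expiring-document language")
    mentioned = {w.lower() for w in FILE_WORDS.findall(mail.body)}
    for url in mail.links:
        last = urlparse(url).path.rsplit("/", 1)[-1]
        ext = last.rsplit(".", 1)[-1].lower() if "." in last else ""
        if ext and mentioned and ext not in mentioned:
            hits.append("body mentions %s but link is a .%s" % ("/".join(sorted(mentioned)), ext))
    return hits


def chain_indicators(chain: list) -> list:
    """Indicators 2, 8 and 9: SharePoint document -> off-platform site -> lookalike sign-in."""
    hosts = [host_of(u) for u in chain]
    start = next((i for i, h in enumerate(hosts) if is_sharepoint(h)), None)
    if start is None:
        return []
    hits, seen = [], set()
    for url, host in zip(chain[start + 1:], hosts[start + 1:]):
        if is_sharepoint(host) or is_microsoft_login(host):
            continue  # staying on Microsoft infrastructure is expected
        if host not in seen:
            seen.add(host)
            hits.append("sharepoint document leads off-platform to %s" % host)
        if "captcha" in url.lower():
            hits.append("captcha gate on %s before any sign-in" % host)
        if LOGIN_WORDS.search(url):
            hits.append("microsoft-style sign-in page on non-microsoft host %s" % host)
    return hits


def triage(mail: Email, chain: list, our_domain: str) -> dict:
    hits = email_indicators(mail, our_domain) + chain_indicators(chain)
    verdict = "possible-phishing" if len(hits) >= 3 else ("suspicious" if hits else "clean")
    return {"verdict": verdict, "indicators": hits}


# Constructed sample: external mailer posing as an internal department, OneNote
# promised but a PDF delivered, then SharePoint -> CAPTCHA -> lookalike login.
SAMPLE_MAIL = Email(
    sender_display="Accounts Payable (ap@contoso.example)",
    sender_address="notify@mailer-7731.example",
    subject="Document shared with you - action required",
    body="Hi, I shared a OneNote file with you. It expires within 24 hours, please review immediately.",
    links=["https://vendor1234.sharepoint.com/:b:/g/personal/shared/Invoice_Q3.pdf"],
)
SAMPLE_CHAIN = [
    "https://vendor1234.sharepoint.com/:b:/g/personal/shared/Invoice_Q3.pdf",
    "https://docs-verify.example/captcha?id=8f2",
    "https://office365-login.example/auth/index.php",
]

if __name__ == "__main__":
    print(triage(SAMPLE_MAIL, SAMPLE_CHAIN, "contoso.example"))
```

The host checks deliberately match only the real `sharepoint.com` suffix and an explicit allow-list of Microsoft sign-in hosts, so a registered lookalike such as `evil-sharepoint.com` or `office365-login.example` is treated as off-platform; in a real deployment the allow-list and the internal domain would come from tenant configuration rather than constants.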


Guru Baran

Gurubaran is a co-founder of Cyber Security News and GBHackers On Security. He has 10+ years of experience as a Security Consultant, Editor, and Analyst in cybersecurity, technology, and communications.
