Phishing Campaign SharePoint Documents

The Cofense Phishing Defense Center (PDC) has revealed a phishing campaign that targets Office 365 users and includes a convincing SharePoint document claiming to urgently need an email signature.

This new phishing campaign found in an environment protected by Microsoft’s secure email gateway (SEG). Since thousands of individuals still required to telework,  hackers lure their victims with almost picture-perfect sharing themed emails.

How this Attack Works?

Phishing Email (body)

The above Email showcases correct spelling and grammar in messaging that include urgency (“and response urgently”). The user’s name is not clear in the opening message above, indicating that this is a mass-distribution campaign intended to reach multiple users.

“When the user reported this email, suspicion was probably sparked by the sender’s address and the hovered hyperlink, neither of which contained the all-important “Microsoft” reference”, Cofense says.

Phishing Landing Page

When the recipient clicks on the hyperlink, the Phishing landing page will appear. The vendor’s branded logo and the “Pending file” notification could suffice for threat actors to extract and harvest users’ data, as shown above.

Once credentials have been supplied, the campaign redirects the user to a spoofed unrelated document, which might be enough to trick the user into thinking this is a legitimate transaction.

“A user’s personal data could potentially be in the hands of the threat actor, assuming they logged in with their true Microsoft credentials.”

Final Word

Therefore, Cofense suggested an online tool called Whois lookup that allows to extract useful statistical information. It is used to evaluate the legitimacy of the domain name.

Basic information such as the quantity of sites hosted, IP location as well as historical lifetime – are all useful for the investigation.