A phishing campaign is using the online platform SharePoint to bypass Symantec Corporation’s secure email gateway.
The bespoke campaign, built to get around the security software provider’s email gateway by using documents shared through SharePoint, is zeroing in on potential targets in the banking sector.
SharePoint vulnerability
Developed by Microsoft as a cloud-based service for both storage and file synchronisation, SharePoint can unfortunately also be an asset to malicious phishing campaigns. Researchers from Cofense, the cyber security awareness experts, have stated that using business services such as SharePoint comes close to guaranteeing that phishing URLs will be delivered successfully to intended targets.
Cofense outlined that the process begins when phishing emails are sent from a compromised email account, asking the recipient to examine a document by opening a URL embedded in the email. The URL is wrapped by Symantec’s own protective Click-time URL, and the recipient is redirected to a compromised account in SharePoint.
Effectively, SharePoint acts as a very efficient delivery service which outflanks the secure email gateway and launches the secondary attack by getting the malicious URL to its intended recipient.
Once past the email gateway, the URL embedded in the body sends the victim to a compromised site in SharePoint where a malicious document in OneNote is displayed. The document is purposefully difficult to read, encouraging the target to download it. Once the user clicks on the link, they’re sent to the main phishing page, which gathers their credentials.
The phishing page is designed to resemble the log-in portal in OneDrive for Business to fool the recipient. It offers two options for authentication: Office 365 personal log-in credentials or another email provider.
Creative and highly targeted attack strategies
Following download of the files from the compromised server, the credentials taken by the fake form are then posted using login.php. The collected credentials are then forwarded by login.php in an email to a Gmail account, which experts assume is most likely compromised as well.
The attacks are cleverly designed to bypass Symantec security gateways and are well-aimed to snare specific recipients.
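The chain described above (wrapped link, external SharePoint site, credential form posted to login.php) can be hunted for in web proxy logs. The following is an added detection sketch, not code from Cofense or from this article; the wrapper host and its `u` parameter, the tenant name `examplebank`, the event layout and the 15-minute window are assumptions, and the sample events are constructed.

```python
from datetime import datetime, timedelta
from urllib.parse import urlsplit, parse_qs

# Assumptions, not from the article: wrapper host and its "u" parameter,
# the organisation's tenant name, the event layout and the time window.
WRAPPER_HOST = "clicktime.symantec.com"
OWN_TENANTS = {"examplebank"}
MS_SUFFIXES = (".sharepoint.com", ".microsoftonline.com", ".office.com", ".live.com")
WINDOW = timedelta(minutes=15)

def unwrap(url):
    """Return the destination carried in a click-time wrapper, else the URL."""
    parts = urlsplit(url)
    inner = parse_qs(parts.query).get("u") if parts.hostname == WRAPPER_HOST else None
    return inner[0] if inner else url

def host_of(url):
    return (urlsplit(unwrap(url)).hostname or "").lower()

def external_sharepoint(url):
    """True for a *.sharepoint.com host whose tenant is not one of ours."""
    host = host_of(url)
    tenant = host.split(".")[0]
    if tenant.endswith("-my"):  # personal OneDrive for Business sites
        tenant = tenant[:-3]
    return host.endswith(".sharepoint.com") and tenant not in OWN_TENANTS

def find_chains(events):
    """Alert on an external SharePoint visit followed by a POST off Microsoft hosts."""
    last_seen, alerts = {}, []
    for time, user, method, url in sorted(events, key=lambda e: e[0]):
        host = host_of(url)
        if external_sharepoint(url):
            last_seen[user] = time  # remember the lure visit per user
        elif method == "POST" and not host.endswith(MS_SUFFIXES):
            seen = last_seen.get(user)
            if seen is not None and time - seen <= WINDOW:
                alerts.append((user, host))
    return alerts

# Constructed sample events (time, user, method, url); not real traffic.
T0 = datetime(2019, 1, 1, 9, 0)
EVENTS = [
    (T0, "alice", "GET", "https://clicktime.symantec.com/a/1/x?u=https%3A%2F%2Fothercorp-my.sharepoint.com%2Fpersonal%2Fdoc"),
    (T0 + timedelta(minutes=2), "alice", "POST", "https://portal.example.net/login.php"),
    (T0, "bob", "GET", "https://examplebank.sharepoint.com/sites/finance"),
    (T0 + timedelta(minutes=1), "bob", "POST", "https://forms.example.org/login.php"),
]
if __name__ == "__main__": print(find_chains(EVENTS))
```

Only alice is flagged: bob's SharePoint visit was to the organisation's own tenant, so his later form post has no preceding lure visit to pair with.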
Vice President of solution engineering for OneLogin, the cloud-based identity management company, said these attacks are yet another example of the sophistication and creativity shown by malicious actors and commented:
“Attackers know that a significant number of organisations are not taking a strong enough stance when it comes to access security. Once they have a set of valid credentials, it is easy to compromise corporate applications, particularly SaaS Apps including HR Systems, File Storage Services and CRMs.”
If your company uses collaborative software platforms like SharePoint and Software as a Service (SaaS) options such as Office 365, it’s vital you keep your set-up secure and well maintained. At WM Reply we’re experts in using Microsoft technology to its full potential to help businesses achieve their ambitions. From startups and Small to Medium Enterprises (SMEs) to large companies with extensive communication networks, we can assist you. Our speciality lies in creating bespoke solutions tailor-made to your individual needs, so for advice and support, don’t hesitate to contact our professional team.