Cybercrime , Fraud Management & Cybercrime , Fraud Risk Management

Phishing Campaign Uses Fake SharePoint Alerts

Fraudsters Leverage Automated Messages in Effort to Steal Office 365 Credentials
Phishing Campaign Uses Fake SharePoint Alerts
Fraudsters now use fake automated SharePoint messages as a starting point to steal Office 365 login credentials. (Source: Abnormal Security)

Fraudsters are mimicking automated messages from Microsoft SharePoint for a phishing campaign that attempts to steal Office 365 credentials, according to the security firm Abnormal Security.

"The email itself is not addressed to any specific individual and is meant to cast a wide net to phish for employees' credentials," the firm’s new report states.

See Also: OnDemand | Digital Doppelgängers: The Dual Faces of Deepfake Technology

The malicious emails have reached about 50,000 inboxes so far, and the campaign may still be active, according to Abnormal Security.

Phishing Emails

The brief spoofed emails use language similar to automated file-sharing notifications, according to the report.

"The name of the target company is inserted at every possible point, including the sender display name, and [the message] is pretending to originate from within the user’s organization," the researchers note.

The phishing emails contain an embedded link to a malicious web page. Once this link is clicked, the recipient is taken on a journey containing multiple redirects, eventually ending up on a malicious landing page that looks identical to a secure SharePoint file that requires the recipient’s credential information, the researchers note. At this point, the user is asked to click on another link.

"Clicking on it either redirects to a submission form where the recipient can enter their credentials, or downloads a PDF that redirects to another site,” the report states. “The landing page utilizes the Microsoft and SharePoint logos to impersonate these official brands and masquerade as a legitimate site. In the email body, the recipient’s company name was also used numerous times to impersonate an internal document shared by this service," says the report.

This type of social engineering can convince recipients that the email is safe and was sent by their company because of the repetitive inclusion of the company name, researchers say. They warn that if a recipient falls victim to this type of attack, their credentials - as well as any data stored in their account – will be compromised.

"This places employees and their networks at considerable risk as attackers can launch internal attacks to steal more credentials and information from the organization," the researchers state.

A Similar Campaign

Earlier this month, Abnormal Security uncovered a similar phishing campaign using spoofed Zoom account alerts to steal Microsoft Office 365 credentials.

The researchers noted the Zoom-themed phishing emails have appeared in about 50,000 inboxes since the campaign began earlier this year (see: Zoom-Themed Phishing Campaign Targets Office 365 Credentials).

Credentials for Office 365 and other Microsoft products are frequent targets of phishing attacks, including recent campaigns with COVID-19 themes (see: Microsoft Seizes Domains Used for COVID-19 Phishing Scam).

About the Author

Prajeet Nair

Prajeet Nair

Assistant Editor, Global News Desk, ISMG

Nair previously worked at TechCircle, IDG, Times Group and other publications, where he reported on developments in enterprise technology, digital transformation and other issues.

Around the Network

Our website uses cookies. Cookies enable us to provide the best experience possible and help us understand how visitors use our website. By browsing, you agree to our use of cookies.