
New phishing campaign lures victims with compromised SharePoint website

The campaign was designed to go undetected by security products

Cyber criminals are using a compromised SharePoint website as a lure for a new phishing campaign.

Dora Tudor, a cyber security enthusiast at Heimdal Security, said the campaign relies on convincing emails and a few other techniques used to bypass phishing detection. These include an Office 365 phishing page, Google Cloud web app hosting, and a compromised SharePoint site that pushes victims to enter their credentials.

“It’s concerning to see that phishing remains a tricky issue that businesses are still facing, therefore the existence of phishing awareness pieces of training is highly recommended both by CISA and Microsoft,” she said.

According to a series of tweets by Microsoft researchers, the ongoing campaign used a combination of legitimate-looking original sender email addresses and spoofed display sender addresses that contain the target usernames and domains. The display names mimic legitimate services to try and slip through email filters.

The lure email pretends to be a “file share” request to access some so-called “Staff Reports,” “Bonuses,” “Pricebooks,” and other content hosted in a supposed Excel spreadsheet.

Researchers added that the original sender addresses contain variations of the word "referral" and use various top-level domains, including the domain com[.]com, which is commonly used by phishing campaigns for spoofing and typo-squatting.


Cyber criminals then send emails that “use a SharePoint lure in the display name as well as the message,” researchers said. “This campaign is active with various lure themes.”
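The sender traits described above can be checked mechanically on inbound mail headers. The following Python sketch is an added example, not the query Microsoft published; the flag names, the regular expression for "referral" variations and the sample headers are assumptions constructed for illustration.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Assumption: "variations" of "referral" modelled as doubled or dropped letters.
REFERRAL_RE = re.compile(r"ref+er+al+", re.I)
ADDR_IN_TEXT = re.compile(r"[\w.+-]+@[\w-]+(?:\.[\w-]+)+")

# Constructed sample headers (not taken from the campaign).
SUSPICIOUS = (
    'From: "jane.doe@contoso.example via SharePoint" <no-reply@referrall.com.com>\n'
    "To: jane.doe@contoso.example\n"
    "Subject: SharePoint file share: Staff Reports.xlsx\n\n"
)
BENIGN = (
    'From: "Contoso Helpdesk" <helpdesk@contoso.example>\n'
    "To: jane.doe@contoso.example\n"
    "Subject: Password expiry reminder\n\n"
)

def sender_flags(raw_headers: str) -> list[str]:
    """Return the reasons a message matches the sender traits in the article."""
    msg = message_from_string(raw_headers)
    display, sender = parseaddr(msg.get("From", ""))
    _, rcpt = parseaddr(msg.get("To", ""))
    sender, rcpt, shown = sender.lower(), rcpt.lower(), display.lower()
    sender_domain = sender.rpartition("@")[2]
    rcpt_user, _, rcpt_domain = rcpt.partition("@")
    flags = []
    if REFERRAL_RE.search(sender):
        flags.append("referral-variant-in-sender")
    if sender_domain == "com.com" or sender_domain.endswith(".com.com"):
        flags.append("com.com-sender-domain")
    # Display name carries an address other than the real sender.
    if any(addr != sender for addr in ADDR_IN_TEXT.findall(shown)):
        flags.append("display-name-address-mismatch")
    # External sender whose display name embeds the target's username or domain.
    if (rcpt_user and rcpt_domain and sender_domain != rcpt_domain
            and (rcpt_user in shown or rcpt_domain in shown)):
        flags.append("recipient-identity-in-display-name")
    # SharePoint lure in the display name as well as the message subject.
    if "sharepoint" in shown and "sharepoint" in msg.get("Subject", "").lower():
        flags.append("sharepoint-lure")
    return flags
```

Each flag on its own is a weak signal; messages that raise several together are the ones worth routing to review.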

Microsoft researchers added that the emails contain two URLs with malformed HTTP headers. The primary phishing URL is a Google storage resource that points to an AppSpot domain that requires the user to sign in before finally serving another Google User Content domain with an Office 365 phishing page.

“The second URL is located within the notification settings and leads to a compromised SharePoint site that the attackers use to add legitimacy to the attack. Both URLs require sign-in to continue to the final page, bypassing many sandboxes,” researchers added.

Researchers warned that the campaign contained other detection evasion techniques that make this campaign even “sneakier than usual.” 

Researchers published more details on the campaign on GitHub, including a query that can be run in Microsoft 365 Defender to flag any campaign email that may have gone unnoticed by email security products.
