Office 365 phishing baits employees with fake SharePoint alerts

by chebbi abir

Employees using Microsoft Office 365 are targeted in a phishing campaign that makes use of bait messages camouflaged as automated SharePoint notifications to steal their accounts.

The phishing emails delivered as part of this phishing campaign are addressed to all employees working at targeted organizations and have until now reached an estimated number of up to 50,000 mailboxes based on stats from email security company Abnormal Security.

What makes these phishing messages potentially dangerous is the fact that they’re using a shotgun approach, trying to trick at least one employee and then use their credentials to further compromise their employer’s systems.

Fake SharePoint alerts used as lures

The attackers behind this phishing campaign did their best to keep the phishing messages as short and vague as possible, and they also made it a point to include the targeted company’s name multiple times within the emails.

This strategy is supposedly designed to help induce a feeling of trust and make the targets think that the phishing emails were really sent from within their organization.

“In the email body, the recipient’s company name was also used numerous times to impersonate an internal document shared by this service,” Abnormal Security explains.

“Recipients may be convinced that the email is safe and coming from their company because of the repetitive inclusion of the company name.”

Phishing email sample
Phishing email sample (Abnormal Security)

The phishing messages’ goal is to make the targets click on an embedded hyperlink that sends them to a SharePoint themed landing page through a series of redirects.

This is where they are required to click on a button to download “important documents” mentioned within the phishing emails, a button that will either download a PDF that sends them to another website or that will redirect them to a submission form where they are asked to input their credentials.

If the targets fall for the phishers’ tricks, their Microsoft credentials will give the attackers’ full control of their Office 365 accounts, with their information to be stolen and used as apart of identity theft and fraud schemes such as Business Email Compromise (BEC).

“This places employees and their networks at considerable risk as attackers can launch internal attacks to steal more credentials and information from the organization,” Abnormal Security adds.

Office 365 phishing attacks


Microsoft Office 365 customers are under a continuous barrage of targeted phishing campaigns with the end goal of stealing their credentials.

Office 365 users were baited throughout this year using fake Zoom suspension alerts, fake VPN configs, fake Microsoft Teams alerts, and Small Business Grants Fund (SGF) relief payment baits, with tens of thousands of these phishing emails landing in the targets’ mailboxes as part of these phishing campaigns.

Earlier this month, Microsoft also warned of a recent shift to new types of phishing tactics such as consent phishing, besides regular email phishing and credential theft attacks.

“While application use has accelerated and enabled employees to be productive remotely, attackers are looking at leveraging application-based attacks to gain unwarranted access to valuable data in cloud services,” Microsoft Partner Group PM Manager Agnieszka Girling said.

Redmond also took legal action to take down part of the attack infrastructure used in consent phishing to hijack victims’ Office 365 accounts with the help of malicious 365 OAuth apps.


To read the original article:


Interdit de copier  ce contenu