SharePoint as a phishing tool

Cybercriminals are using hijacked SharePoint servers to send dangerous notifications.

A phishing link in the e-mail body is a thing of the past. Mail filters now detect this trick with near 100% efficiency. That’s why cybercriminals are constantly inventing new ways to get their hands on corporate login credentials. We recently came across a rather interesting method that makes use of perfectly legitimate SharePoint servers. In this post, we explain how the scheme works, and what employees should look out for to avoid trouble.

Anatomy of SharePoint phishing

The employee receives a standard notification about someone sharing a file. This is unlikely to arouse suspicion (especially if the company where the employee works does actually use SharePoint), because it's a real notification from a real SharePoint server.

Legitimate notification from a SharePoint server.

The unsuspecting employee clicks the link and is taken to the genuine SharePoint server, where the supposed OneNote file appears as intended. Its contents, however, look like another file notification and include an oversized icon (this time of a PDF file). Assuming this to be another step in the download process, the victim clicks the link, which this time is a standard phishing one.

Contents of the supposed OneNote file on the SharePoint server.

This link in turn opens a standard phishing site that mimics the OneDrive login page, which readily steals credentials for Yahoo!, AOL, Outlook, Office 365, or another e-mail service.

Fake Microsoft OneDrive login page.

Why this type of phishing is especially dangerous

This is by no means the first case of SharePoint-based phishing. However, this time the attackers don’t only hide the phishing link on a SharePoint server, but distribute it through the platform’s native notification mechanism. This is possible because, thanks to Microsoft developers, SharePoint has a feature that allows you to share a file that’s on a corporate SharePoint site with external participants who don’t have direct access to the server. Instructions on how to do this are given on the company’s website.

All the attackers have to do is gain access to someone’s SharePoint server (using a similar or any other phishing trick). That done, they upload the file with the link and add a list of e-mails to share it with. SharePoint itself helpfully notifies the e-mail owners. And these notifications will sail through all filters since they come from the legitimate service of some real company.

How to stay safe

To prevent your employees falling victim to scam e-mails, they need to be able to spot the telltale signs. In this case, the obvious red flags are as follows:

  • We don’t know who shared the file (it’s good practice to never open files from strangers).
  • We don’t know what kind of file it is (people normally don’t share files off the cuff without an explanation of what they sent and why).
  • The e-mail talks about a OneNote file — but on the server we see a PDF.
  • The file download link takes us to a third-party site that has nothing to do with either the victim’s company or SharePoint.
  • The file supposedly resides on a SharePoint server, yet the site mimics OneDrive — these are two different Microsoft services.
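
The same red flags can be checked mechanically when triaging a reported share notification. The following Python is an added example, not code from the original article; the record fields, hosts and addresses are hypothetical, constructed sample data. It matches link hosts on a dot boundary, so a lookalike host that merely starts with the trusted server name is still flagged.

```python
from urllib.parse import urlsplit

def host_of(url):
    """Lower-cased host of a URL, without port or trailing dot."""
    return (urlsplit(url).hostname or "").lower().rstrip(".")

def host_in(host, domains):
    """True only for an exact match or a real subdomain (dot boundary)."""
    return any(host == d or host.endswith("." + d) for d in domains)

def red_flags(share, known_senders, company_domains):
    flags = []
    if share["sender"].lower() not in known_senders:
        flags.append("unknown_sender")
    if not share["message"].strip():
        flags.append("no_explanation")
    if share["announced_type"] != share["displayed_type"]:
        flags.append("file_type_mismatch")
    # A link inside the shared file should stay on the server that hosts
    # it or on the recipient's own domains (assumed policy for this example).
    trusted = set(company_domains) | {host_of(share["server_url"])}
    for link in share["links_in_file"]:
        host = host_of(link)
        if not host_in(host, trusted):
            flags.append("third_party_link:" + host)
    if share["login_brand"] and share["login_brand"] != share["service"]:
        flags.append("service_mismatch")
    return flags

# Constructed sample data (hypothetical hosts and addresses).
KNOWN = {"alice@corp.example"}
COMPANY = {"corp.example"}
PHISH = {
    "sender": "billing@partner.example", "message": "",
    "service": "SharePoint", "login_brand": "OneDrive",
    "announced_type": "OneNote", "displayed_type": "PDF",
    "server_url": "https://files.partner.example/sites/docs/invoice.one",
    "links_in_file": ["https://files.partner.example.login.attacker.example/od"],
}
BENIGN = {
    "sender": "alice@corp.example", "message": "Q3 notes for review",
    "service": "SharePoint", "login_brand": None,
    "announced_type": "OneNote", "displayed_type": "OneNote",
    "server_url": "https://sp.corp.example/sites/team/q3.one",
    "links_in_file": ["https://wiki.corp.example/q3"],
}

if __name__ == "__main__":
    print(red_flags(PHISH, KNOWN, COMPANY))
    print(red_flags(BENIGN, KNOWN, COMPANY))
```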

To make sure employees can spot these signs, we recommend holding regular security-awareness training. A specialized online platform can help with this.

What the above-described ploy clearly demonstrates is that security solutions with anti-phishing technology must be installed not only at the corporate mail server level but on all employees’ work devices as well.