{"id":20841,"date":"2023-03-23T14:05:27","date_gmt":"2023-03-23T10:05:27","guid":{"rendered":"https:\/\/me-en.kaspersky.com\/blog\/sharepoint-notification-scam\/20841\/"},"modified":"2023-03-23T14:05:37","modified_gmt":"2023-03-23T10:05:37","slug":"sharepoint-notification-scam","status":"publish","type":"post","link":"https:\/\/me-en.kaspersky.com\/blog\/sharepoint-notification-scam\/20841\/","title":{"rendered":"SharePoint as a phishing tool"},"content":{"rendered":"

A phishing link in the e-mail body is a thing of the past. Mail filters now detect this trick with near 100% efficiency. That\u2019s why cybercriminals are constantly inventing new ways to get their hands on corporate login credentials. We recently came across a rather interesting method that makes use of perfectly legitimate SharePoint servers. In this post, we explain how the scheme works, and what employees should look out for to avoid trouble.\n<\/p>\n

Anatomy of SharePoint phishing<\/h2>\n

\nThe employee receives a standard notification about someone sharing a file. This is unlikely to arouse suspicion (especially if the company where the employee works does actually use SharePoint). This is \u00a0because it\u2019s a real notification from a real SharePoint server.<\/p>\n

\"Legitimate

Legitimate notification from a SharePoint server.<\/p><\/div>\n

The unsuspecting employee clicks the link and is taken to the genuine SharePoint server, where the supposed OneNote file appears as intended. Only, inside it looks like another file notification and contains an oversized icon (this time of a PDF file). Assuming this to be another step in the download process, the victim clicks the link \u2014 now a standard phishing one.<\/p>\n

\"Contents

Contents of the supposed OneNote file on the SharePoint server.<\/p><\/div>\n

This link in turn opens a standard phishing site that mimics the OneDrive login page, which readily steals credentials for Yahoo!, AOL, Outlook, Office 365, or another e-mail service.<\/p>\n

\"Fake

Fake Microsoft OneDrive login page.<\/p><\/div>\n

Why this type of phishing is especially dangerous<\/h2>\n

\nThis is by no means the first case<\/a> of SharePoint-based phishing. However, this time the attackers don\u2019t only hide the phishing link on a SharePoint server, but distribute it through the platform\u2019s native notification mechanism. This is possible because, thanks to Microsoft developers, SharePoint has a feature that allows you to share a file that\u2019s on a corporate SharePoint site with external participants who don\u2019t have direct access to the server. Instructions<\/a> on how to do this are given on the company\u2019s website.<\/p>\n

All the attackers have to do is gain access to someone\u2019s SharePoint server (using a similar or any other phishing trick). That done, they upload the file with the link and add a list of e-mails to share it with. SharePoint itself helpfully notifies the e-mail owners. And these notifications will sail through all filters since they come from the legitimate service of some real company.<\/p>\n

How to stay safe<\/h2>\n

\nTo prevent your employees falling victim to scam e-mails, they need to be able to spot the telltale signs. In this case, the obvious red flags are as follows:\n<\/p>\n