Attackers camouflage as SharePoint notifications target Office 365 employees

Recently, a newly phishing campaign has been recorded that makes the use of bait messages camouflaged as automated SharePoint notifications targeting employees using Microsoft 365 accounts.

As per email security company Abnormal Security, up to 50, 0000 mailboxes are addressed to all the employees of the targeted organizations. The phishing messages are using a shotgun approach, trying to trick at least one employee and then use their credentials to compromise further employee’s systems. This makes this phishing campaign potentially dangerous.

The attackers tried their best to keep the phishing messages as short and vague as possible. Also, they made it a point to include the targeted company’s name multiple times with the email. Their strategy is simple – to induce a feeling of trust and make the targets think that the phishing email is actually coming from their organization.

Abnormal explains, “In the email body, the recipient’s company name was also used numerous times to impersonate an internal document shared by this service. Recipients may be convinced that the email is safe and coming from their company because of the repetitive inclusion of the company name.”

The phishing messages try users to click on the provided hyperlinks within it. This will send the employees to a SharePoint themed landing page through a series of redirects. Here, a button to download “Important documents” is mentioned. This will either download a PDF that sends them to another website or will redirect them to a submission form where they are asked to enter their credentials.

When the targets fall on the trick, their Microsoft credentials are sent to the attackers that allow them to take full control over their Office 365 accounts. They can use such data as a part of identity theft and fraud schemes such as Business Email Compromise.

Abnormal adds, “This places employees and their networks at considerable risk as attackers can launch internal attacks to steal more credentials and information from the organization.”

Microsoft Partner Group PM Manager Agnieszka Girling said, “While application use has accelerated and enabled employees to be productive remotely, attackers are looking at leveraging application-based attacks to gain unwarranted access to valuable data in cloud services.”