Abnormal Attack Stories: Compromised Vendor and Sharepoint Phishing - Abnormal Security

Abnormal Attack Stories: Compromised Vendor and Sharepoint Phishing

In this attack, a compromised vendor attempts to steal victims’ email credentials.

Quick Summary of Attack Target

Platform: Office 365
Email Security Bypassed: Proofpoint
Mailboxes: 15,000 to 50,000
Payload: Sharepoint File with Malicious Link
Technique: Vendor Compromise

What was the attack?

Setup: This attack comes from the compromised account of a legitimate vendor that is attempting to establish a partnership with the targeted organization. The compromised account sent a legitimate Sharepoint file under the guise of documents that need reviewing. The file was sent to an account manager who is likely to receive documents from both new and established vendors for review. The attacker is counting on the target believing the files are legitimate because the message comes from an established company, and thereby capturing the target’s credentials for malicious use.

Email Attack: The email body is a legitimate Sharepoint file share notification, and the file name is “Review & Approval…” which is vague enough to pique interest but also targeted enough to seem purposefully sent to the recipient.

Payload: The Sharepoint file linked in the email body prompts the target to download the desired documents by clicking a hyperlinked image. The landing site behind this link presents a list of popular email providers and asks the target to log in. Each option leads to a phishing page mimicking the corresponding legitimate login page. We’ve documented the steps in this attack below:

1. The Sharepoint link leads to a legitimate Sharepoint file containing hyperlinks.
2. A link within the Sharepoint file leads to a first updatezzzthehiglandmint.ceshire.com page with an email provider selection.
3. Selecting Google leads to a second updatezzzthehiglandmint.ceshire.com page disguised as a Google login in order to capture the target’s credentials.
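A defender-side check for the two landing pages described in steps 2 and 3, as an added example that is not part of Abnormal’s post or product: it scans a page reached from a file-share link for a provider-selection menu whose every option stays on the same non-brand host, and for a brand-styled login form that posts credentials somewhere other than that brand’s real login host. The brand allowlist, the sample HTML, and the form action paths are constructed assumptions; only the phishing host name comes from the write-up above.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

# Assumption: a short allowlist of real login hosts per impersonated brand.
BRAND_HOSTS = {
    "google": {"accounts.google.com"},
    "office 365": {"login.microsoftonline.com", "login.live.com"},
    "yahoo": {"login.yahoo.com"},
}


class _LoginPageScanner(HTMLParser):
    """Collects form actions, anchor hosts, password fields and visible text."""

    def __init__(self):
        super().__init__()
        self.form_actions, self.link_hosts, self.text = [], set(), []
        self.has_password = False

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "form" and a.get("action"):
            self.form_actions.append(a["action"])
        if tag == "input" and a.get("type", "").lower() == "password":
            self.has_password = True
        if tag == "a" and a.get("href"):  # logos (<img>) are ignored on purpose
            host = urlparse(a["href"]).hostname
            if host:
                self.link_hosts.add(host)

    def handle_data(self, data):
        self.text.append(data.lower())


def score_landing_page(page_url, html):
    """Return (verdict, reasons) for a page reached from a file-share link."""
    host = urlparse(page_url).hostname or ""
    s = _LoginPageScanner()
    s.feed(html)
    text = " ".join(s.text)
    brands = [b for b in BRAND_HOSTS if b in text]
    reasons = []
    # Step 2 pattern: several providers offered, but every choice stays on this host.
    if len(brands) >= 2 and s.link_hosts and s.link_hosts <= {host}:
        reasons.append(f"provider selection for {brands} all links to {host}")
    # Step 3 pattern: brand-styled password form posting to a non-brand host.
    if s.has_password and brands:
        for action in s.form_actions:
            action_host = urlparse(action).hostname or host  # relative action posts here
            if not any(action_host in BRAND_HOSTS[b] for b in brands):
                reasons.append(f"{brands[0]} login form posts to {action_host}")
    return ("phish" if reasons else "clean"), reasons


# Constructed samples modelled on the two pages in this attack.
SELECT_PAGE = """<html><body><h2>Select your email provider to view the document</h2>
<a href="https://updatezzzthehiglandmint.ceshire.com/google">Google</a>
<a href="https://updatezzzthehiglandmint.ceshire.com/o365">Office 365</a>
<a href="https://updatezzzthehiglandmint.ceshire.com/yahoo">Yahoo</a></body></html>"""
LOGIN_PAGE = """<html><body><img src="https://ssl.gstatic.com/logo.png" alt="logo">
<form action="/collect.php" method="post">Sign in with your Google Account
<input name="email"><input type="password" name="pass"></form></body></html>"""
LEGIT_PAGE = """<html><body><form action="https://accounts.google.com/signin/v2">
Google <input name="email"><input type="password" name="pass"></form></body></html>"""
```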

Result: If the target falls for this type of attack, their credentials will be compromised, along with any data stored on their account. This places employees and their networks at considerable risk as attackers can then launch internal attacks to steal more credentials and information from the organization.

Why is this attack effective?

Compromised Vendor: This email is coming from the account of a legitimate company, and one that would plausibly pursue a partnership with the target organization. Since the account has been taken over, there is no indication that the sender is an attacker. Even if the recipient organization’s security is sophisticated, this compromised vendor would still put it at risk.

Convincing Email & Landing Page: The Sharepoint file is legitimate, and the sites it leads to mimic genuine login pages for accounts that require real logins, so what they collect is the target’s actual credentials. Each page uses the corresponding email service’s logo to impersonate the official brand and masquerade as the legitimate site.

This type of attack is not simple but has the potential to be extremely effective. A compromised account can cause significant problems for both the internal organization as well as all of its vendors. Any and all industries can be affected. We are seeing a growing number of these vendor-related attacks.
