SharePoint Impersonated in O365 Credential Phishing Attempt

July 27, 2020

SharePoint is an increasingly popular tool for Microsoft users, especially in a time when millions of employees are working remotely. In this attack, malicious actors make use of an automated message from Sharepoint to send phishing emails.

Summary of Attack Target

  • Platform: Office 365
  • Email Security Bypassed: Proofpoint
  • Payload: Malicious Link
  • Technique: Impersonation

Overview of the SharePoint Impersonation Attack

This attack impersonates an automated message from SharePoint to send phishing emails. The email itself is not addressed to any specific individual and is instead meant to cast a wide net to phish for employee credentials. Here, attackers are leveraging the probability that at least one employee will fall for the attack, and—if successful—can use their credentials to gain access to sensitive corporate information or to launch additional, more successful attacks using the compromised account.

The body content is brief and uses language similar to automated file-sharing notifications. The name of the target company is inserted at every possible point, including the sender display name, and is pretending to originate from within the user’s organization. The content of the email is vague and encourages the user to click the link to see the SharePoint documents.


After clicking on the link, the landing page is reached through multiple redirects and ultimately lands the recipient on an impersonated SharePoint page where they are encouraged to click to download the file.


Clicking on it either redirects to a submission form where the recipient can enter their credentials, or downloads a PDF that redirects to another site. If the recipient falls victim to this type of attack, their credentials are compromised, as well as any data stored on their account. This places employees and their networks at considerable risk as attackers can launch internal attacks to steal more credentials and information from the organization.

Why the SharePoint Impersonation Attack is Effective

Within the email, the malicious URL is disguised as text via hyperlink. If the link was not disguised, the recipient might spot an inconsistency, as the landing page does not lead to a SharePoint link. That said, the landing page itself looks identical to a secure SharePoint file that requires the recipient's credential information.

The landing page utilizes the Microsoft and SharePoint logos to impersonate these official brands and masquerade as a legitimate site. In the email body, the recipient’s company name was also used numerous times to impersonate an internal document shared by this service. Recipients may be convinced that the email is safe and coming from their company because of the repetitive inclusion of the company name.

Abnormal can detect and stop this attack due to the unusual sender, where the display name matches the Microsoft band, but the email does not. Further analysis shows the suspicious link and the language that conveys that it might be attempting to steal credentials. Combined, these are all indicators that the email is malicious, prompting Abnormal to block it before it reaches inboxes.

To learn how Abnormal can protect your organization from credential phishing attempts, request a demo today.

Image

Prevent the Attacks That Matter Most

Get the Latest Email Security Insights

Subscribe to our newsletter to receive updates on the latest attacks and new trends in the email threat landscape.

Demo 2x 1

See the Abnormal Solution to the Email Security Problem

Protect your organization from the attacks that matter most with Abnormal Integrated Cloud Email Security.

Related Posts

B 05 13 22 Spring Product Release
This quarter, the team at Abnormal launched new features to improve lateral attack detection, role-based access control (RBAC), and explainable AI. Take a deep dive into all of the latest product enhancements.
Read More
B 05 11 22 Champion Finalist
Abnormal has been selected as a Security Customer Champion finalist in the Microsoft Security Excellence Awards! Here’s a look at why.
Read More
Blog series c cover
When we raised our Series B funding 18 months ago, I promised our customers greater value, more capabilities, and better customer support. We’ve delivered on each of those promises and as we receive an even larger investment, I’m excited about how we can continue to further deliver on each of them.
Read More
B 05 09 22 Partner Community
It’s an honor to be named one of CRN’s 2022 Women of the Channel. Here’s why I appreciate the award and what I love about being a Channel Account Manager at Abnormal.
Read More
B 05 05 22 Fast Facts
Watch this short video to learn current trends and key issues in cloud email security, including how to protect your organization against modern threats.
Read More
B 05 03 22
Like all threats in the cyber threat landscape, ransomware will continue to evolve over time. This post builds on our prior research and looks at the changes we observed in the ransomware threat landscape in the first quarter of 2022.
Read More
B 04 28 22 8 Key Differences
At Abnormal, we pride ourselves on our excellent machine learning engineering team. Here are some patterns we use to distinguish between effective and ineffective ML engineers.
Read More
B 04 26 22 Webinar Re Replacing Your SEG
Learn how Microsoft 365 and Abnormal work together to provide comprehensive defense-in-depth protection in part two of our webinar recap.
Read More
Blog mitigate threats cover
Learn about the most common socially-engineered attacks and why these tactics are still so successful—despite a growing awareness from employees.
Read More
B Podcast Engineering8
In episode 8 of Abnormal Engineering Stories, Kevin interviews Saminda Wijegunawardena, an engineering leader who is no stranger to fast-growing enterprise startups.
Read More
B 04 04 22 Webinar Recap Krebs
High-impact emails are on the rise and secure email gateways (SEGs) don’t have the functionality to mitigate them. Learn how your SEG is letting you down.
Read More
B 04 19 22 Facebook Phishing
While phishing emails have long been a popular way to steal Facebook login credentials, we’ve recently seen an increase in more sophisticated phishing attacks.
Read More