Abnormal Attack Stories: Sharepoint Attacks - Abnormal Security

Abnormal Attack Stories: Sharepoint Attacks

In this attack, malicious actors make use of an automated message from Sharepoint to send phishing emails.

Quick Summary of Attack Target

Platform: Office 365
Email Security Bypassed: Proofpoint
Mailboxes: 15,000 to 50,000
Payload: Malicious Link
Technique: Impersonation

What was the attack?

  • Setup: This attack impersonates an automated message from Sharepoint to send phishing emails. The email itself is not addressed to any specific individual, and is meant to cast a wide net to phish for employees credentials. Here, attackers are leveraging the probability that at least one employee will fall for the attack, and–if successful–can use their credentials for sinister purposes or to gain access to sensitive corporate information. 

  • Email Attack: The body content is brief and uses language similar to automated file sharing notifications. The name of the target company is inserted at every possible point, including the sender display name, and is pretending to originate from within the user’s organization. The content of the email is vague and does not target any specific individual at this company. The email body contains a link to a malicious web page. 

  • Payload: The landing page is reached through multiple redirects. A click to download button is provided, and clicking on it either redirects to a submission form where the recipient can enter their credentials, or downloads a PDF that redirects to another site. 
  • Result: If the recipient falls victim to this type of attack, their credentials are compromised, as well as any data stored on their account. This places employees and their networks at considerable risk as attackers can launch internal attacks to steal more credentials and information from the organization.

Why is this attack effective?

  • Concealed URL: The malicious URL is disguised as text via hyperlink. If the link was not disguised, the recipient might spot an inconsistency: the IR: is from a different domain, when the email body states the attached link should direct to Sharepoint.
  • Convincing Email & Landing Page: The landing page looks identical to a secure Sharepoint file that requires the recipient’s credential information. The landing page utilizes the Microsoft and Sharepoint logos to impersonate these official brands and masquerade as a legitimate site. In the email body, the recipient’s company name was also used numerous times to impersonate an internal document shared by this service. Recipients may be convinced that the email is safe and coming from their company because of the repetitive inclusion of the company name.

Related content