JAKARTA - To hunt down corporate credentials, cybercriminals now hide phishing links in files on hijacked SharePoint servers and distribute them using native notification mechanisms.

Email spam filters are usually able to detect phishing emails that carry a link in the body of the message. For that reason, cybercriminals are constantly improving their tools to try to bypass security solutions.

Now, they not only hide the phishing links on a SharePoint server, as in the previously known scheme, but also distribute them using legitimate SharePoint notifications.

Kaspersky's security solutions successfully filtered more than 1,600 malicious notifications between December 2022 and February 2023, in countries such as Austria, France, India, Italy, Japan, the Netherlands, Russia, Singapore, South Korea, Spain and the United States.

Kaspersky says that this tactic with legitimate notifications can easily fool even the most tech-savvy employees.

The notifications are sent on behalf of a genuine enterprise service and raise no doubts, especially if the company uses SharePoint as part of its daily routine.

How phishing via SharePoint notifications works

An employee receives a standard SharePoint notification saying that someone has shared a OneNote file with them. These emails are completely legitimate and can bypass spam filters more easily.

The employee then follows the link, which opens the OneNote file, but the note's content contains another 'notification' with a large icon of a different file type (e.g., PDF) and a standard phishing link.

This malicious link leads to a phishing website that mimics the Microsoft OneDrive login page. Cybercriminals then use it to steal the credentials of various important email accounts such as Yahoo!, AOL, Outlook, Office 365 and others.
