A new spear phishing campaign against Microsoft Office SharePoint users

A little over a week ago, news broke of a new spear phishing campaign against Microsoft Office SharePoint users. Cofense's researchers analyzed the email campaign affecting users of the service, noting the care taken to make the content as faithful to the original, and as misleading, as possible. Attacks of this type against Microsoft's platform are not new; the last one took place last December, as reported by Threatpost.

Phishing is fast becoming one of the most used and profitable channels to reach victims. It is easy to mimic the graphics and content of the original senders and to run an inexpensive campaign on a large scale. In addition, the psychological pressure techniques of social engineering are increasingly effective, and users still find it difficult to recognize whether a message is legitimate.

The spear phishing campaign against Microsoft SharePoint

The e-mail simply claims that a document stored on the Microsoft platform needs a digital signature. Perhaps more striking than the campaign itself is that the protection offered by the secure e-mail gateway (SEG) appears to be ineffective, even though it is a Microsoft product. Both this campaign and the previous one use the same domain spoofing technique: the attacker creates an e-mail that appears to come from a legitimate domain (in this case Microsoft). Newer e-mail authentication mechanisms such as DMARC prevent the unauthorized use of domain names in spoofing attacks. The problem, however, is that Microsoft's SEGs do not enforce DMARC, which leaves their users without that protection.
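A gateway-side check for the spoofing described above, as an added example (not code from Cofense or Microsoft): it reads the DMARC verdict recorded in the Authentication-Results header and holds any message that does not explicitly pass. The sample message, the host name mx.example.net and the function names are constructed for illustration.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed sample (not taken from the campaign): the From header claims a
# Microsoft domain, but the receiving gateway recorded dmarc=fail.
SAMPLE = """\
Authentication-Results: mx.example.net;
 spf=fail smtp.mailfrom=bulk.example.org;
 dkim=none;
 dmarc=fail header.from=microsoft.com
From: SharePoint <no-reply@microsoft.com>
To: undisclosed-recipients:;
Subject: Urgent: document pending your signature

Please sign the document.
"""

RESULT_RE = re.compile(r"\b(spf|dkim|dmarc)=(\w+)", re.I)

def auth_results(msg, trusted_authserv):
    """Collect spf/dkim/dmarc verdicts, but only from headers stamped by our
    own gateway; a sender can insert forged Authentication-Results headers."""
    verdicts = {}
    for header in msg.get_all("Authentication-Results", []):
        authserv_id = header.split(";", 1)[0].strip().lower()
        if authserv_id != trusted_authserv.lower():
            continue
        for method, result in RESULT_RE.findall(header):
            verdicts.setdefault(method.lower(), result.lower())
    return verdicts

def triage(raw, trusted_authserv="mx.example.net"):
    """Return the visible From domain, its DMARC verdict and a decision."""
    msg = message_from_string(raw)
    from_domain = parseaddr(msg.get("From", ""))[1].rpartition("@")[2].lower()
    dmarc = auth_results(msg, trusted_authserv).get("dmarc", "missing")
    # Enforce: anything other than an explicit pass is held, not delivered.
    decision = "deliver" if dmarc == "pass" else "quarantine"
    return {"from_domain": from_domain, "dmarc": dmarc, "decision": decision}

if __name__ == "__main__":
    print(triage(SAMPLE))
```
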

The e-mail contains a graphic representing a document, with a link to the supposed SharePoint site that hosts it. It also makes an "urgent" request to sign the document, something that in these times of smart working has become almost the norm for every worker. Once you click the link in the e-mail, you arrive at a web page with a box for entering your credentials. At this point the damage is done: the attackers will have obtained our personal information, and the user will be shown a document as if the operation had been successful.

The fake e-mail sent to the victims of the spear phishing campaign. (Source: Cofense)

The alarm bells to watch out for

In reality, with a keen eye, the spear phishing campaign can be easily identified: let's see how. First, the tone of great urgency and the request to sign a digital document promptly should already put us on alert, since neither is typical of the automatic e-mails sent by Microsoft. Psychological pressure on the victim is in fact one of the most effective techniques, because under pressure we lose lucidity.

Haste is one of the key elements in inducing us to make mistakes or overlook unsafe behavior.

The text itself is also suspicious, both because the language used is not well suited to the content and because it names no user for whom it is intended. Since there is no recipient attached to the text (for example the e-mail address of the user who has to sign), this could make us think of a mass campaign. Finally, on the alleged SharePoint page, we find several extremely worrying elements: the lack of a Microsoft theme (apart from the SharePoint logo), the obscured content (which is typically not present on these platforms) and the title of the page ("Pending File"), all of them warning signs.

In conclusion, any credible phishing campaign can be exposed with proper attention. In addition, we always have our own rules that help us spot fake senders:

  • we use antivirus software and keep its definitions up to date;
  • we keep the software up to date and verify the installation of the latest patches;
  • we pay close attention to the contents of unknown e-mails, avoiding clicking on links that we are not sure about.

With a little experience, each of us will be able to be prepared and defend against the increasingly widespread phishing campaigns.

The article "A new spear phishing campaign against Microsoft Office SharePoint users" comes from Tech CuE | Close-up Engineering.