Stay Informed: Recent Phishing Campaign Targeting SharePoint Servers

What You Need To Know:

A massive phishing campaign is leveraging Microsoft SharePoint servers to host malicious PDFs that contain phishing links. This campaign is particularly dangerous because it appears legitimate at every stage, making it challenging for both users and security systems to detect malicious intent.

What Is The Current Scope Of This Campaign?

This campaign targets SharePoint users and anyone who receives an email linking to a SharePoint-hosted PDF, and it affects users of SharePoint services globally. The surge in phishing attacks has been observed recently, with a significant increase detected in the last 24 hours. Cybercriminals are exploiting the trusted nature of SharePoint servers to host their phishing content, which lets them bypass traditional security mechanisms and increases the likelihood of users falling for the scam.

How Is This Attack Happening?

  1. Phishing Email: Victims receive an email with a link to a SharePoint-hosted PDF.
  2. Verification Prompt (Optional): After clicking the link in the initial email, users may encounter a Microsoft identity verification window prompting for their email address or one-time code.
  3. SharePoint PDF: The link directs users to a SharePoint-hosted PDF containing another link.
  4. CAPTCHA (Optional): Victims may then be prompted to solve a CAPTCHA, adding a layer of legitimacy and thwarting automated detection systems.
  5. Phishing Page: Finally, victims land on a phishing page that mimics the Microsoft login page.

How To Protect Yourself:

  • Verify Email Sources: Be cautious of unexpected emails, especially those requesting sensitive information or containing links to SharePoint documents. Always verify the sender’s information through a separate, verified channel if you’re unsure about an email’s legitimacy.
  • Check URLs: Always verify the URL before entering credentials, ensuring it matches the expected domain and uses HTTPS. Be wary of any discrepancies in the URL or domain.
  • Enable Security Features: Use advanced email security solutions and enable features like multi-factor authentication (MFA) to add an extra layer of protection. Ensure your security software is up to date.

How To Recognize Indicators Of SharePoint Phishing:

  • Unexpected SharePoint file sharing notifications, especially from unknown senders.
  • Links in the email leading to a SharePoint document, which then contains another link to a malicious site.
  • Mismatched file types (e.g., the email mentions a OneNote file, but the SharePoint page shows a PDF).
  • Requests for urgent action or claims of expiring documents.
  • Poor grammar and spelling mistakes.
  • Unfamiliar greetings or salutations that don’t match typical workplace communication styles.
  • Inconsistencies between the supposed sender’s email address and the actual domain.
  • Links leading to third-party sites unrelated to SharePoint or the sender’s organization.
  • Login pages mimicking Microsoft services but with suspicious URLs.
  • Use of pressure tactics or emotional triggers to get users to click links quickly without scrutiny.
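
Several of the URL-based indicators above (links leading to third-party sites, Microsoft login lookalikes, missing HTTPS) can be checked mechanically on links taken from an email or a SharePoint-hosted PDF. The Python code below is an added example and not part of the original bulletin; the allowlist of sign-in hosts, the lookalike tokens, the label names and the sample `.example` URLs are assumptions to adapt to your environment.

```python
from urllib.parse import urlsplit

# Assumption: hosts where a genuine Microsoft sign-in is expected; adjust per tenant.
MS_LOGIN_HOSTS = {"login.microsoftonline.com", "login.microsoft.com", "login.live.com"}
# Assumption: brand words that a lookalike host typically borrows.
LOOKALIKE_TOKENS = ("microsoft", "office365", "outlook", "sharepoint", "login")


def _under(host, domain):
    """True if host equals domain or is a subdomain of it (never a substring match)."""
    return host == domain or host.endswith("." + domain)


def check_link(url, org_domains=()):
    """Return the indicator labels (hypothetical names) that one link triggers."""
    parts = urlsplit(url)
    host = (parts.hostname or "").lower().rstrip(".")
    findings = []
    if parts.scheme != "https":
        findings.append("not-https")
    if parts.username is not None:
        # Text before '@' is not the host, even if it reads like a trusted domain.
        findings.append("userinfo-in-url")
    if host.startswith("xn--") or ".xn--" in host:
        findings.append("punycode-host")
    if host in MS_LOGIN_HOSTS or any(_under(host, d) for d in org_domains):
        return findings
    if _under(host, "sharepoint.com"):
        # Trusted hosting does not make the document trusted; review its links too.
        return findings + ["sharepoint-hosted"]
    findings.append("third-party-host")
    if any(tok in host for tok in LOOKALIKE_TOKENS):
        findings.append("microsoft-lookalike")
    return findings


# Constructed sample links (reserved .example names), e.g. as extracted from a PDF.
SAMPLE_LINKS = [
    "https://tenant-placeholder.sharepoint.com/sites/hr/policy.pdf",
    "https://login.microsoftonline.com.secure-docs.example/signin",
    "http://login.microsoftonline.com@files.example/doc",
]

if __name__ == "__main__":
    for link in SAMPLE_LINKS:
        print(link, "->", check_link(link) or ["no indicators"])
```

A link labelled only `sharepoint-hosted` is not cleared: the document it points to can itself contain a further link, which should be run through the same check.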

Conclusion:

As phishing tactics evolve and become more sophisticated, leveraging legitimate services like SharePoint, it is increasingly important for organizations and individuals to stay vigilant and adopt robust security measures. By following the steps outlined above and staying informed about the latest phishing threats, you can better protect yourself and your data from these malicious attacks.

For those who would like more detailed information regarding this bulletin, please visit the following links:

This bulletin is intended to keep you informed about the latest cyber threats, cybersecurity news, and how to protect yourself. If you have any questions or need further assistance, please contact our support team.

 

Solinkit