4 September 2019

New phishing campaign uses compromised SharePoint sites to bypass email gateways

Researchers from Cofense Phishing Defense Center uncovered an interesting phishing campaign aimed at the banking industry that uses hacked SharePoint sites and OneNote documents to redirect potential victims to attackers’ landing pages.

The emails sent as part of this campaign are delivered via compromised accounts and will ask the recipient to review a proposal document by clicking on an embedded URL. This URL redirects the victim to a compromised SharePoint account used to deliver a secondary malicious URL, allowing the threat actor to circumvent just about any email perimeter technology.

The URL embedded in the phishing message points to a compromised SharePoint site hosting a malicious OneNote document. The document is designed to be illegible and asks potential victims to download a full version via an embedded link, which in reality leads to the main credential phishing page.

This phishing landing page is disguised as the OneDrive for Business login page, with a message displayed above the login form saying: "This document is secure, please login to view, edit, or download. Select an option below to continue." The phishing page offers two ways to authenticate: with an Office 365 (O365) account, or with credentials from any other email provider.

Once the target enters login credentials, the data is automatically collected by the phishing kit, sold by BlackShop Tools, that the attackers behind this campaign use. The gathered information is then sent to what looks like yet another compromised email account.

Indicators of compromise (IoCs):

URLs

hxxps://botleighgrange-my[.]sharepoint[.]com/:o:/p/maintenance/EngTNCs22_REkaJY4gVf9lwBqkwYFtDSmJJ7L2H-AnoDQg?e=tgtauL
hxxps://alblatool[.]com/xxx/one/
https://alblatool.com/xxx/one/office365/index.php

IP addresses

13[.]107[.]136[.]9
198[.]54[.]126[.]160

Email accounts

richardsweldon57[@]gmail[.]com
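The following is an added example, not code from Cofense or from this report: a small Python heuristic that flags the redirect pattern described above (a sharepoint.com OneNote share link leading to an Office-branded login page on a non-Microsoft host), plus a helper that refangs indicators written in the hxxp / [.] style of the list above. The Microsoft host suffixes, brand keyword list and sample chain are assumptions constructed for the example.

```python
"""Added example (not Cofense's code): flags a sharepoint.com OneNote share link
that leads to an Office-branded login page on a non-Microsoft host, and refangs
IoCs written in the hxxp / [.] style used in this report."""
import re
from urllib.parse import urlparse

# Hosts that legitimately serve Microsoft sign-in or document pages (assumed list).
MICROSOFT_SUFFIXES = (".sharepoint.com", ".microsoft.com", ".office.com",
                      ".microsoftonline.com", ".live.com")
# Brand words seen in look-alike login paths, e.g. ".../office365/index.php".
BRAND_KEYWORDS = re.compile(r"office365|o365|onedrive|sharepoint|outlook", re.I)

def refang(ioc: str) -> str:
    """Turn a defanged indicator (hxxps://x[.]y, a[@]b) back into a usable value."""
    return ioc.replace("hxxp", "http").replace("[.]", ".").replace("[@]", "@")

def is_microsoft_host(host: str) -> bool:
    host = host.lower().split(":")[0]
    return any(host == s[1:] or host.endswith(s) for s in MICROSOFT_SUFFIXES)

def is_onenote_share(url: str) -> bool:
    """OneNote share links on SharePoint carry the '/:o:/' path marker."""
    p = urlparse(url)
    return p.netloc.lower().endswith(".sharepoint.com") and "/:o:/" in p.path

def classify_chain(chain):
    """chain: URLs in redirect order, starting with the link in the e-mail.
    Returns one reason per suspicious hop; an empty list means nothing matched."""
    reasons = []
    for i, url in enumerate(chain):
        if not is_onenote_share(url):
            continue
        for nxt in chain[i + 1:]:
            p = urlparse(nxt)
            if not is_microsoft_host(p.netloc) and BRAND_KEYWORDS.search(p.path):
                reasons.append(f"OneNote share {url} leads to Office-branded page "
                               f"on external host {p.netloc}: {nxt}")
    return reasons

# Constructed sample chain modelled on the report; hosts are placeholders.
SAMPLE_CHAIN = [
    "hxxps://victimtenant-my[.]sharepoint[.]com/:o:/p/maintenance/AbCdEf?e=xyz",
    "hxxps://phish-host[.]example/xxx/one/",
    "hxxps://phish-host[.]example/xxx/one/office365/index.php",
]
```

Run `classify_chain([refang(u) for u in SAMPLE_CHAIN])` against chains recovered from proxy or mail-gateway click logs; a legitimate SharePoint-to-OneDrive flow stays on Microsoft hosts and produces no reasons.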
