Researchers from Cofense Phishing Defense Center uncovered an interesting phishing campaign aimed at the banking industry that uses hacked SharePoint sites and OneNote documents to redirect potential victims to attackers’ landing pages.
The emails sent as part of this campaign are delivered via compromised accounts and will ask the recipient to review a proposal document by clicking on an embedded URL. This URL redirects the victim to a compromised SharePoint account used to deliver a secondary malicious URL, allowing the threat actor to circumvent just about any email perimeter technology.
The URL embedded in the phishing message points to a compromised SharePoint site hosting a malicious OneNote document. The document is designed to be illegible and asks potential victims to download a full version via an embedded link, which in reality leads to the main credential phishing page.
This phishing landing page is disguised as the OneDrive for Business login page, with a message displayed above the login form saying: "This document is secure, please login to view, edit, or download. Select an option below to continue." The phishing page offers two options to authenticate: with an Office 365 account or with credentials from any other email provider.
Once the target enters login credentials, the data is automatically collected by the phishing kit, sold by BlackShop Tools and used by the attackers behind this campaign. The gathered information is then sent to what looks like yet another compromised email account.
Indicators of compromise (IoCs):
URLs
hxxps://botleighgrange-my[.]sharepoint[.]com/:o:/p/maintenance/EngTNCs22_REkaJY4gVf9lwBqkwYFtDSmJJ7L2H-AnoDQg?e=tgtauL
hxxps://alblatool[.]com/xxx/one/
hxxps://alblatool[.]com/xxx/one/office365/index.php
IP addresses
13[.]107[.]136[.]9
198[.]54[.]126[.]160
Email accounts
richardsweldon57[@]gmail[.]com
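As an added illustration (not part of the Cofense write-up and not the phishing kit's code), the following Python refangs the indicators listed above and matches them against a constructed web proxy log, labelling which stage of the chain each hit corresponds to: the OneNote lure on the compromised SharePoint tenant, the fake OneDrive for Business landing page, and the form handler that receives the typed credentials. The log format, the sample log lines and the stage labels are assumptions made for this example.

```python
import re
from urllib.parse import urlparse

# Indicators published in the write-up above, kept in their defanged form.
DEFANGED_IOCS = [
    "hxxps://botleighgrange-my[.]sharepoint[.]com/:o:/p/maintenance/EngTNCs22_REkaJY4gVf9lwBqkwYFtDSmJJ7L2H-AnoDQg?e=tgtauL",
    "hxxps://alblatool[.]com/xxx/one/",
    "hxxps://alblatool[.]com/xxx/one/office365/index.php",
    "13[.]107[.]136[.]9",
    "198[.]54[.]126[.]160",
    "richardsweldon57[@]gmail[.]com",
]


def refang(ioc: str) -> str:
    """Reverse the usual defanging conventions (hxxp, [.], [@]) so the value can be matched."""
    return (
        ioc.replace("hxxps://", "https://")
        .replace("hxxp://", "http://")
        .replace("[.]", ".")
        .replace("[@]", "@")
    )


def classify(ioc: str) -> str:
    """Label a refanged indicator as url, ip or email."""
    if ioc.startswith(("http://", "https://")):
        return "url"
    if re.fullmatch(r"\d{1,3}(?:\.\d{1,3}){3}", ioc):
        return "ip"
    if "@" in ioc:
        return "email"
    return "other"


def build_indicator_index(defanged):
    """Split indicators into lookup tables: URL prefixes, hostnames and IPs."""
    urls, hosts, ips = [], set(), set()
    for raw in defanged:
        ioc = refang(raw)
        kind = classify(ioc)
        if kind == "url":
            urls.append(ioc)
            hosts.add(urlparse(ioc).hostname)
        elif kind == "ip":
            ips.add(ioc)
    return urls, hosts, ips


# Hypothetical proxy log layout used for this example:
# timestamp client_ip dest_ip method url status
LOG_RE = re.compile(
    r"^(?P<ts>\S+) (?P<client>\S+) (?P<dest>\S+) (?P<method>[A-Z]+) (?P<url>\S+) (?P<status>\d{3})$"
)


def scan_proxy_log(lines, defanged=DEFANGED_IOCS):
    """Return one hit per log line that touches a known stage of the phishing chain."""
    urls, hosts, ips = build_indicator_index(defanged)
    hits = []
    for lineno, line in enumerate(lines, 1):
        m = LOG_RE.match(line.strip())
        if not m:
            continue
        url = m.group("url")
        host = urlparse(url).hostname
        stage = None
        if any(url.startswith(u) for u in urls) or host in hosts:
            # The stage is inferred from which part of the chain the URL belongs to.
            if host and host.endswith("sharepoint.com"):
                stage = "lure: compromised SharePoint / OneNote share"
            elif url.endswith("/index.php"):
                stage = "credential form: phishing kit POST target"
            else:
                stage = "landing: fake OneDrive for Business login"
        elif m.group("dest") in ips:
            stage = "known infrastructure IP"
        if stage:
            hits.append({"line": lineno, "client": m.group("client"), "url": url, "stage": stage})
    return hits


# Constructed sample log: one client walks the whole chain, another only does normal browsing.
SAMPLE_LOG = [
    "2019-06-12T09:14:02Z 10.0.4.21 13.107.136.9 GET https://botleighgrange-my.sharepoint.com/:o:/p/maintenance/EngTNCs22_REkaJY4gVf9lwBqkwYFtDSmJJ7L2H-AnoDQg?e=tgtauL 200",
    "2019-06-12T09:14:40Z 10.0.4.21 198.54.126.160 GET https://alblatool.com/xxx/one/ 200",
    "2019-06-12T09:15:05Z 10.0.4.21 198.54.126.160 POST https://alblatool.com/xxx/one/office365/index.php 302",
    "2019-06-12T09:16:11Z 10.0.4.33 93.184.216.34 GET https://example.com/quarterly-report.pdf 200",
    "2019-06-12T09:17:30Z 10.0.4.33 13.107.136.9 GET https://contoso-my.sharepoint.com/personal/user/Documents/notes.docx 200",
]

if __name__ == "__main__":
    for hit in scan_proxy_log(SAMPLE_LOG):
        print(f"line {hit['line']}: {hit['client']} -> {hit['url']} [{hit['stage']}]")
```

The URL and hostname matches are the useful ones: a client that fetches the SharePoint share and then POSTs to the `index.php` handler has very likely submitted credentials and should be triaged for a password reset. The IP-only match on the last sample line shows why the address indicators need care: the SharePoint tenant sits on shared cloud infrastructure, so an address alone also flags legitimate traffic to other tenants.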