Researchers say SharePoint has been exploited to host malicious link
A new phishing campaign which targets Microsoft’s Office 365 platform is estimated to have impacted up to 10 percent of users.
According to security researchers from Avanan, the widespread phishing campaign has been monitored over the past two weeks and blocked for the firm’s customers.
While 10 percent of Avanan's customers have been targeted, the research team estimates that “this percentage applies to Office 365 globally.”
Dubbed PhishPoint, the new campaign uses SharePoint, a collaborative platform which is compatible with Office 365, to harvest end-user credentials for the software.
The threat actors behind the new attack use SharePoint files to host phishing links. By inserting the link directly into SharePoint, Avanan says they are able to bypass built-in security measures.
“This leverages a critical flaw in Office 365, where their security focuses on email but neglects other Office 365 services,” the company says.
Targets and potential victims receive an email which invites them to open a SharePoint document. The form of the email is identical to a standard SharePoint invitation, which makes the message appear legitimate.
If the victim clicks on the document, their browser automatically opens the file. The content then impersonates a standard SharePoint request to access a OneDrive file and displays an “Access Document” hyperlink which is malicious in nature.
The link then sends the user to a spoofed Office 365 login screen. Credentials entered into the screen are then harvested. Victims are then forwarded to the legitimate service and would be unlikely to realize anything was amiss.
Avanan researchers commented: “To protect against potential threats, Office 365 scans links in email bodies to look for blacklisted or suspicious domains.”
“Since the link in the email leads to an actual SharePoint document, Microsoft did not identify it as a threat.”
In other words, Microsoft’s security checks for blacklisted and known malicious links go only skin-deep: the link in the email body is inspected, but the links inside the document it points to are not.
Files which are hosted on other services — including SharePoint — are not scanned fully to ascertain whether or not shared documents contain malicious links.
“This presents a clear vulnerability that hackers have taken advantage of to propagate phishing attacks,” the cybersecurity firm added.
However, this “vulnerability” is not one which can easily be patched. Blacklisting a link in a SharePoint file would require the file itself to be banned, and all it would take to circumvent this barrier is for a threat actor to upload a new file.
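Since the gap described above is that links nested inside a shared file are not inspected, a defender can inspect them on their own side. The following is an added example written for this article, not Avanan's or Microsoft's code: it extracts the hyperlinks from a shared document's HTML body and flags hosts that use Microsoft brand terms without belonging to a Microsoft-controlled domain, which is the shape of the spoofed login link in the PhishPoint flow. The trusted-suffix list, brand-term list and sample document are constructed for the example.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed allowlist: hostnames under these suffixes are treated as Microsoft's own.
TRUSTED_SUFFIXES = ("microsoft.com", "microsoftonline.com", "live.com",
                    "office.com", "sharepoint.com", "onedrive.com")
# Constructed brand terms; seen in a host outside the allowlist they suggest a spoofed login page.
BRAND_TERMS = ("office365", "o365", "sharepoint", "onedrive", "microsoft")


class LinkExtractor(HTMLParser):
    """Collects href values of <a> tags from a document body."""
    def __init__(self):
        super().__init__()
        self.links = []

    def handle_starttag(self, tag, attrs):
        href = dict(attrs).get("href") if tag == "a" else None
        if href:
            self.links.append(href)


def extract_links(html):
    parser = LinkExtractor()
    parser.feed(html)
    return parser.links


def is_trusted_host(host):
    host = host.lower().rstrip(".")
    return any(host == s or host.endswith("." + s) for s in TRUSTED_SUFFIXES)


def classify_link(url):
    """'trusted' (Microsoft-controlled), 'suspicious' (brand impersonation,
    userinfo trick or non-web scheme) or 'external' (untrusted, no brand use)."""
    parsed = urlparse(url)
    host = parsed.hostname or ""
    if parsed.scheme not in ("http", "https"):
        return "suspicious"
    if is_trusted_host(host):
        return "trusted"
    if "@" in parsed.netloc:          # e.g. https://login.microsoftonline.com@evil.example/
        return "suspicious"
    compact = host.lower().replace("-", "")   # catches office-365 as well as office365
    if any(term in compact for term in BRAND_TERMS):
        return "suspicious"
    return "external"


def scan_document(html):
    """Map every link in the shared document to its classification."""
    return {url: classify_link(url) for url in extract_links(html)}


# Constructed sample of a shared document body mimicking the flow the article describes.
SAMPLE_DOC = """<p>A file has been shared with you.</p>
<a href="https://contoso.sharepoint.com/sites/hr/Shared%20Documents/report.docx">Open</a>
<a href="https://office365-login.example.net/auth">Access Document</a>
<a href="https://example.org/help">Help</a>"""
```

Running `scan_document(SAMPLE_DOC)` marks the “Access Document” link suspicious while the genuine SharePoint link is trusted; a mail gateway or CASB hook could apply the same check to the fetched document rather than only to the email body.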
Michael Landewe, the founder of Avanan, said the campaign appears to be focusing on Fortune 500 companies in the United States, as well as small SMBs across Europe.