The threat actors behind the new attack use SharePoint files to host phishing links. By inserting the link directly into SharePoint, Avanan says they are able to bypass built-in security measures.
“This leverages a critical flaw in Office 365, where their security focuses on email but neglects other Office 365 services,” the company says.
Targets and potential victims receive an email which invites them to open a SharePoint document. The form of the email is identical to a standard SharePoint invitation which makes the message appear legitimate.
If the victim clicks on the document, their browser automatically opens the file. The content then impersonates a standard SharePoint request to access a OneDrive file and displays a malicious “Access Document” hyperlink.
The link then sends the user to a spoofed Office 365 login screen. Credentials entered into the screen are then harvested. Victims would then be sent to the legitimate service and would be unlikely to realize anything was amiss.
Avanan researchers commented that: “To protect against potential threats, Office 365 scans links in email bodies to look for blacklisted or suspicious domains.”
“Since the link in the email leads to an actual SharePoint document, Microsoft did not identify it as a threat.”
In other words, Microsoft’s security protocols for scanning for blacklisted and known malicious links only go skin-deep.
Files which are hosted on other services — including SharePoint — are not scanned fully to ascertain whether or not shared documents contain malicious links.
“This presents a clear vulnerability that hackers have taken advantage of to propagate phishing attacks,” the cybersecurity firm added.
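The gap described above, shown as an added example (not code from Avanan or Microsoft): a scanner that checks only the links in the email body passes the invitation, while one that also inspects the links inside the hosted file flags it. The URLs, the blocklist entry, and the `HOSTED_FILES` lookup that stands in for retrieving the shared file are all constructed for illustration.

```python
import re
from urllib.parse import urlparse

# Constructed blocklist entry (placeholder domain, not a real indicator).
BLOCKED_DOMAINS = {"login-portal.example.net"}

# Constructed invitation email: its only link points at the hosted file.
FILE_URL = "https://sharepoint.example.com/sites/team/invoice.aspx"
EMAIL_BODY = f'A file was shared with you: <a href="{FILE_URL}">Open</a>'

# Constructed stand-in for fetching the hosted file's content (runs offline).
HOSTED_FILES = {
    FILE_URL: '<p>Request to access a OneDrive file</p>'
              '<a href="https://login-portal.example.net/o365">Access Document</a>',
}

HREF_RE = re.compile(r'href="([^"]+)"', re.IGNORECASE)


def extract_links(html):
    """Return every href value found in an HTML fragment."""
    return HREF_RE.findall(html)


def is_blocked(url):
    """True if the URL's host is a blocked domain or a subdomain of one."""
    host = (urlparse(url).hostname or "").lower()
    return any(host == d or host.endswith("." + d) for d in BLOCKED_DOMAINS)


def scan_email_body_only(body):
    """First-hop scan: only links that appear in the email itself."""
    return [u for u in extract_links(body) if is_blocked(u)]


def scan_with_hosted_content(body, fetch=HOSTED_FILES.get):
    """Second-hop scan: also check links inside files the email points to."""
    hits = []
    for url in extract_links(body):
        if is_blocked(url):
            hits.append((url, "email body"))
        content = fetch(url)  # None when the link is not a hosted file we can read
        for inner in extract_links(content or ""):
            if is_blocked(inner):
                hits.append((inner, "hosted file " + url))
    return hits


if __name__ == "__main__":
    print("body-only scan:", scan_email_body_only(EMAIL_BODY))
    print("with hosted content:", scan_with_hosted_content(EMAIL_BODY))
```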
However, this “vulnerability” is not one which can easily be patched. Blacklisting a link in a SharePoint file would require the file itself to be banned, and all it would take to circumvent this barrier is for a threat actor to upload a new file.
Michael Landewe, the founder of Avanan, said the campaign appears to be focusing on Fortune 500 companies in the United States, as well as small SMBs across Europe.
This article is from the CBROnline archive: some formatting and images may not be present.