SecurityBrief Asia - Technology news for CISOs & cybersecurity decision-makers
Story image
Phishing scam imitates SharePoint & OneNote for nefarious clicks
Tue, 8th Sep 2020
FYI, this story is more than a year old

Phishing scams continue to play on the popularity of remote working and collaboration tools, as scammers seek to take advantage of unwitting victims.

A recent report from Sophos indicates one of the most recent tactics attackers are using to conduct their scams uses collaborative platforms SharePoint and OneNote.

Sophos researchers say that the attackers take a slightly different approach to the standard ‘fake login' phishing email.

The scams start with an email that is actually from a genuine company – but the company has likely been hacked and email addresses have been compromised. By coming from a ‘genuine' sender, the scams are more likely to work because the intended victims trust the sender more than they would trust a stranger.

The email contains an attachment that asks victims to use SharePoint to access a OneNote file.

“The SharePoint link you're expected to click to access the One Note file does look suspicious because there's no clear connection between the sender's company and the location of the OneNote lure. But the sender's business relates to construction, and the domain name in the SharePoint link apparently refers to a building company, so the link is at plausible, at least,” Sophos researchers note.

When victims open the OneNote file, there is a link that takes them to a fake login page. In one case, the login page was stuck on a hacked WordPress site.

The login page is supposed to tempt users into entering their details to access an Excel file. Those who enter their details then hand their information over to the attackers.

Sophos principal research scientist Paul Ducklin provides a few pointers:

  • Don't click login links that you reach from an email. That's an extension to our usual advice never to click login links that appear directly in emails. Don't let the crooks distract you by leading you away from your email client first to make their phishing page feel more believable when you get there. If you started from an email, stop if you hit a password demand. Find your own way to the site or service you're supposed to use.
  • Keep your eyes open for obvious giveaways. As we've said many times before, the only thing worse than being scammed is being scammed and then realising that the signs were there all along. Crooks don't always make obvious mistakes, but if they do, make sure you don't miss them.
  • If you think you put in a password where you shouldn't have, change it as soon as you can. Find your own way to the official site of the service concerned, and log in directly. The sooner you fix your mistake, the less chance the crooks have of getting there first.
  • Use 2FA whenever you can. Accounts that are protected by two-factor authentication are harder for crooks to take over because they can't just harvest your password and use it on its own later. They need to trick you into revealing your 2FA code at the very moment that they're phishing you."