Phishers behind a new campaign have switched to using compromised SharePoint sites and OneNote documents to redirect potential victims from the banking sector to their landing pages.
- The attackers take advantage of the fact that the domains used by Microsoft’s SharePoint web-based collaborative platform are almost always overlooked by secure email gateways which allows their phishing messages to regularly reach their targets’ inboxes
- The emails sent as part of this new phishing campaign are delivered from compromised accounts and will ask the targets to review a legal assessors proposal via an URL embedded within the message
- This URL links to an attacker-controlled SharePoint site created using a hacked account hosting a maliciously crafted OneNote document designed to be illegible and asking the targets to download the full version via an embedded link which actually sends the bank employees to the phishing page. Once the targets reach the phishing landing page they see a web page impersonating the OneDrive for Business login page with a message displayed above the login form saying that “This document is secure, please login to view, edit, or download. Select an option below to continue.