SharePoint Sites Hacked To Bypass Secure Email Gateways

By   ISBuzz Team
Writer , Information Security Buzz | Sep 04, 2019 03:58 am PST

Phishers behind a new campaign have switched to using compromised SharePoint sites and OneNote documents to redirect potential victims from the banking sector to their landing pages.

  • The attackers take advantage of the fact that the domains used by Microsoft’s SharePoint web-based collaborative platform are almost always overlooked by secure email gateways which allows their phishing messages to regularly reach their targets’ inboxes
  • The emails sent as part of this new phishing campaign are delivered from compromised accounts and will ask the targets to review a legal assessors proposal via an URL embedded within the message
  • This URL links to an attacker-controlled SharePoint site created using a hacked account hosting a maliciously crafted OneNote document designed to be illegible and asking the targets to download the full version via an embedded link which actually sends the bank employees to the phishing page. Once the targets reach the phishing landing page they see a web page impersonating the OneDrive for Business login page with a message displayed above the login form saying that “This document is secure, please login to view, edit, or download. Select an option below to continue.


Notify of
3 Expert Comments
Oldest Most Voted
Inline Feedbacks
View all comments
Lewis Henderson
Lewis Henderson , VP Threat Intelligence
September 5, 2019 9:11 am

What can organisations do to prevent or mitigate such attacks?

Beyond the human factor, if you analyse why criminals are able to evade current defences it’s because they all work on the basis of identifying ‘known bad’. Attackers are aware if they create something new, unique and keep it low volume, their malware is not only evasive, but it will be more effective for a longer period of time because it doesn’t hit the radar of the big security companies. CISO’s are more than aware their current defences are not as robust as even 12 months ago, they know the human factor will fail when facing highly sophisticated attackers, so they need to look for solutions that work differently to their current suite of cyber defences.

What can cybersecurity companies do to improve their security products?

As an industry, we know malware and attackers are outpacing legacy layers of protection such as AV, that there are numerous techniques to bypass Sandbox, and that Phishers send one-off unique emails to lure their victims. In order to combat these significant challenges, cybersecurity technologies need to rely less on attempting to block known bad and move to a model of zero trust based on standards. A good example of standards-based technology using an alternative method is described by a phrase created by Gartner called Content Disarm & Reconstruction (CDR), which they describe as ‘breaks down files into their discrete components, strips away anything that doesn\’t conform to that file type\’s original specification’. The benefits they describe as ‘real-time process removes zero-day malware and exploits while avoiding the negative business productivity impact’ achieves two key objectives for CISOs; deal with the problem and do it quietly.

Last edited 4 years ago by Lewis Henderson
Javvad Malik
Javvad Malik , Security Awareness Advocate
September 4, 2019 12:02 pm

The use of Sharepoint and other cloud services to host and evade security controls continues to rise. As criminals get more wary of what works and what doesn\’t, phishing techniques continue to evolve to evade technical defences. This is why it is vitally important that enterprises train their employees to be able to spot phishing emails, so that when these mails do bypass mail filters, the users are another line of defence.

But it\’s not enough for users just to be able to spot suspicious emails, there needs to be a mechanism through which they can report them so that security teams can investigate further, and where there is a threat identified, ensure that no other instances are making it through to unsuspecting users.

Last edited 4 years ago by Javvad Malik
Stuart Sharp
Stuart Sharp , VP of Solution Engineering
September 4, 2019 12:00 pm

These attacks are just another example of the creativity of malicious actors. Attackers know that a significant number of organisations are not taking a strong enough stance when it comes to access security. Once they have a set of valid credentials, it is easy to compromise corporate applications, particularly SaaS Apps including HR Systems, File Storage Services and CRMs.
Multi factor authentication (MFA) is currently the best method by which organisations can protect themselves from such attacks, proven to prevent 99.9% of account takeovers. Whether it be a soft token, hard token, certificate or SMS, companies should look at implementing MFA across the board.

Last edited 4 years ago by Stuart Sharp

Recent Posts

Would love your thoughts, please comment.x