Hackers Leverage Microsoft Office SharePoint for Nefarious Phishing Attacks

Saturday, May 1st, 2021 | , ,

Researchers at Cofense have discovered a phishing campaign in which hackers don a Microsoft Office SharePoint disguise and are able to successfully bypass security email gateways. This past Tuesday, researchers claimed this new attack as evidence against sharing of documents via Microsoft’s widely used SharePoint collaborations platform. The phish is targeting Office 365 users with a legitimate-looking SharePoint document that claims to urgently need an email signature.

Like most phishing campaigns, this one also includes spoofed emails that contain grammatical and spelling errors, giving users hints to its malicious intentions.

In its X-Force Threat Activity Report, IBM labelled the phish a high-risk threat and gave these recommendations:

  • Ensure anti-virus software and associated files are up to date.
  • Search for existing signs of the indicated incidents of compromise (IoCs) in your environment.
  • Consider blocking and/or setting up detection for all URL and IP based IoCs.
  • Keep applications and operating systems running at the current released patch level.
  • Exercise caution with attachments and links in emails.

Once a system is compromised thanks to a successful phish, the threat actors then set their sights on stealing information, encrypting systems, and holding the information ransom. The attackers are using an old vulnerability, CVE-2019-0604, to get into their victim’s systems. CVE-2019-0604 is a high-severity CVE that can lead to remote code-execution that was patched in March of 2019 but still finds use to this day. In October of 2020, Microsoft warned that Iranian-state threat actors were using CVE-2019-0604 to exploit remotely unpatched servers and to then implant a web shell to gain persistent access and code execution.

Atlas recommends following industry standards regarding training employees to spot phishing attacks and to never follow untrusted links.

Further Reading:

Share this: