A new SharePoint phishing scam has been detected that attempts to steal Office 365 credentials. The scam emails being sent in this campaign are similar to those used in countless Google Docs phishing attacks, which appear at face value to be invitations to collaborate through the sharing of files. Such scams are also commonly used to spread malware, with the shared documents containing malicious macros or links to websites from which malware is silently downloaded.
These brand impersonation attacks use an email format identical to that of genuine messages. The phishing emails contain the logos, formatting and links that make the messages indistinguishable from legitimate requests to collaborate on a project.
This SharePoint phishing scam includes a hyperlink to a genuine SharePoint document, which may not be flagged as malicious since the file itself does not contain malware.
The SharePoint file advises the user that the content they are looking for has been uploaded to OneDrive for Business and a further click is necessary to access the file. A hyperlink named “Access Document” is included in the SharePoint file along with the genuine OneDrive for Business logo and appropriate graphics. At face value the document does not appear malicious, although checking the destination URL of the link will reveal that it directs the user to a suspect website.
The phishing attempt takes place on that website. After clicking the link, the user is presented with an Office 365 login window and prompted to enter their Microsoft login details. Entering Office 365 credentials at this point passes them to the criminals behind the campaign. The user is unlikely to realize that they have been phished, since after entering credentials they are redirected to a genuine Office site.
This SharePoint phishing scam appears to target businesses. Business users are likely to be used to collaborating using SharePoint and are therefore more likely to respond. Gaining access to a business Office 365 account is also more lucrative for the attackers, giving them access to email accounts that can be used in further phishing campaigns, to the data stored in those accounts, and to other sensitive data.
Email addresses for business users can easily be located through sites such as LinkedIn, or lists of business email addresses can be purchased on the dark web and hacking forums.
This SharePoint phishing scam, Google Docs phishing scams, and similar campaigns spoofing Dropbox are commonplace and highly effective. They take advantage of familiarity with these collaboration services, trust in the brands, a lack of security awareness, and business employees that do not stop and think before clicking.
Preventing these attacks requires technological solutions to stop the messages from being delivered. Security awareness training can be highly effective at conditioning employees to stop and think before taking any action, while web filters can block these attacks by preventing malicious URLs from being visited. Without these controls in place, businesses will be vulnerable.
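The destination-URL check described above, and the URL filtering mentioned here, as an added example that is not part of the original article: a Python script that extracts the links from an HTML email or document and flags any whose wording borrows Microsoft branding (OneDrive, SharePoint, "Access Document") while pointing at a host outside an allowlist of Microsoft domains. The allowlist is an assumption made for this example, and the sample HTML and its non-Microsoft domains are constructed placeholders.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

# Illustrative allowlist of Microsoft-owned hosting domains (assumed for this example, not
# complete); any subdomain such as contoso-my.sharepoint.com is accepted.
MICROSOFT_DOMAINS = ("sharepoint.com", "onedrive.com", "microsoft.com",
                     "office.com", "live.com", "microsoftonline.com")
# Brand words from the lure: a link worded this way should resolve to a Microsoft host.
BRAND_WORDS = ("onedrive", "sharepoint", "office 365", "access document", "microsoft")


def host_is_microsoft(url):
    host = (urlparse(url).hostname or "").lower()
    # Match on a label boundary so "sharepoint.com.evil.example" is not accepted.
    return any(host == d or host.endswith("." + d) for d in MICROSOFT_DOMAINS)


class _LinkCollector(HTMLParser):
    """Collect (href, visible text) for every <a> element in a document."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href", ""), []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, " ".join(self._text).strip()))
            self._href = None


def find_brand_mismatches(html):
    """Return (text, href) for links that borrow a Microsoft brand but leave Microsoft."""
    parser = _LinkCollector()
    parser.feed(html)
    return [(text, href) for href, text in parser.links
            if any(w in text.lower() for w in BRAND_WORDS) and not host_is_microsoft(href)]


# Constructed sample mimicking the lure; the non-Microsoft domains are placeholders.
SAMPLE = """
<p>Shared via <a href="https://contoso-my.sharepoint.com/:w:/g/doc">SharePoint</a></p>
<p>The content has been uploaded to OneDrive for Business.</p>
<a href="https://login-onedrive.example.net/office365">Access Document</a>
<a href="https://sharepoint.com.example.org/x">Open in OneDrive</a>
"""
```

Running `find_brand_mismatches(SAMPLE)` returns the two placeholder links and leaves the genuine SharePoint link alone; the same routine can be pointed at the HTML of the intermediate SharePoint document to catch the "Access Document" hop.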