A significant phishing campaign is exploiting Microsoft SharePoint servers by hosting malicious PDFs that contain phishing links. This sophisticated attack has seen a surge in recent activity, with over 500 phishing attempts detected in just 24 hours. The campaign is dangerous because it uses legitimate SharePoint services to host the phishing documents, making detection challenging for both users and security systems.
The phishing attack unfolds through a series of deceptive steps. Victims receive an email with a link to a SharePoint-hosted PDF, which contains another link. After clicking, the victim is prompted to solve a CAPTCHA, adding an extra layer of legitimacy. Finally, they are directed to a phishing page that mimics the Microsoft login page, which may include additional complexities like one-time codes to further deceive users.
The use of SharePoint servers makes these phishing attempts difficult to detect with traditional security mechanisms. Legitimate-looking sites and CAPTCHA prompts create challenges for automated detection systems. In response, several measures have been introduced, such as tagging suspicious documents as “possible-phishing,” adding a “sharepoint” tag for better management, and providing warnings in sandbox sessions to alert users.
To combat these phishing attacks, users should be cautious of unexpected SharePoint file sharing notifications, verify URLs before entering credentials, and use advanced email security solutions. Ensuring multi-factor authentication and keeping security software up-to-date are also crucial steps in protecting against such sophisticated phishing schemes.
