SharePoint Phishing Scams | |
Type of Campaign | Scam |
Date of initial activity | 2024 |
Motivation | Financial Gain |
Attack Vectors | Phishing |
Overview
A new wave of phishing attacks is exploiting SharePoint, a widely trusted platform, to deceive users and steal sensitive information. This rapidly growing campaign uses SharePoint to host malicious PDFs containing phishing links, taking advantage of the platform’s legitimacy to bypass traditional security measures. In just 24 hours, over 500 sandbox sessions have detected phishing attempts involving this tactic, illustrating the scale and effectiveness of the operation. The campaign poses a significant threat due to its seemingly authentic appearance, making it difficult for victims to recognize the deception.
What makes this scam particularly dangerous is the multi-layered approach attackers use. The phishing attack typically begins with a well-crafted email containing a link that directs the victim to a PDF stored on SharePoint. Because SharePoint is a trusted service, users are less likely to question the legitimacy of the document. From there, additional obstacles, such as CAPTCHA challenges, are introduced to thwart automated detection systems. Only after these steps does the phishing attack fully reveal itself, as victims are redirected to a convincing imitation of a Microsoft login page designed to steal their credentials.
As phishing campaigns continue to evolve, this SharePoint-based attack exemplifies how cybercriminals are finding new ways to exploit trusted platforms and bypass security defenses. The campaign’s sophistication and scale underscore the importance of increased vigilance among users, who must now be cautious even when interacting with platforms they trust.
Targets
Individuals
How they operate
The attack begins with a phishing email that contains a link to a SharePoint-hosted PDF. Once the user clicks the link, they are directed to SharePoint, where the malicious PDF appears legitimate because it is stored on a trusted, verified service. This is one of the key features of the scam—by using SharePoint as the initial point of contact, it successfully evades many email security filters that typically flag phishing emails. The PDF itself contains a phishing link designed to lure the victim into taking the next step, often under the pretense of urgent action or account security.
Upon clicking the link in the PDF, the user may be required to solve a CAPTCHA, which further complicates the phishing detection process. CAPTCHAs are generally used as a security measure to differentiate between bots and humans, but in this context, they serve as a barrier to automated cybersecurity solutions. CAPTCHAs require human interaction and prevent simple security tools from identifying and flagging the phishing attempt. This manual intervention also adds an extra layer of legitimacy, making the victim believe the process is secure.
Once the CAPTCHA is completed, the victim is directed to a highly convincing phishing page that mimics the Microsoft login portal. The page is designed to trick users into entering their login credentials, which are then harvested by the attackers. In some cases, the phishing kit may request additional security information, such as a one-time code, adding another layer of deception. Since all actions leading up to this point take place on legitimate websites—SharePoint for the PDF hosting and CAPTCHA for added verification—it becomes exceptionally challenging for security systems to detect the scam at earlier stages.
The final stage of the scam occurs when the victim submits their credentials, which are sent directly to the attacker. At this point, the attacker can access the victim’s Microsoft or other related accounts, potentially leading to further breaches, including email takeovers, financial fraud, or data theft. In some cases, if the phishing kit detects that the traffic is coming from a security scanning tool or hosting provider, it redirects users to a legitimate website to avoid detection, further complicating any efforts to track the scam.
As these phishing techniques become more advanced, the SharePoint scam exemplifies the ongoing challenge in cybersecurity—how to protect against threats that exploit trusted platforms. This attack demonstrates the necessity for more robust detection tools that can scrutinize activity on legitimate services, as well as increased user awareness to recognize phishing red flags, even when interacting with platforms they inherently trust.
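The chain described above (a SharePoint-hosted PDF, an optional CAPTCHA, then credentials submitted to a look-alike Microsoft login page) leaves a recognizable sequence in web proxy logs. The following Python is an added example, not part of the original report, that correlates that sequence per user. The log format, the domain lists, the 10-minute window, the assumption that the proxy records a document URL ending in `.pdf`, and every host and user in the sample are assumptions made for illustration.

```python
from datetime import datetime, timedelta
from urllib.parse import urlsplit

# Assumed allowlist: domains where a real Microsoft sign-in form is expected.
MS_SUFFIXES = ("microsoftonline.com", "microsoft.com", "live.com", "office.com", "sharepoint.com")
# Assumed CAPTCHA providers (the page does not name the one used).
CAPTCHA_HOSTS = ("challenges.cloudflare.com", "hcaptcha.com")
WINDOW = timedelta(minutes=10)  # assumed correlation window

# Constructed proxy log (time, user, method, URL); all hosts and users are made up.
SAMPLE_LOG = """\
2024-09-10T09:00:05 alice GET https://example-tenant.sharepoint.com/sites/hr/Shared%20Documents/invoice.pdf
2024-09-10T09:00:40 alice GET https://challenges.cloudflare.com/turnstile/v0/api.js
2024-09-10T09:01:10 alice POST https://login.example.net/common/oauth2/authorize
2024-09-10T09:05:00 bob GET https://example-tenant.sharepoint.com/sites/it/policy.pdf
2024-09-10T09:06:00 bob POST https://login.microsoftonline.com/common/login
2024-09-10T11:00:00 carol GET https://example-tenant.sharepoint.com/sites/it/policy.pdf
2024-09-10T13:00:00 carol POST https://forum.example.org/reply
"""

def host_in(host, suffixes):
    return any(host == s or host.endswith("." + s) for s in suffixes)

def parse(log):
    for line in log.splitlines():
        if line.strip():
            ts, user, method, url = line.split(maxsplit=3)
            yield datetime.fromisoformat(ts), user, method, urlsplit(url)

def detect(log):
    """Flag users who open a SharePoint PDF, then POST to a non-Microsoft host within WINDOW."""
    pending, alerts = {}, []  # pending: user -> state of the most recent SharePoint PDF view
    for ts, user, method, u in sorted(parse(log), key=lambda e: e[0]):
        host = (u.hostname or "").lower()
        if method == "GET" and host_in(host, ("sharepoint.com",)) and u.path.lower().endswith(".pdf"):
            pending[user] = {"pdf": u.geturl(), "at": ts, "captcha": False}
            continue
        state = pending.get(user)
        if state is None:
            continue
        if ts - state["at"] > WINDOW:
            del pending[user]  # chain went stale; stop tracking
        elif host_in(host, CAPTCHA_HOSTS):
            state["captcha"] = True  # CAPTCHA gate seen: raises confidence
        elif method == "POST" and not host_in(host, MS_SUFFIXES):
            alerts.append({"user": user, "pdf": state["pdf"], "post_host": host,
                           "captcha_seen": state["captcha"]})
            del pending[user]
    return alerts
```

Treat the output as a triage lead rather than a verdict: a POST to an unrelated site shortly after opening a PDF will also match, so `captcha_seen` and the destination host should be reviewed before escalating.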