A major new phishing campaign has been found using compromised SharePoint sites and OneNote documents.
According to researchers at Cofense, criminals are looking to lure in victims from the banking sector to fake landing pages in an attempt to steal login details.
The campaign uses phishing emails sent from compromised accounts asking the targets to review a legal assessor's proposal via a URL embedded within the message.
However, doing so sends the victim to a compromised SharePoint site created using a hacked account and controlled by the criminals. This site hosts a fake OneNote document which is illegible; the victims are instead asked to download the full version via an embedded link.
This in turn redirects the victim to the phishing site, which hosts a fake OneDrive for Business login page with a message displayed above the login form saying that "This document is secure, please login to view, edit, or download. Select an option below to continue."
However, entering their login details, whether for an Office 365 account or another email provider, hands their email credentials over to the hackers.
The attack is made possible by a security flaw: domains used by Microsoft's SharePoint web-based collaboration platform are almost always overlooked by secure email gateways, which allows the phishing messages to regularly reach their targets' inboxes.
"SharePoint is the initial delivery mechanism to deliver a secondary malicious URL, allowing the threat actor to circumvent just about any email perimeter technology," Cofense said.
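As an added illustration (not code from Cofense or from the original report), a supplementary mail-filter check a defender could run alongside a secure email gateway: it flags links to SharePoint tenants outside the organisation's own allowlist, and checks fetched landing-page text for the lure message quoted above. The tenant names and the sample message are constructed.

```python
import re
from urllib.parse import urlparse

# Constructed allowlist: the organisation's own SharePoint tenant (hypothetical name).
TRUSTED_TENANTS = {"contoso"}

URL_RE = re.compile(r"https?://[^\s\"'<>]+", re.IGNORECASE)
# Lure text reported for this campaign's fake OneDrive for Business login page.
LURE_PHRASE = "this document is secure, please login to view, edit, or download"


def sharepoint_tenant(url):
    """Return the tenant name for a *.sharepoint.com URL (incl. -my.sharepoint.com), else None."""
    host = (urlparse(url).hostname or "").lower()
    m = re.fullmatch(r"([a-z0-9-]+?)(-my)?\.sharepoint\.com", host)
    return m.group(1) if m else None


def flag_sharepoint_links(body, trusted=TRUSTED_TENANTS):
    """Return URLs in a message body that point at SharePoint tenants outside the allowlist.

    A gateway that trusts *.sharepoint.com wholesale lets these through; this check
    treats only the organisation's own tenant as trusted.
    """
    flagged = []
    for url in URL_RE.findall(body):
        tenant = sharepoint_tenant(url)
        if tenant and tenant not in trusted:
            flagged.append(url)
    return flagged


def looks_like_lure_page(html):
    """True if the visible text of a fetched page carries the campaign's lure message."""
    text = re.sub(r"<[^>]+>", " ", html)          # drop tags
    text = re.sub(r"\s+", " ", text).lower()      # normalise whitespace
    return LURE_PHRASE in text


# Constructed sample email: one external tenant link, two internal ones.
SAMPLE_EMAIL = (
    "Please review the legal assessor's proposal: "
    "https://legal-assessors.sharepoint.com/:o:/s/Proposals/review "
    "Internal references: https://contoso.sharepoint.com/sites/Finance "
    "and https://contoso-my.sharepoint.com/personal/a_user"
)
# Constructed sample of a fetched landing page.
SAMPLE_LANDING = (
    "<html><body><p>This document is secure, please login to view, edit, "
    "or download.</p><form>Select an option below to continue.</form></body></html>"
)
```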