Research by Proofpoint shows that users are seven times more likely to click on malicious SharePoint Online and OneDrive links that are hosted on legitimate Microsoft domains.
In the first half of 2020, Proofpoint detected 5.9 million email messages with malicious SharePoint Online and OneDrive links. While these messages made up about 1% of the total sample of messages with malicious URLs, they represented more than 13% of user clicks. Users were four times more likely to click on malicious SharePoint links and 11 times more likely to click on malicious OneDrive links.
The research also shows that these messages were distributed from over 5,500 compromised tenants, which represent a large portion of Microsoft’s enterprise customer base.
Malicious SharePoint/OneDrive Links and Account Takeover Lifecycle
SharePoint phishing usually starts with cloud account compromise. Once in control of the account, the attacker uploads a malicious file and then changes the sharing permissions of the file to “Public” so the new anonymous link can be shared with anyone. The attacker emails the link or shares the link with the user’s contacts or other targeted accounts, including external ones. When the recipients open the file and click on the embedded malicious link, they are phished, which starts the whole cycle again. These attacks can lead to data theft or wire fraud such as supply chain fraud.
A user receives an email with a shared link to a pdf file (INV_1100110.pdf) that looks like an invoice. When the user clicks on the link in the pdf file, he is directed to a phishing site that is a fake OneDrive sign-in page.
Malicious OneNote files can also be challenging since they cannot be downloaded and sandboxed. Detection requires an additional step – web-scraping before the embedded links can be analyzed.
Microsoft Form Attack:
In this example, the cybercriminal shares a Word document with a link to a publicly shared Microsoft Forms file (the fake login page), which he uses to harvest Office 365 credentials. Given this attack utilizes legitimate Microsoft services and is pure social engineering, it poses more of a challenge to detect and even harder to block/mitigate if you lack visibility into both email and cloud environments.
Proofpoint has also observed some attackers hosting malicious content in one tenant while utilizing a compromised account such as that of a VIP in a second tenant. Sharing the malicious link from the account of a more fitting user would increase the attackers’ chances of success.
Top Collaboration Services Domains with Clicked-On Malicious Links
SharePoint Online and OneDrive are not the only collaboration services domains that are abused by attackers. A notable one is Sway, the new Microsoft app for creating and sharing interactive content such as reports and newsletters. A second one is storage. Googleapis, which is a file (like a software patch) hosting service that attackers use for tech support scams and more.
Defending Against Hybrid Email and Cloud Threats
To defend against hybrid attacks like SharePoint and OneDrive phishing, organizations must gain visibility across email and cloud threat vectors and address the attack chain holistically. CIOs need to understand the very attacked people (VAPs) and the risks they pose to the organization:
• Who is being targeted with high-priority threats?
• What techniques are being used to attack users?
• Who has clicked on malicious links?
• Which users are prone to clicking?
• Which accounts are compromised?
Which compromised accounts show suspicious file activity?