SharePoint and OneNote Being Used to Harvest Credentials

Following up on a received spam email, researchers from Naked Security have uncovered a phishing scheme designed to gain access to credentials through two popular Microsoft products, SharePoint and OneNote.

Initially, researchers received a legitimate-looking email that was actually from the sender named in the from line. The sender was a legitimate engineering business whose account was, apparently, hacked. The researchers hypothesize the account was used to contact victims in the account address book, and thus gained trust in enticing the recipient to open the phishing email.

The purpose, it seems, was to use one account to compromise as many as possible. The email contained an attachment that appears to be a SharePoint link, which would, in turn, allow access to a OneNote file. This link had some pointers as to its validity. The company from which the email came is an engineering company and the link relates to construction.

Contained within the OneNote file was another link, this time it was presented as an opportunity to review the file. This is where the attacker attempted to set their hook. The other source of concern for researchers is the PDF file in the OneNote project. The link is actually there to take you to a login page, which is now hidden or offline as of this writing. From this point, there are numerous red flags.

First, the name of the company is wrong. Instead of using Structural in the company name, the actor used the word Surgical. The URL used to host the login page is hosted in Kyiv in the Ukraine. It is at this point the login page is revealed. Login is necessary to access an Excel file. This slip also adds to the suspicious nature of the email.

Other factors that show the non-legitimacy of the phishing email are present. The login page also provides numerous authentication choices. Obviously attempting to login through any of these methods sends credentials to the attacker, thus completing the scam.