SharePoint Phishing Attack Technique Using Link Deception

Cybercriminals have found a way to invade corporate environments through a phishing scheme that exploits legitimate file hosting services like Microsoft’s SharePoint. This sophisticated approach to data theft is a social engineering method that evades detection and extends criminals’ reach to more accounts as more victims fall for it. This development signifies an evolution in cybercrime tactics, shifting from individual-targeted scam emails to leveraging trusted work platforms to compromise secure login details and company information. Targeting organizations through SharePoint facilitates various malicious activities, including financial fraud, intellectual property theft, and data exfiltration.

This article examines the surge in SharePoint phishing schemes used by criminals to infiltrate the corporate landscape through their employees.

Organization-Focused Phishing Schemes

Phishing remains one of the most common tactics employed by cybercriminals, with over 3.4 billion phishing emails sent daily. Traditionally, phishing involves sending deceptive emails or messages designed to trick individuals into revealing personal data. Phishing emails usually persuade individuals to click on malicious redirection links scattered throughout the email and provide personal information. As successful as these tactics are, these emails and messages have become so frequent and so distinct that they are easily detected by the public and by modern email security infrastructure, such as extended detection and response.

This has prompted criminals to seek more sophisticated methods and improve their phishing tactics, techniques, and procedures, leading them to shift from generic phishing to aiming their deception at individuals within organizations and preying on their trust and familiarity.

Cybercriminals’ SharePoint Phishing Attack

This scheme works by exploiting shared systems, third-party access points, or internal communication tools that deceive employees into believing they are interacting with genuine services. These attacks typically affect one person at a time. However, instead of settling for individual accounts, the scheme enables attackers to gain proximity to a large number of individuals in one or more organizations using pages users perceive as legitimate Microsoft SharePoint sites.

This phishing scheme works through:

  • Emails that appear to be SharePoint notifications, with subjects such as “New Document Shared with You.”

  • Embedded links that lead users to documents or fake Microsoft 365 login pages.

  • “Validation pages” that harvest users’ credentials, such as usernames and passwords, to access Microsoft accounts and use information for more phishing attempts within the company.

After an individual enters their username and email, an authentic Microsoft validation code or one-time password is sent to the submitted address, which further adds to the notion that the sender and content are legitimate. After the code is entered into SharePoint, the user is successfully authorized and can log in or view the ‘shared document,’ which might download malware.

This multi-layered plan involves various users and leads to gaining access to the organization’s valuable financial accounts and confidential data. 

An organization’s systems are usually secured by IT specialists, AI cybersecurity, and reinforced traditional security measures. The one vulnerable point that threat actors can exploit is the company personnel: individuals who have access to the company systems. People are less likely to have their guard up when using company-owned devices or accounts, as they assume the company’s security is fortified and no cyberattacks can take place. This SharePoint phishing scheme targets this trust and familiarity.

Why Target Microsoft’s SharePoint?

Microsoft SharePoint is a trusted platform, but its interface has given hackers an opening. Using the site, criminals can disguise their links as legitimate SharePoint file shares, which users innocently click and interact with. These links usually lead users to credential-harvesting pages or malware downloads disguised as company-authorized pages. These pages cannot be skipped by test accounts or other domain accounts, and since users are under the impression that the page is work-related, they will continue to enter their personal information to proceed. 

Other reasons criminals have increased phishing activity on SharePoint lie in the platform having:

  • Widespread use

SharePoint is a widely adopted collaboration and document management platform used frequently within businesses of different sizes. This gives cybercriminals easy access to a vast pool of potential victims.

  • Selective security scanning

Traditional scanners prioritize scanning external and unknown websites. Since this phishing attack takes place within SharePoint, a trusted domain, scanners might not flag malicious actions.

  • Gateway to various linked systems 

Compromising a SharePoint account within Microsoft 365 means gaining access to other connected systems such as email, OneDrive, and Microsoft Entra ID. Cyberattackers can carry out business email compromise or lateral movement within the network.

  • Limited link availability, which hides phishing schemes

Just as with other pages hosted on SharePoint, the phishing pages are only accessible through specific links and are available for a limited time. This makes security scanners, sandboxes, and automated crawlers unable to identify or detect malicious domains.

Through this platform, cybercriminals are able to bypass network security, hide within SharePoint files, and operate for a longer duration without being detected. Additionally, if the links are not removed or reported, criminals can reuse them repeatedly in future attacks on individuals of the same or different organizations.
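The trusted-domain gap described above can be narrowed on the mail-triage side. The sketch below is an added example, not code from this article or from Microsoft: it flags share-notification subjects, links to SharePoint tenants outside an allowlist, and SharePoint-branded links that leave SharePoint entirely. The tenant names, the sample message and the subject pattern are constructed assumptions.

```python
import re
from email import message_from_string, policy
from urllib.parse import urlsplit

# Assumption: tenants this organisation really shares with (placeholder names).
KNOWN_TENANTS = {"contoso", "fabrikam"}
LURE_SUBJECT = re.compile(r"\b(shared|document|file)\b.*\b(with you|access|review)\b", re.I)
HREF = re.compile(r'<a\s[^>]*href="([^"]+)"[^>]*>(.*?)</a>', re.I | re.S)

def sharepoint_tenant(host):
    """Tenant label of <tenant>.sharepoint.com or <tenant>-my.sharepoint.com, else None."""
    m = re.fullmatch(r"([a-z0-9-]+?)(-my)?\.sharepoint\.com", host.lower())
    return m.group(1) if m else None

def triage(raw_message):
    """Return a list of findings for one RFC 5322 message given as text."""
    msg = message_from_string(raw_message, policy=policy.default)
    findings = []
    if LURE_SUBJECT.search(msg.get("Subject", "")):
        findings.append("share-notification subject")
    part = msg.get_body(preferencelist=("html", "plain"))
    body = part.get_content() if part is not None else ""
    for url, text in HREF.findall(body):
        host = urlsplit(url).hostname or ""
        tenant = sharepoint_tenant(host)
        if tenant is None:
            # Look-alike: the name appears in the host or link text only.
            if "sharepoint" in (host + " " + text).lower():
                findings.append(f"SharePoint-branded link to non-SharePoint host {host}")
        elif tenant not in KNOWN_TENANTS:
            # Genuine SharePoint host, but not a tenant we work with.
            findings.append(f"link to unknown SharePoint tenant {tenant}")
    return findings

# Constructed sample message (not a real capture).
SAMPLE = """\
From: "SharePoint" <no-reply@notify.example>
To: user@contoso.example
Subject: New Document Shared with You
MIME-Version: 1.0
Content-Type: text/html; charset="utf-8"

<p>A file was shared with you.</p>
<a href="https://northwind-docs.sharepoint.com/:b:/s/finance/abc">Open in SharePoint</a>
<a href="https://sharepoint.com.login-check.example/validate">Verify your Microsoft 365 account</a>
"""

if __name__ == "__main__":
    for finding in triage(SAMPLE):
        print(finding)
```

A finding is a reason to hold the message for review, not a verdict, since legitimate external partners also share from their own tenants.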

Recommended Microsoft Anti-Phishing Solutions

While an organization cannot predict when phishing attempts might occur or immediately identify false SharePoint emails from legitimate ones, there are a few helpful mitigation strategies that Microsoft recommends.

Users can improve authentication and access control by:

By encouraging employees to implement these ready-to-use strategies, organizations can significantly reduce security vulnerability when using SharePoint and protect their sensitive data.

Conclusion

No longer confined to basic phishing schemes, cybercriminals have improved their tactics to more refined methods using trusted work platforms such as Microsoft’s SharePoint website. Phishing through SharePoint allows criminals to exploit the inherent trust placed in the platform and potentially gives criminals access to large volumes of personal credentials if successful. Businesses can mitigate the spread of this phishing tactic by diligently implementing robust authentication, refining email protection, and cultivating a security-aware culture. Through this approach and leveraging Microsoft security measures, they can fortify their digital workspace against persistent phishing attempts.
