Researchers from the Microsoft Security Intelligence found that threat actors have launched a new "sneakier than usual" phishing attack campaign targeting organizations using Office 365 that involves the use of legitimate-looking emails and several techniques, including an Office 365 phishing page, compromised SharePoint site and Google Cloud web app hosting to evade phishing detection, ZDNet
"The original sender addresses contain variations of the word "referral" and use various top-level domains, including the domain com[.]com, popularly used by phishing
campaigns for spoofing and typo-squatting," the team said in a tweet.
Microsoft said that attackers have been leveraging the Microsoft SharePoint display name to lure link clicks, while the email pretends to be a "file share" request to access different Excel files. Within the email are two URLs having malformed HTTP headers, the first of which is a Google storage resource redirecting to an AppSpot domain that requires user sign-ins before the appearance of an Office 365 phishing page, while the second URL found in notification settings redirects to a compromised SharePoint site.
"The operator is also known to use legitimate URL infrastructure such as Google, Microsoft, and Digital Ocean to host their phishing pages," said Microsoft.