
Malicious SharePoint and OneDrive links are a phishing scammer’s dream

Attackers are exploiting the rapid adoption of cloud-based collaboration services such as Microsoft’s SharePoint Online and OneDrive by leveraging them as a social engineering tool to trick users into clicking on malicious links, often for the purpose of wire fraud or supply chain fraud.

In an analysis this week, cybersecurity firm Proofpoint revealed that in the first half of 2020, it collected approximately 5.9 million email messages featuring malicious SharePoint Online and OneDrive links. While these emails constituted only about one percent of all messages containing malicious URLs, they represented more than 13 percent of all user clicks.

This report comes on top of another report this week that warned of similar tactics to steal a corporate user’s login credentials using Microsoft Teams.

Users were found to be seven times more likely to click on a malicious SharePoint or OneDrive link that's hosted on a legitimate Microsoft domain. Recipients were four times more likely to click on a SharePoint phishing link, and 11 times more likely to click on a malicious OneDrive link.

Experts say cloud-based collaboration services are ideal tools for adversaries to abuse for social engineering because if the bad actors can compromise a person’s actual cloud-based account, they can then reach out to their contacts and fool them into thinking the email contains an invoice, voicemail or similar legitimate communication from a partner or colleague. "These attacks mimic the way people do business," Itir Clarke, senior product marketing manager at Proofpoint, told SC Media.

Proofpoint observed about 5,500 compromised Microsoft tenants, “which represent a large portion of Microsoft’s enterprise customer base,” the company said in a blog post.

Oliver Tavakoli, CTO at Vectra, agreed that these kind of phishing scams tend to be more successful “since the email is sourced by an internal party, rather than being from an external party pretending to be internal, and the links to SharePoint or OneDrive files reinforce to the victim that this is an internal communication.”

Tom Pendergast, chief learning officer at MediaPRO, noted that attackers are simply jumping on the same bandwagon as their targets.

“Document-sharing and collaboration links are now eclipsing attachments for document sharing, so it’s natural that cybercriminals are moving in the same direction,” Pendergast said.

“These links, especially from SharePoint, can look pretty obscure and complicated even when they are legit. So people get used to clicking on strange-looking but real links, thinking they have the context to validate it’s real. That itself is a problem, but if your co-worker’s email account gets hijacked and that’s where the link comes from? Now you’ve got a known sender and an expected form of link. It’s the perfect setup for a scam.”

The COVID-19 pandemic and its resulting remote-workforce culture has only accelerated cloud adoption and the malicious targeting that has followed.

"Employees and organizations are using collaboration platforms more and more, especially with the increase in remote workers," said Hillary Baron, program manager, research, with the Cloud Security Alliance.

These tools are often sanctioned by their organization for use so they’re seen as credible. Hackers are then taking advantage of this by mimicking what is familiar and trusted by employees.


"Change is generally good for attackers and bad for defenders,” said Tavakoli. “A rapid migration from one mode of working to another creates uncertainty in the minds of general users as to what would be normal in this new world. And attackers who rely on duping users exploit that uncertainty.”

“Furthermore, an account takeover of days past, when your Exchange server was locally hosted in your network, was not as easy to leverage for this type of an attack, as it also required the attacker to have access to a system on the organization’s network,” Tavakoli continued. “Now an account which has been taken over can be directly utilized from the internet, thus reducing the level of scrutiny it receives.”

How the scam works… and how to prevent it.

According to Proofpoint, after a typical SharePoint or OneDrive account compromise, the attackers upload a malicious file and change the sharing permissions of the account to “public” so that anyone can access it. The malicious link is then shared with the compromised users’ contacts or other targeted individuals.

Sometimes the link is a unique redirect URL “and hence can be difficult to detect, as it would not appear on any URL reputation repository,” Proofpoint explained.
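The upload-then-make-public sequence described above leaves a trace in the tenant's own audit trail, which is where a defender can look for it even when the link itself is unknown to URL reputation services. The following is an added example, not code from the article or from Proofpoint: it scans a handful of constructed audit records for an account that uploads a file and exposes it with an anonymous link within minutes, and tallies anonymous opens per source IP. The field and operation names (`FileUploaded`, `AnonymousLinkCreated`, `AnonymousLinkUsed`, `SharingSet`, `ObjectId`, `ClientIP`) are modelled on the Microsoft 365 unified audit log export and should be treated as assumptions to be mapped onto whatever your own export emits.

```python
import json
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample records (not real data). Field and operation names are
# modelled on the Microsoft 365 unified audit log export and are assumptions;
# adjust them to match what your own export actually produces.
SAMPLE_LOG = """\
{"CreationTime": "2020-08-12T09:02:11", "Operation": "FileUploaded", "UserId": "alice@contoso.example", "ObjectId": "https://contoso.example/personal/alice/Documents/Invoice_0812.pdf", "ClientIP": "203.0.113.10"}
{"CreationTime": "2020-08-12T09:03:40", "Operation": "AnonymousLinkCreated", "UserId": "alice@contoso.example", "ObjectId": "https://contoso.example/personal/alice/Documents/Invoice_0812.pdf", "ClientIP": "203.0.113.10"}
{"CreationTime": "2020-08-12T09:05:02", "Operation": "AnonymousLinkUsed", "UserId": "anonymous", "ObjectId": "https://contoso.example/personal/alice/Documents/Invoice_0812.pdf", "ClientIP": "198.51.100.7"}
{"CreationTime": "2020-08-12T10:15:00", "Operation": "FileUploaded", "UserId": "bob@contoso.example", "ObjectId": "https://contoso.example/sites/finance/Shared Documents/Q3_plan.docx", "ClientIP": "192.0.2.5"}
{"CreationTime": "2020-08-13T10:15:00", "Operation": "SharingSet", "UserId": "bob@contoso.example", "ObjectId": "https://contoso.example/sites/finance/Shared Documents/Q3_plan.docx", "TargetUserOrGroupName": "carol@contoso.example", "ClientIP": "192.0.2.5"}
"""

# Operations that turn a file into something anyone on the internet can open.
# Named sharing with a specific colleague (SharingSet) is deliberately excluded.
PUBLIC_SHARE_OPS = {"AnonymousLinkCreated", "AnonymousLinkUpdated"}


def parse_log(text):
    """Parse newline-delimited JSON audit records and return them sorted by time."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        rec = json.loads(line)
        rec["_ts"] = datetime.fromisoformat(rec["CreationTime"])
        events.append(rec)
    events.sort(key=lambda r: r["_ts"])
    return events


def find_upload_then_public(events, window=timedelta(minutes=15)):
    """Flag files that the same account uploaded and then exposed with an
    anonymous ("anyone") link within `window`: the pattern the article
    describes for a freshly compromised SharePoint or OneDrive account."""
    uploads = {}  # (user, file) -> time of upload
    hits = []
    for rec in events:
        key = (rec["UserId"], rec["ObjectId"])
        if rec["Operation"] == "FileUploaded":
            uploads[key] = rec["_ts"]
        elif rec["Operation"] in PUBLIC_SHARE_OPS and key in uploads:
            delta = rec["_ts"] - uploads[key]
            if timedelta(0) <= delta <= window:
                hits.append({"user": rec["UserId"], "file": rec["ObjectId"],
                             "seconds_between": int(delta.total_seconds())})
    return hits


def anonymous_link_uses(events):
    """Count anonymous opens per file, grouped by source IP, so an analyst can
    see how widely a public link was used once it existed."""
    uses = defaultdict(lambda: defaultdict(int))
    for rec in events:
        if rec["Operation"] == "AnonymousLinkUsed":
            uses[rec["ObjectId"]][rec["ClientIP"]] += 1
    return {f: dict(ips) for f, ips in uses.items()}


if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    for hit in find_upload_then_public(evs):
        print(f"ALERT upload->public link by {hit['user']} "
              f"after {hit['seconds_between']}s: {hit['file']}")
    for f, ips in anonymous_link_uses(evs).items():
        print(f"anonymous opens of {f}: {ips}")
```

The time window is the tunable part: a user who uploads a document and shares it publicly a minute later is not always malicious, so in practice this signal is combined with other context, such as an unfamiliar sign-in location for the same account, before it is acted on.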

Other similarly abused cloud-based services include Sway, Dropbox, Googleapis, Google Docs, Google Drive, and Box.

Proofpoint also said that some attackers have strategically placed malicious content in one compromised account while using a second account – perhaps one belonging to an important or credible individual one might expect a communication from – to send the link. “In addition, even if the compromised account in the second tenant is discovered, the malicious file hosted in the first tenant would not be taken down. And so, the attack would persist,” Proofpoint noted.
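One concrete way for a mail-security pipeline to act on the two-tenant observation above is to compare the tenant that hosts a shared file with the tenant the sender is expected to use. This is an added example, not code from the article or from Proofpoint. It assumes the `{tenant}.sharepoint.com` / `{tenant}-my.sharepoint.com` hostname convention for SharePoint Online and OneDrive for Business, and it relies on a maintained, constructed table (`EXPECTED_TENANTS`) mapping sender mail domains to the tenant names they are known to use, since a tenant name cannot be derived from an e-mail domain.

```python
import re
from urllib.parse import urlparse

# Constructed mapping (assumption): the SharePoint/OneDrive tenant names that
# links from each sender domain are expected to point at. This has to be
# maintained by the organisation; it is not derivable from the mail domain.
EXPECTED_TENANTS = {
    "contoso.example": {"contoso"},
    "partner.example": {"partnerco"},
}

# Assumed hostname convention: <tenant>.sharepoint.com for SharePoint sites,
# <tenant>-my.sharepoint.com for OneDrive for Business.
TENANT_HOST = re.compile(r"^([a-z0-9-]+?)(-my)?\.sharepoint\.com$", re.I)


def tenant_of(url):
    """Return the tenant name a SharePoint/OneDrive URL is hosted under, or None."""
    host = urlparse(url).hostname or ""
    m = TENANT_HOST.match(host)
    return m.group(1).lower() if m else None


def classify_link(sender, url):
    """Classify a link in a message from `sender`:
    'expected'       - hosted in a tenant this sender domain is known to use
    'cross-tenant'   - hosted in a different tenant (the two-tenant pattern)
    'unknown-sender' - no expectation recorded for this sender domain
    'not-sharepoint' - not a SharePoint/OneDrive link at all
    """
    tenant = tenant_of(url)
    if tenant is None:
        return "not-sharepoint"
    domain = sender.rsplit("@", 1)[-1].lower()
    expected = EXPECTED_TENANTS.get(domain)
    if expected is None:
        return "unknown-sender"
    return "expected" if tenant in expected else "cross-tenant"


if __name__ == "__main__":
    # Constructed sample messages, not real traffic.
    samples = [
        ("alice@contoso.example", "https://contoso-my.sharepoint.com/personal/alice_contoso/Documents/Invoice.pdf"),
        ("alice@contoso.example", "https://otherco.sharepoint.com/sites/shared/Invoice.pdf"),
        ("eve@partner.example", "https://partnerco.sharepoint.com/sites/joint/plan.docx"),
        ("someone@nobody.example", "https://foo.sharepoint.com/sites/x/doc"),
    ]
    for sender, url in samples:
        print(f"{classify_link(sender, url):15} {sender} -> {url}")
```

A `cross-tenant` result is not proof of fraud, since legitimate partners do sometimes share from a tenant the table has not yet recorded; it is a reason to route the message for closer inspection rather than to deliver it with a clean verdict.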

Proofpoint said this particular phishing scam is difficult to detect “and even harder to block/mitigate if you lack visibility into both email and cloud environments.”

Suggestions from experts to reduce the overall threat included improving cloud visibility training, adopting a Cloud Access Security Broker solution

Chris Hazelton, director of security solutions at Lookout, said that organizations moving to the cloud should “move protections from phishing and social engineering attacks to all the endpoints used to access corporate cloud data.” For instance, "privacy-centric monitoring should take place on every endpoint accessing corporate data,” he added.

Hazelton also advised beefing up training to “help users understand that trusted websites can be used in phishing attacks. Users need to go beyond just inspecting web links. They need to make sure that the context in which a cloud service is being used makes sense."

Baron also recommended installing "technical solutions for Zero Trust networking such as Software Defined Perimeters (SDP), Virtual Private Networks (VPN), and Network Access Control (NAC)" to protect remote workers.

Other experts and security companies recommended investing in Cloud Access Security Brokers, predictive sandboxing, employee/role-based risk assessments (to determine who is likely to be targeted), identity and access management, multi-factor authentication for endpoints and cloud-based services, and more.

SC Media also reached out to Microsoft to inquire how the company recommends users of its cloud-based collaboration services defend themselves against this trending threat.

Bradley Barth

As director of multimedia content strategy at CyberRisk Alliance, Bradley Barth develops content for online conferences, webcasts, podcasts video/multimedia projects — often serving as moderator or host. For nearly six years, he wrote and reported for SC Media as deputy editor and, before that, senior reporter. He was previously a program executive with the tech-focused PR firm Voxus. Past journalistic experience includes stints as business editor at Executive Technology, a staff writer at New York Sportscene and a freelance journalist covering travel and entertainment. In his spare time, Bradley also writes screenplays.
