Cloud Security, Malware, Phishing

Phishing attack targets DocuSign and SharePoint users

DocuSign Headquarters. (Coolcaesar is licensed under CC BY-SA 4.0)

Researchers reported on Friday that cybercriminals are mimicking legitimate correspondence to actively target popular cloud applications DocuSign and SharePoint in phishing attacks designed to steal user log-in credentials.

In a blog by the Bitdefender Antispam Lab, the researchers said most of the emails use COVID-19 as a way to dupe users into clicking on a bogus document. For example, the email will ask the user to review a “Covid 19 relief fund as approved by the board of directors.”

The Bitdefender team said the phishing attack was spotted on June 24 and appears to have originated from the United States. The researchers said 33% of the fake emails reached users in the United States; 26% in Ireland; 14% in Korea; 12% in Sweden; 5% in Denmark; and 1% in Finland, the U.K., and India.

While there are no foolproof controls, A.J. King, chief information security officer at BreachQuest, said tops on the list for preventing these attacks include secure email gateways, multi-factor authentication and domain-based message authentication, reporting and conformance (DMARC).  

King added that all those controls will fail from time to time, so security teams need to invest in security awareness training so users can quickly recognize the signs of a phish. He also said companies should install a “Report Phish” button into the company’s email client so users can easily report a questionable email. Security teams can integrate the “button” with the company’s secure email gateway solution so it can do sandbox analysis of the email, automated blocking and removal from the rest of the environment if determined malicious, and notification to the corporate security team.

“Companies should also have a security operations team, properly equipped to monitor logs for alerts around impossible geographical travel, log-ins from a new location, or suspicious user activity,” King said. “They can quickly take emergency action to revoke compromised users credentials, reset tokens, and look for signs of further compromise.”

Get daily email updates

SC Media's daily must-read of the most current and pressing daily news

By clicking the Subscribe button below, you agree to SC Media Terms and Conditions and Privacy Policy.