Phishing scammers are really good at taking advantage of a situation. Take the Covid-19 pandemic. The changes to business during this time have been unprecedented. Employees being moved rapidly to home working, facilitated by the use of digital technologies. This created a perfect storm that phishing scammers took advantage of. The result, a 30,000% increase in Covid-19-based threats, aided by weaponized websites and phishing emails. Helping to achieve the malevolent aims of the scammer, these malicious websites are often based on the collaboration portals we rely on so much, especially during remote working.
In the first half of 2020, SharePoint, OneDrive, and other portals have proved an ideal way to improve success rates of a phishing campaign. This is why…
Weaponizing online collaboration portals
The evolution of phishing is, of course, in line with the evolution of technology. Until fairly recently, a typical method used in phishing emails to install malware on a device, was to carry the malware as an infected attachment, usually an Office document or PDF. This method matched employees use of emails to share documents. This method was successful and continues to this day. However, as businesses turn increasingly to the use of online collaboration portals, employees are less likely to share documents via email. In response to this change, cybercriminals are changing their tactics. Instead of phishing emails containing malware-infected documents, scammers are piggy-backing on the way online collaboration portals work. That is, sending emails with shared links to documents or other files. All such platforms are at risk of being misused by phishing campaigns via malicious links in emails branded to look like the portal.
However, a current focus of these phishing scams is on SharePoint and OneDrive.
How the SharePoint and OneDrive phishing scam works
Vendor, Proofpoint, alerted the world to the latest collaboration portal scam involving SharePoint and OneDrive. One of the most worrying aspects of these phishing campaigns was the high success rate: Proofpoint found that users were 7 times more likely to click on a SharePoint/OneDrive malicious link. There are key reasons for this that lie at the heart of how these types of scams work.
Phishing is as much about human behavior as it is about technology. Cybercriminals know that tricking users into performing an action can effectively do the hard work for them. Getting the human user to perform this action relies on ‘trust’. It is this trust element that scammers use when they spoof well-known brands, such as SharePoint and OneDrive.
In Q1 and Q2 of 2020, 5.9 million email messages containing malicious SharePoint and OneDrive links were detected. This may sound a lot, but it only represents 1% of the total numbers of malicious phishing emails. An important point, however, is that this 1% represented 13% of user clicks - clearly, using the SharePoint and OneDrive brands to carry malicious links, works…users click as they are tricked into believing it is a legitimate email asking them to collaborate on a piece of work.
The goal of these phishing emails is account takeover. Proofpoint were able to use their research to analyze the lifecycle of the phish, which is broken up below into steps:
Step 1: A cloud account is compromised - this can be achieved using a spear-phishing email.
Step 2: A malicious file is uploaded to the compromised account. Sharing permissions are set to “Public” and the anonymous link is generated and shared.
The Proofpoint researchers give several examples of malicious files:
Example 1: A PDF file that presents as an invoice. The invoice requires the user to click on a link. This then takes them to a spoof OneDrive login page which steals any credentials entered into the sign-in fields.
Example 2: A OneNote voicemail file hosted on SharePoint. The OneNote file contains malware. Any user who opens the file to listen to the voicemail could become infected with the malware.
Step 3: The link is sent out to both internal and external targets - this link is usually a redirect URL and difficult to detect using conventional methods.
Step4: The recipient opens the email and if they click the link, they are taken to a spoof but legitimate looking SharePoint/OneDrive login page. The process then starts again, ad infinitum.
Proofpoint found 5,500 compromised tenants which is a large proportion of Microsoft’s enterprise customer base.
Once login credentials are stolen, they can be used to access the real accounts at SharePoint or OneDrive and steal company information, compromise further accounts, and even carry out more scams including Business Email Compromise (BEC).
How to prevent your organization becoming a victim of an online collaboration portal scam
Research from a consortium made up of Google, PayPal, Samsung, and Arizona State University, looked at the threat levels from phishing. The resulting report makes an important observation: Successful attacks use highly sophisticated social engineering augmented by detection evasion techniques. The report also noted that the top 5% of attacks were responsible for 78% of successful clicks to a malicious site. Simply put, phishing scams are becoming harder to prevent.
Security awareness alone is not enough to stop users clicking on malicious links and being manipulated into entering login details and other sensitive information. Phishing scammers are masters of clever behavioral manipulation. Like all approaches to security threat mitigation, a proactive and layered approach works best. Enterprises must shore-up security awareness training using powerful and smart tools that prevent a user being taken to a spoof website even if they do click on a malicious link. These tools should include the use of a Web Content Filtering platform. This prevents employee from navigating to dangerous websites and reduces the chance of corporate data breaches and other cyber-attacks.