Date: 2023-03-30

Kaspersky warns that legitimate SharePoint notifications are being exploited for “Someone shared a file with you” phishing. In an attempt to obtain corporate credentials, cybercriminals hide phishing links in a file on a hacked SharePoint server, then distribute them through the service's traditional notification mechanism. These emails evade spam filters more easily and look more believable, especially if the company uses this service.

Kaspersky's findings

Recently, Kaspersky experts detected more than 1,600 malicious notifications with potential victims in Europe, North America and other regions. While the scale of the attacks is not massive yet, businesses should be aware of the new mechanism and mitigate the risks in advance. Spam filters are almost always able to detect phishing emails with a link in the body of the message, so cybercriminals are constantly refining their methods to get past security solutions.

“Someone shared a file with you”

Currently, they no longer limit themselves to hiding phishing links on a SharePoint server, as in the previously known schemes; they also distribute them using legitimate SharePoint notifications. A Kaspersky security solution filtered over 1,600 malicious notifications between December 2022 and February 2023. Cybercriminals sought to obtain data from companies in Austria, France, India, Italy, Japan, the Netherlands, Russia, Singapore, South Korea, Spain and the United States.

How phishing works through SharePoint notifications

Because the notification system is legitimate, even the most tech-savvy employees let their guard down. The notifications are sent on behalf of a real company's services and do not raise doubts, especially if you usually use SharePoint. An employee receives a standard SharePoint notification that someone has shared a OneNote file with them. This is a completely legitimate email, which can bypass the spam filter more easily than a phishing link hidden on a SharePoint server.

Pay attention to communications

An employee clicks the link that opens the mentioned OneNote file. Instead, the text of the notification contains another “communication” with a huge icon for a different file type (e.g. PDF) and a standard phishing link. This phishing link leads to a website that simulates the Microsoft OneDrive login page. Cybercriminals use it to steal credentials for various email accounts, such as Yahoo!, AOL, Outlook, Office 365 and others.

How companies can limit the risks associated with this type of phishing

While these phishing emails are convincing, they can be distinguished by a set of red flags that can be displayed to employees.

Roman Dedenok, Spam Analysis Expert at Kaspersky

First of all, the file is unknown, as well as the sender. Colleagues generally don’t share documents without an introduction. In addition, there are other signs: a link to the OneNote file within the notification and a PDF file suddenly appearing on the server. Furthermore, the download link leads to a third-party site, whose web address is not linked to the victim’s organization or SharePoint server. The phishing site mimics the login page of OneDrive, another Microsoft service unrelated to SharePoint. To be safe, you should pay attention to all suspicious emails and check for such inconsistencies.
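The red flags listed above can be turned into an automated check. The following is an added example, not code from Kaspersky or from the original article: it takes the text of a shared page and flags an unknown sender, a different file type shown inside a OneNote share, and links to hosts outside the organization and its SharePoint server. All domains, addresses and function names are constructed placeholders.

```python
import re
from urllib.parse import urlsplit

URL_RE = re.compile(r"https?://[^\s\"'<>)]+", re.IGNORECASE)
FILE_RE = re.compile(r"\b[\w-]+\.(pdf|docx?|xlsx?)\b", re.IGNORECASE)

def host_is_trusted(host, trusted_domains):
    """True only for a trusted domain itself or a real subdomain of it."""
    host = host.lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in trusted_domains)

def red_flags(shared_by, known_contacts, page_text, trusted_domains, shared_ext="one"):
    """Return the red flags found for one share notification and its page text."""
    flags = []
    if shared_by.lower() not in known_contacts:
        flags.append("unknown sender")
    # A OneNote share whose page presents some other file type
    lure = FILE_RE.search(page_text)
    if lure and lure.group(1).lower() != shared_ext:
        flags.append("page shows a ." + lure.group(1).lower() + " file")
    for url in URL_RE.findall(page_text):
        try:
            host = urlsplit(url).hostname or ""
        except ValueError:  # malformed URL: treat as untrusted
            host = ""
        if not host_is_trusted(host, trusted_domains):
            flags.append("third-party link: " + host)
    return flags

# Constructed sample data; every name below is a placeholder.
TRUSTED = {"corp.example", "corp-example.sharepoint.com"}
KNOWN = {"alice@corp.example"}
SAMPLE_PAGE = (
    "Invoice_Q1.pdf\n"
    "View or download: https://files-login.example.net/onedrive/signin\n"
    "Policy: https://corp-example.sharepoint.com/sites/hr/policy.aspx\n"
)

if __name__ == "__main__":
    for flag in red_flags("j.doe@partner.example", KNOWN, SAMPLE_PAGE, TRUSTED):
        print(flag)
```

The host comparison matches on whole domain labels, so a host that merely contains a trusted name somewhere in a longer address is still reported as third-party.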

Don’t click if “Someone shared a file with you”

To stay protected from phishing techniques targeting small, medium and large businesses, Kaspersky recommends: