
In recent weeks, Scotland has seen a rise in sophisticated phishing attacks exploiting SharePoint servers to deceive unsuspecting victims. Attackers are using legitimate SharePoint servers to host malicious PDFs, which are then distributed through seemingly authentic emails. This strategy significantly increases the likelihood of their success, as the emails originate from legitimate, compromised accounts. 

How the Attack Works 

  1. Malicious PDF Distribution: The attackers begin by embedding phishing links within PDFs and hosting these documents on legitimate SharePoint servers. 
  2. Email Delivery: They send these PDFs to potential victims from compromised email accounts, making the emails appear trustworthy. The compromised accounts are often those of colleagues or known contacts, increasing the likelihood of the recipient opening the email. 
  3. CAPTCHA Verification: Upon opening the PDF, the victim is prompted to solve a CAPTCHA. This step adds a layer of perceived security, lulling the victim into a false sense of trust. 
  4. Phishing Page: After solving the CAPTCHA, the victim is redirected to a phishing page that mimics a genuine Microsoft login page. Here, the victim is prompted to enter their login credentials. 
  5. Credential Harvesting: The attackers harvest these credentials and use them to compromise additional accounts, perpetuating the cycle. They then send further phishing emails from these newly compromised accounts, continuing the spread of the attack. 

Why This Attack is Particularly Dangerous 

The use of legitimate SharePoint servers and compromised email accounts makes this phishing campaign especially dangerous. Victims are more likely to trust emails and links coming from familiar sources, significantly increasing the attack’s success rate. 

Additionally, the use of a CAPTCHA provides a false sense of security. Most users associate CAPTCHAs with legitimate websites and may not realise they are being scammed until it is too late. 

Figure 1 Campaign run – app.any.run 

Protecting Yourself Against Phishing Attacks 

Here are some steps to protect yourself from falling victim to such phishing attacks: 

  1. Verify Email Sources: Always verify the sender’s email address and be wary of unexpected emails, even if they appear to come from known contacts. 
  2. Inspect URLs Carefully: Before entering any login information, inspect the URL of the page to ensure it matches the legitimate website’s domain. 
  3. Use Multi-Factor Authentication (MFA): Enable MFA on your accounts to add an extra layer of security. Even if your credentials are compromised, MFA can prevent unauthorised access. 
  4. Educate and Train: Regularly update yourself and your team on the latest phishing tactics. Training and awareness are key defences against these attacks. 
  5. Report Suspicious Activity: If you suspect you’ve received a phishing email, report it to your IT department or email provider to help prevent the spread of the attack. 
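The URL check in step 2 is easy to get wrong by eye, because the final page in this campaign is a fake Microsoft sign-in page that may carry the real login hostname somewhere in the address. The following added example (not part of the original advisory) checks the host a browser would actually connect to against an assumed allowlist of genuine Microsoft sign-in hosts; the allowlist and all sample URLs are constructed for illustration.

```python
"""Classify the host of a sign-in URL as trusted, lookalike or untrusted.

Added example, not code from the original advisory. TRUSTED_LOGIN_HOSTS is an
assumed, non-exhaustive allowlist; SAMPLE_URLS are constructed test inputs.
"""
from urllib.parse import urlsplit

# Assumed allowlist of genuine Microsoft sign-in hosts (illustrative only).
TRUSTED_LOGIN_HOSTS = {
    "login.microsoftonline.com",
    "login.microsoft.com",
    "login.live.com",
}


def login_host_verdict(url: str) -> str:
    """Return 'trusted', 'lookalike' or 'untrusted' for the URL's real host.

    urlsplit().hostname gives the host the browser connects to, so a trusted
    name placed in the userinfo part (before '@'), in the path or in the query
    does not fool this check the way a naive substring search would.
    """
    parts = urlsplit(url.strip())
    host = (parts.hostname or "").lower().rstrip(".")
    if parts.scheme != "https" or not host:
        return "untrusted"          # genuine sign-in pages are HTTPS only
    if host in TRUSTED_LOGIN_HOSTS:
        return "trusted"
    labels = host.split(".")
    # A trusted name used as a subdomain of another domain, a brand word in an
    # unknown host, or an internationalised (punycode) label is a lookalike
    # that deserves a closer look rather than a password.
    if (any(t in host for t in TRUSTED_LOGIN_HOSTS)
            or "microsoft" in host
            or any(label.startswith("xn--") for label in labels)):
        return "lookalike"
    return "untrusted"


# Constructed sample URLs covering the common tricks.
SAMPLE_URLS = [
    "https://login.microsoftonline.com/common/oauth2/authorize?client_id=abc",
    "https://login.microsoftonline.com.evil.example/",      # subdomain trick
    "https://login.microsoftonline.com@evil.example/",      # userinfo trick
    "https://evil.example/login.microsoftonline.com/",      # name in path
    "http://login.microsoftonline.com/",                    # no TLS
]

if __name__ == "__main__":
    for sample in SAMPLE_URLS:
        print(f"{login_host_verdict(sample):10} {sample}")
```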

By staying vigilant and informed, you can protect yourself and your organisation from falling victim to these sophisticated phishing campaigns. 
