Nov 02, 2024

When Sharing Isn’t Caring: How Hackers Exploited Microsoft SharePoint for Phishing and Malware

Oct 1, 2024

Hackers Exploit Microsoft SharePoint

As the COVID-19 pandemic loomed large back in 2020, many businesses suddenly found themselves thrust into a situation where they needed to embrace new digital practices to stay afloat. Working from home was now mandatory in many cases and companies that had never grappled with remote servers, VPNs, and managing access privileges in a decentralized work environment were forced to adapt quickly. Microsoft SharePoint became a go-to tool for many companies that needed a quick solution for file sharing and data access with easily configurable permissions.

Even though the pandemic has subsided, and many businesses have opted to bring employees back into the office (at least part-time), many organizations still utilize Microsoft SharePoint as the keystone of their operation. But what happens when the tool you rely on to run your business is turned against you? In July, this very nightmare scenario began making headlines around the world. Microsoft SharePoint was compromised, and hackers were using it as a tool to begin distributing malware. These intrusions were almost undetectable. They made full use of Microsoft’s built-in security features to lull users into a false sense of security before stealing their credentials.

In this article, the cybersecurity experts at Blade Technologies investigate what went wrong with Microsoft SharePoint, how it’s being used for phishing and malware distribution, and what steps your business can take to minimize the risk of becoming a victim.


What is Microsoft SharePoint?

To begin, it’s important to understand what SharePoint is and how cybercriminals are exploiting it.

Microsoft SharePoint is a bundle of different content and access management software companies use to manage file storage, sharing, and permissions across their whole organization. Think of it as a giant cloud server that allows employees to access and collaborate on files wherever they are. Companies using Microsoft 365 can create and launch a SharePoint server where files can be uploaded and stored.

The server feature has made SharePoint an extremely popular choice for organizations with employees who work from home for at least part of the week. It allows the entire company to share and work on documents and files seamlessly. Until recently, it was also seen as a very secure method of file hosting. SharePoint allowed administrators to create user groups, set permissions, and even implement multi-factor authentication (MFA) methods such as one-time passwords.


How the SharePoint Phishing Attack Works

In the past, hackers have created emails and links that were meant to look like official SharePoint documentation to fool users into handing over their credentials. But what makes this attack different is that attackers are hosting the infected files on legitimate SharePoint servers. On your end, it may look like you’re getting an email from a colleague sharing a PDF with an analytics report, when in reality, the file link that’s been sent comes from a hacker and contains malicious code designed to infect your machine and steal your credentials. They may even use SharePoint links to redirect you to a fake site that looks and behaves exactly like Microsoft SharePoint to trick you into typing in your account credentials.

However, it doesn’t stop there. Hackers are going a few steps further to make opening the file look and feel exactly like opening any other file in SharePoint. The file can be marked as secure, and clicking the link can trigger SharePoint’s own one-time password prompt, which leads many users to believe the file is the real deal. As an added bit of cybersecurity window dressing, hackers can even set their infected files to prompt users for a CAPTCHA, further adding to the appearance that the file is completely secure.

The reason these attacks are so effective is that they completely evade detection, both from automated systems designed to keep an eye out for attempted breaches and from the most scrupulous of employees who may be looking for telltale signs that something is a potential phishing attempt or scam. By utilizing legitimate SharePoint servers, one-time passwords, and CAPTCHAs, these phishing attempts read green across the board, getting a complete pass from security systems. In essence, hackers have found a way to turn the security systems we use to protect ourselves against us.


How to Spot a Potential SharePoint Phishing Attempt

The biggest challenge with SharePoint phishing is that it’s designed to look and feel so ordinary. For a business that regularly has employees sharing and opening files and documents through SharePoint, a phishing email hidden among the rest may be nearly impossible to detect. However, victims have reported some potential telltale signs. Some of the file links have come with a message encouraging users to view a report or look at document changes, but many users report receiving an email from a colleague with a SharePoint link to a document with very little context.

If you are not expecting to hear from a colleague about a particular project, or you don’t normally work with the person sending a link, take a second to assess the situation. Contact the person either over the phone or by using whatever instant messaging system your company uses, like Slack or Microsoft Teams. Ask them if they meant to send a document to you.

Be wary of unsolicited documents shared with you by clients or other people you work with outside of your organization. Hackers may find these people easier to impersonate because you have had enough contact with them to be familiar with their role, but you don’t necessarily interact with them every day.


How to Stop Your Business from Becoming a Victim

Aside from keeping an eye out for random file shares, there are some steps you can take to minimize your chances of becoming a victim of SharePoint phishing attempts. Even if you do fall for it, preparing properly beforehand can reduce the damage a breach can cause.


Have an Access Policy in Place

It’s important for any company to have an administrative access policy. This is especially true for businesses that have a lot of digital collaboration or store a lot of data in cloud servers. Determine who is responsible for maintaining all your systems, who has administrative-level access, and what the digital permissions hierarchy will look like for your company. Chances are, not everyone is going to need full access to your network or files. Compartmentalize where possible and ensure only teams that directly work with specific project files are allowed access.

Restricting who has access to which systems, folders, and files makes it much harder for hackers to gain access to your entire system in the event of a breach. This restricts how much damage a cybercriminal can inflict and slows down their movement through your systems, buying you additional time to identify and isolate the threat.

Verify Emails and URLs

Oftentimes, attackers send from an email address that looks very close to one you would expect from a colleague, vendor, or client, but with a slight variation. If you receive an unsolicited file link, make sure you check who it’s from. If the email address isn’t familiar to you, or you notice something is off about its format, do not open the email.

Sometimes this is harder to do because the attacker has already compromised a legitimate email account within your network. In these cases, it’s important to check which URLs the links and documents actually send you to. One tactic currently observed by cybersecurity researchers involves sending a user a legitimate document but redirecting them to a fake Microsoft SharePoint login or verification page, where the credentials they enter to access the document are stolen. Always check the URL to ensure you are on a real Microsoft SharePoint page.
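As an added, defender-side example (not code from the original article or from Blade Technologies), the following Python script triages a constructed message the way the two checks above describe: it compares the sender’s domain against known partner domains to catch a one- or two-character variation, and it resolves each link’s real host to confirm it sits under sharepoint.com. The allowlist suffix, the partner domain and the sample message are assumptions.

```python
import re
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlparse

# Assumption: genuine SharePoint Online share links land on a host under this suffix.
GENUINE_SUFFIXES = (".sharepoint.com",)
URL_RE = re.compile(r"https?://[^\s<>\"')]+")

def is_genuine_sharepoint_url(url):
    """True only if the real host (urlparse ignores anything before an '@') is genuine."""
    host = (urlparse(url).hostname or "").lower()
    return any(host.endswith(s) for s in GENUINE_SUFFIXES)

def edit_distance(a, b):
    """Levenshtein distance; one- or two-character sender-domain variations score <= 2."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def lookalike_of(domain, known_domains):
    """Return the known domain this sender domain closely imitates, else None."""
    for k in known_domains:
        if domain != k and edit_distance(domain, k) <= 2:
            return k
    return None

def triage(raw_message, known_domains):
    msg = message_from_string(raw_message)
    sender_domain = parseaddr(msg.get("From", ""))[1].rsplit("@", 1)[-1].lower()
    urls = URL_RE.findall(msg.get_payload())
    return {
        "sender_domain": sender_domain,
        "lookalike_of": lookalike_of(sender_domain, known_domains),
        "genuine_urls": [u for u in urls if is_genuine_sharepoint_url(u)],
        "suspicious_urls": [u for u in urls if not is_genuine_sharepoint_url(u)],
    }

# Constructed sample: "rn" in the sender domain imitates the "m" in the partner's real
# domain, and the second link only puts a SharePoint host name before another host's '@'.
SAMPLE = """From: Alex Partner <alex@partner-exarnple.com>
Subject: Q3 analytics report

Report: https://contoso.sharepoint.com/:b:/s/Reports/report.pdf
Verify first: https://contoso.sharepoint.com@login-verify.example/otp
"""
KNOWN_DOMAINS = ("partner-example.com",)
```

Running `triage(SAMPLE, KNOWN_DOMAINS)` flags the sender domain as a lookalike of the partner’s and lists only the second link as suspicious.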

Report Suspicious Activity

One of the main reasons these attacks are so effective is because they’re hard to spot, especially if you don’t know you should be looking for anything in the first place. Let people in your organization know phishing attempts have been made, and what to look out for to remove the uncertainty and thwart phishing attacks at the social engineering level. Once people in your business have caught on to what hackers may be attempting, the likelihood you’ll fall prey to a SharePoint attack significantly decreases. If you’re an employee and see something suspicious, report it to the person designated in your cybersecurity response plan. If your company receives a report of potential phishing activity from an employee, compose and send an email or other communication to everyone outlining what was reported, the suspicious activity you’ve seen, what employees should look out for, and what to do if they spot something.

Train Your Employees

Phishing attacks succeed when employees don’t know what to look for or how to react. The best defense against phishing is to educate your employees. Normally, company training combined with phishing simulations is an effective way to help employees learn how to spot a phishing attack and how to deal with it. But because hackers are now using legitimate filesharing methods combined with security features like MFA, the playbook needs to change. Employees need to be trained specifically on how to handle unexpected filesharing requests, what to look for to determine whether a file is real or not, who to contact to verify documents and communications, and what to do if they’ve fallen for a SharePoint phishing scam.

Armed with updated knowledge of common vectors for phishing attacks, it’s much less likely one of your employees will fall victim to nefarious hacking schemes.

Real-Time Network Monitoring

With phishing schemes as slippery as the Microsoft SharePoint campaign currently making its way around the world, it’s more important than ever to plan what to do in the event your systems are breached. Businesses often don’t find out for days that a breach has occurred, well after a cyberthief has stolen valuable information or had time to wreak havoc on internal systems.

Real-time network monitoring services are designed to help you detect and stop cyberattacks in their tracks. They constantly monitor your network for any suspicious activity and alert you of telltale signs that a breach is currently in progress. With this information, you can close off network access and prevent hackers from getting any further, safeguarding valuable data. Along with a suite of other expert cybersecurity services and breach remediation solutions, Blade Technologies offers network monitoring services to give you constant insight into what’s happening with your company’s data.


Partner with Blade Technologies to Protect Against SharePoint Hacks

The latest Microsoft SharePoint phishing schemes indicate a worrying trend for cybercrime. The methods hackers are using to get their hands on sensitive data are getting more and more complex. It’s becoming increasingly difficult to tell the difference between a malicious attempt to steal data and an honest filesharing collaboration or communication between colleagues. Now more than ever before, it’s important to have a cybersecurity partner who specializes in the latest technologies designed to keep your business safe.

Blade Technologies has decades of experience protecting businesses from the threats lurking unseen in cyberspace. As business technologies have grown to be more connected, our services have adapted to cover new weak points to give our clients peace of mind. Whether you need help identifying and patching potential holes in your network security or want a partner with network monitoring capabilities to watch your back, we’ve got you covered.

Speak with a Blade cybersecurity expert today, and let’s craft a network solution together to meet the needs of your growing business.
