Phishing Campaign Abuses SharePoint Servers

Summary:
ANY.RUN, an interactive malware analysis sandbox, warned on X (formerly Twitter) of a large phishing campaign that abuses SharePoint to host PDFs containing phishing links. ANY.RUN says it observed more than 500 public sandbox sessions involving SharePoint phishing within 24 hours. Victims receive invoice-themed emails whose links redirect them to a SharePoint-hosted PDF. The PDF contains a further link which, if clicked, leads to a phishing page impersonating the Microsoft sign-in page. Before reaching that page, the victim is first asked to solve a CAPTCHA. In some cases, ANY.RUN notes, the victim must also enter a Microsoft one-time verification code before the shared PDF will open, which adds a further step between the victim and the phishing page and makes the chain harder to reproduce in automated analysis.

Security Officer Comments:
Hosting the malicious PDFs on a legitimate service such as SharePoint is an attempt to evade detection: the first-stage link points at a trusted Microsoft domain that reputation-based filters are unlikely to block, letting the operation run under the radar for longer. The CAPTCHA serves two purposes. It lends the chain a sense of legitimacy, since many websites now present such prompts for verification, and it stops URL scanners and crawlers from reaching the credential-harvesting page, so the final stage is never examined or flagged as malicious. In response to this campaign, ANY.RUN introduced several measures, including tagging documents as "possible-phishing" to alert users, and added a new "sharepoint" tag to help identify these SharePoint-tailored phishing attacks. The company has also added a notification shown in sandbox sessions: "Be cautious! Do not enter your credentials".

Suggested Corrections:
To protect against this kind of phishing attack, users and administrators should:

  • Verify Email Sources: Be cautious of unexpected emails, especially invoice- or payment-themed messages that request sensitive information or link to SharePoint documents. A link on a legitimate Microsoft domain does not mean the sender, or the document, is legitimate.
  • Check URLs: Before entering credentials, confirm that the page host is exactly the expected sign-in domain (for example login.microsoftonline.com), not merely a URL that contains the Microsoft name somewhere in it. A CAPTCHA in front of a sign-in page is not evidence that the page is genuine.
  • Enable Security Features: Use email security solutions that rewrite and analyse links at click time, since the first-stage link may be a redirector rather than the final page, and enforce multi-factor authentication (MFA). Prefer phishing-resistant methods such as FIDO2 security keys or passkeys, because one-time codes typed into a lookalike page can be relayed by the attacker.
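The following Python is an added example, not code from ANY.RUN or from the original page. It turns the two checks above into something that can run over mail content and sign-in URLs: a first-pass triage that flags invoice-themed messages linking to SharePoint-hosted content, and an exact-host check for the credential page that rejects the usual lookalike tricks (a subdomain of an attacker domain, a userinfo prefix, and plain-http copies). The sign-in host allow-list, the invoice keyword list, and the sample messages are all assumptions constructed for this example.

```python
import re
from urllib.parse import urlparse

# Hosts where a real Microsoft sign-in should land. Assumed allow-list for this
# example; an organisation should derive its own from its identity configuration.
EXPECTED_LOGIN_HOSTS = {"login.microsoftonline.com", "login.live.com"}

URL_RE = re.compile(r"https?://[^\s<>\"')]+", re.I)
# Assumed keyword list for the invoice theme described in the campaign.
INVOICE_RE = re.compile(r"\b(invoice|payment|remittance|overdue|statement)\b", re.I)


def host_of(url):
    """Return the lower-cased hostname of an http(s) URL, or None if unusable."""
    try:
        parts = urlparse(url)
    except ValueError:
        return None
    if parts.scheme.lower() not in ("http", "https"):
        return None
    return (parts.hostname or "").lower() or None


def is_sharepoint_host(host):
    """True for tenant hosts under sharepoint.com, where the campaign parks its PDFs."""
    return host == "sharepoint.com" or host.endswith(".sharepoint.com")


def sharepoint_links(text):
    """All http(s) URLs in text whose host is a SharePoint tenant."""
    return [u for u in URL_RE.findall(text) if (h := host_of(u)) and is_sharepoint_host(h)]


def triage_message(msg):
    """Return the reasons a message matches the campaign pattern (empty list = no match).

    msg is a dict with 'subject' and 'body'. This is a cheap first-pass heuristic:
    the initial mail link may be a redirector rather than a sharepoint.com URL, so
    pair it with click-time URL analysis rather than relying on it alone.
    """
    reasons = []
    themed = INVOICE_RE.search(msg["subject"]) or INVOICE_RE.search(msg["body"])
    links = sharepoint_links(msg["body"])
    if themed and links:
        reasons.append("invoice-themed mail linking to SharePoint-hosted content")
    if any(u.split("?", 1)[0].lower().endswith(".pdf") for u in links):
        reasons.append("direct link to a SharePoint-hosted PDF")
    return reasons


def is_expected_login_url(url):
    """True only if url is https and its host is exactly an expected sign-in host.

    Exact matching defeats the common lookalikes: a subdomain of an attacker domain
    (login.microsoftonline.com.evil.example), a userinfo prefix
    (login.microsoftonline.com@evil.example, which urlparse resolves to evil.example),
    and plain-http copies of the page.
    """
    try:
        parts = urlparse(url)
    except ValueError:
        return False
    if parts.scheme.lower() != "https":
        return False
    return (parts.hostname or "").lower() in EXPECTED_LOGIN_HOSTS


# Constructed sample messages for this example; not taken from the campaign.
SAMPLE_MESSAGES = [
    {"subject": "Invoice INV-2024-0918 ready for payment",
     "body": "Please review the invoice: "
             "https://contoso-my.sharepoint.com/personal/ap_contoso_com/Documents/Invoice.pdf"},
    {"subject": "Q3 planning deck",
     "body": "Latest slides are at "
             "https://contoso.sharepoint.com/sites/planning/Shared%20Documents/Q3.pptx"},
]

if __name__ == "__main__":
    for m in SAMPLE_MESSAGES:
        print(m["subject"], "->", triage_message(m) or ["no match"])
    for u in ("https://login.microsoftonline.com/common/oauth2/v2.0/authorize",
              "https://login.microsoftonline.com.evil.example/",
              "https://login.microsoftonline.com@evil.example/"):
        print(u, "->", "expected sign-in host" if is_expected_login_url(u) else "NOT expected")
```

The triage is deliberately narrow so that ordinary internal SharePoint sharing (the second sample) does not trip it; the signal is the combination of an invoice theme with a SharePoint-hosted document from an unexpected sender, not SharePoint links as such. The URL check is the one a user or a browser extension should apply at the moment credentials are requested, after the CAPTCHA, because by design the CAPTCHA has already kept automated scanners from seeing that page.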