A recent trend in phishing attacks has been to use the victim's OneDrive account to host malicious content, then send emails to contacts the victim has previously exchanged messages with, reusing the same subject line but replacing the body with a design that mimics the file-sharing links which are now a common way of exchanging information.
One example of such an email is shown below; this was the entire content of the email received by the target:
In this case, the email contains two links. The first (shown when hovering over the “32 kb” part of the email) is a link to a previous victim’s OneDrive, which is genuinely hosted on sharepoint.com. The main link is a new link pointing to a file newly uploaded to the compromised account’s OneDrive, which is a PDF. The contents of the PDF are shown below:
The link in the PDF leads to a fake Microsoft login page that captures the user's credentials and ensnares another victim.
This particular attack used the harvested credentials to immediately attempt access to very sensitive services in Microsoft Office 365/Azure, along with Skype for Business, Office 365 and Exchange. The attackers used these credentials to upload the malicious PDF to the new victim’s OneDrive, and used the mailbox access to send out the next wave of phishing emails.
Other variants of a similar nature have used similarly simple-looking emails containing only a link to malicious content hosted on SharePoint, which makes blocking the content more difficult.
It remains vital for users to be wary of ALL links in emails and to check their destination carefully, but this latest variant also means the link may be entirely valid and point to legitimate content hosted in the organisation's own SharePoint instance after being uploaded to a compromised user's OneDrive, which makes it even harder for users to distinguish legitimate emails sharing content from phishing emails.
So far, we have not seen variants of this attack which accurately spoof the real Microsoft format for sharing links via email, but users must not assume that content which looks like a legitimately shared link is trustworthy either, as this seems only a matter of time.
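Because the links in these emails resolve to genuine sharepoint.com content, domain blocking alone will not catch them. The triage script below is an added example and not part of the original post: it extracts the links from an email body and flags the traits described above, namely anchor text that looks like an attachment ("32 kb", "Invoice.pdf") while the href points to a OneDrive/SharePoint share, share links hosted on a tenant other than the organisation's own, and several different share tenants in one message. The sample email, the tenant hostnames and the heuristic thresholds are constructed for illustration.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Domains used for OneDrive/SharePoint sharing links (tenants appear as subdomains).
FILE_SHARE_DOMAINS = ("sharepoint.com", "1drv.ms", "onedrive.live.com")

# Anchor text that reads like a file attachment: a document extension or a size such as "32 kb".
ATTACHMENT_LIKE_TEXT = re.compile(r"\.(pdf|docx?|xlsx?|pptx?|zip)\b|\b\d+\s*[km]b\b", re.IGNORECASE)

# Constructed sample modelled on the email described in the post: a bare "32 kb" link to one
# tenant's OneDrive and a "PDF" link to another. Tenant names and paths are placeholders.
SAMPLE_EMAIL = """<html><body>
<p>Re: Invoice query</p>
<p>Please find the document attached:
<a href="https://previous-victim-my.sharepoint.com/:b:/g/personal/user_example/EXAMPLEID1">32 kb</a></p>
<p><a href="https://compromised-my.sharepoint.com/:b:/g/personal/user_example/EXAMPLEID2">Invoice.pdf</a></p>
</body></html>"""


class LinkExtractor(HTMLParser):
    """Collect (anchor text, href) pairs from an HTML email body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() == "a":
            self._href = dict(attrs).get("href")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag.lower() == "a" and self._href is not None:
            self.links.append(("".join(self._text).strip(), self._href))
            self._href = None
            self._text = []


def extract_links(html):
    parser = LinkExtractor()
    parser.feed(html)
    return parser.links


def is_file_share_host(host):
    """True for a sharing domain itself or any tenant subdomain of it (not look-alikes)."""
    host = host.lower()
    return any(host == d or host.endswith("." + d) for d in FILE_SHARE_DOMAINS)


def assess_email(html, own_tenant_hosts=()):
    """Return (severity, message) findings for the file-share links in an email body."""
    own = {h.lower() for h in own_tenant_hosts}
    findings = []
    share_hosts = set()
    for text, href in extract_links(html):
        host = (urlparse(href).hostname or "").lower()
        if not is_file_share_host(host):
            continue
        share_hosts.add(host)
        if ATTACHMENT_LIKE_TEXT.search(text):
            findings.append(("high", f"link text {text!r} looks like an attachment but opens a share on {host}"))
        if own and host not in own:
            findings.append(("medium", f"file-share link hosted on {host}, outside the organisation's own tenant"))
        else:
            findings.append(("info", f"file-share link to {host}"))
    if len(share_hosts) > 1:
        findings.append(("medium", f"links to {len(share_hosts)} different file-share tenants in one email"))
    return findings


if __name__ == "__main__":
    # Hypothetical organisation tenant; the sample links point elsewhere.
    for severity, message in assess_email(SAMPLE_EMAIL, own_tenant_hosts=("contoso-my.sharepoint.com",)):
        print(f"[{severity}] {message}")
```

The findings are triage signals rather than verdicts: a genuine share from a compromised user inside the organisation's own tenant will only produce "info" entries, which is exactly the case the post warns is hardest to distinguish, so the "high" attachment-lookalike signal is the one worth routing to a reviewer.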