OneDrive & SharePoint Phishing

The NJCCIC has detected an increase in phishing attempts using Microsoft OneDrive. Attackers attempt to steal a victim’s account credentials with a spoofed OneDrive login page: the actor crafts a fake login page and embeds its URL in a phishing email. When the user enters their credentials on the fraudulent page, the credentials may be sent to an external site controlled by the attacker, saved in a text file on the same server for later retrieval, or emailed to an attacker-controlled address. The user is then frequently redirected to the real OneDrive login page, so to the victim it simply appears that their login failed to process, and they attempt to log in again.
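A first line of defense against the spoofed login page is to look at where the links in a message actually lead, rather than at the text shown to the user. The following triage helper is an added example written for this alert, not NJCCIC tooling: it pulls every link out of an HTML email body and flags any whose destination is not one of Microsoft's own sign-in hosts, noting when the visible text names a different host or when a Microsoft brand word appears in an untrusted hostname. The trusted-host list and the sample email body are assumptions constructed for the example and should be tuned to the hosts your tenant actually uses.

```python
"""Email triage helper: flag links in a suspicious message that do not lead to
Microsoft's own OneDrive / Microsoft 365 sign-in hosts.

Added example for this alert, not NJCCIC code. The trusted-host list is an
assumption; tune it to the hosts your tenant actually uses."""
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Assumption: hosts that legitimately serve OneDrive / Microsoft 365 sign-in pages.
TRUSTED_LOGIN_HOSTS = {"login.microsoftonline.com", "login.live.com", "onedrive.live.com"}
TRUSTED_SUFFIXES = (".sharepoint.com",)
BRAND_WORDS = ("onedrive", "microsoft", "sharepoint", "office")

# Constructed sample phishing email body (not a real message).
SAMPLE_EMAIL = """
<p>A document has been shared with you on OneDrive.</p>
<a href="https://onedrive-secure-docs.example.net/login">https://onedrive.live.com/view</a>
<p>Questions? <a href="https://login.microsoftonline.com/">Sign in</a> to your account.</p>
"""


class _LinkExtractor(HTMLParser):
    """Collect (href, visible text) pairs for every <a> element."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._current = None  # [href, accumulated text] while inside an <a>

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._current = [dict(attrs).get("href"), ""]

    def handle_data(self, data):
        if self._current is not None:
            self._current[1] += data

    def handle_endtag(self, tag):
        if tag == "a" and self._current is not None:
            self.links.append((self._current[0], self._current[1].strip()))
            self._current = None


def _host_of(url):
    return (urlparse(url).hostname or "").lower()


def host_is_trusted(url):
    """True only for an exact trusted host or a tenant subdomain of sharepoint.com."""
    host = _host_of(url)
    return host in TRUSTED_LOGIN_HOSTS or host.endswith(TRUSTED_SUFFIXES)


def triage_links(html_body):
    """Return one finding per link whose destination is not a trusted sign-in host.

    Each finding records the real destination, the text the user saw, and the
    reasons it was flagged, so an analyst can decide quickly."""
    extractor = _LinkExtractor()
    extractor.feed(html_body)
    findings = []
    for href, text in extractor.links:
        if not href or host_is_trusted(href):
            continue
        host = _host_of(href)
        reasons = ["destination host is not a known Microsoft sign-in host"]
        # The visible text shows a URL, but the href goes somewhere else.
        shown = re.search(r"https?://([^/\s]+)", text)
        if shown and shown.group(1).lower() != host:
            reasons.append(f"visible text names {shown.group(1)} but link goes to {host}")
        # A Microsoft brand word inside an untrusted hostname is a lookalike tell.
        if any(word in host for word in BRAND_WORDS):
            reasons.append("Microsoft brand name used in an untrusted hostname")
        findings.append({"href": href, "host": host, "text": text, "reasons": reasons})
    return findings


if __name__ == "__main__":
    for finding in triage_links(SAMPLE_EMAIL):
        print(finding["host"], "->", "; ".join(finding["reasons"]))
```

The check is deliberately strict: a hostname that merely contains `microsoft` or `onedrive` (for example `login.microsoftonline.com.example.org`) is never trusted, because only an exact host match or a `*.sharepoint.com` suffix passes.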

A new social engineering tactic observed is that the threat actor, masquerading as a Microsoft employee, may call the victim while they are retrieving their multi-factor authentication (MFA) code and ask them to read out the code to "verify" it. It is important to note that Microsoft will never call you to verify this code. MFA is still a highly effective protective measure and should still be utilized; the weak point is the person being influenced by social engineering.

If the victim’s credentials are captured, the threat actor is then able to take control of the victim’s Office 365 account. The attacker then sends hundreds of emails within a very short time from the compromised mailbox, targeting specific recipients within the organization who would recognize the sender. They can potentially move laterally within the environment and possibly corrupt files on SharePoint or OneDrive. Because the mail comes from a legitimate internal account, this allows the threat actor to bypass security controls and antivirus software.
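The burst of outbound mail described above is visible in message-trace data as one sender emitting far more messages in a few minutes than it ever does normally. The following sliding-window detector is an added example written for this alert, not NJCCIC tooling; it assumes message-trace records have been exported as (sender, recipient, ISO-8601 timestamp) rows, and the threshold, window size, and sample trace are constructed assumptions to be tuned against your own baseline.

```python
"""Detect the outbound mail burst that follows an account takeover: a single
sender emitting an unusually large number of messages in a short window.

Added example for this alert, not NJCCIC tooling. Assumes message-trace rows
of (sender, recipient, ISO-8601 timestamp); threshold and window are assumptions."""
from collections import defaultdict
from datetime import datetime, timedelta

BURST_THRESHOLD = 50                 # assumption: messages per window that is abnormal here
BURST_WINDOW = timedelta(minutes=10)  # assumption: "very short time" used by the detector


def build_sample_trace():
    """Constructed trace: jdoe sends 120 messages in 6 minutes; asmith sends 8 over 2 hours."""
    base = datetime(2024, 1, 15, 9, 0, 0)
    rows = []
    for i in range(120):
        rows.append(("jdoe@example.gov", f"user{i}@example.gov",
                     (base + timedelta(seconds=3 * i)).isoformat()))
    for i in range(8):
        rows.append(("asmith@example.gov", f"user{i}@example.gov",
                     (base + timedelta(minutes=15 * i)).isoformat()))
    return rows


def find_bursts(rows, threshold=BURST_THRESHOLD, window=BURST_WINDOW):
    """Return one record per sender whose densest window holds >= threshold messages.

    For each sender the timestamps are sorted and a two-pointer sliding window
    finds the maximum number of messages inside any span of length `window`."""
    by_sender = defaultdict(list)
    recipients = defaultdict(set)
    for sender, recipient, ts in rows:
        by_sender[sender].append(datetime.fromisoformat(ts))
        recipients[sender].add(recipient)

    bursts = []
    for sender, times in by_sender.items():
        times.sort()
        start, best, best_at = 0, 0, None
        for end in range(len(times)):
            # Advance the window start until it fits inside `window`.
            while times[end] - times[start] > window:
                start += 1
            count = end - start + 1
            if count > best:
                best, best_at = count, times[start]
        if best >= threshold:
            bursts.append({"sender": sender, "messages": best,
                           "distinct_recipients": len(recipients[sender]),
                           "window_start": best_at.isoformat()})
    return bursts


if __name__ == "__main__":
    for burst in find_bursts(build_sample_trace()):
        print(burst)
```

The distinct-recipient count is included because the behaviour described is many internal recipients receiving one message each, which distinguishes it from a legitimate mail merge or a single large thread.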

Recommendations

The NJCCIC highly recommends users avoid clicking on any links contained in a suspicious email. If the user is uncertain of the email’s legitimacy, they should contact the sender through a separate channel. Refrain from responding to the email, as the threat actor may have access to the sender’s account. Email auto-forwarding should be turned off. Ensure sent and received emails are not being forwarded to someone else or moved to the “deleted” folder by reviewing the mailbox’s inbox rules under Manage Rules. If the user’s account has been compromised, we suggest changing credentials for all accounts and linked accounts immediately; any active session tokens should be force-expired.
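The mailbox-rule and forwarding checks above (auto-forwarding off, no rules that forward mail outside the organization or move it to Deleted Items) can be run over an export of the whole tenant rather than one mailbox at a time. The following is an added example written for this alert, not NJCCIC tooling. It assumes the rules and mailbox settings have been exported to JSON with property names like those of Exchange Online’s `Get-InboxRule` and `Get-Mailbox` output (ForwardTo, RedirectTo, DeleteMessage, MoveToFolder, ForwardingSmtpAddress), that forwarding targets contain an SMTP address, and that `example.gov` is the organization’s own domain; the sample records are constructed.

```python
"""Audit exported Exchange Online inbox rules and mailbox forwarding settings
for the compromise indicators described above: forwarding to outside
addresses and rules that silently delete or hide mail.

Added example for this alert, not NJCCIC tooling. Assumes a JSON export with
property names like Get-InboxRule / Get-Mailbox output, forwarding targets
that contain an SMTP address, and example.gov as the organisation's own domain."""
import json
import re

INTERNAL_DOMAIN = "example.gov"  # assumption: your own email domain
# Folders where a rule that is meant to hide mail typically stashes it.
HIDING_FOLDERS = {"deleted items", "junk email", "rss feeds", "archive"}

# Constructed sample data (not from a real tenant).
SAMPLE_RULES = json.dumps([
    {"MailboxOwnerId": "jdoe@example.gov", "Name": "Keep tidy", "Enabled": True,
     "ForwardTo": ["archive@mail-backup.example.net"], "RedirectTo": [],
     "DeleteMessage": False, "MoveToFolder": None},
    {"MailboxOwnerId": "jdoe@example.gov", "Name": ".", "Enabled": True,
     "ForwardTo": [], "RedirectTo": [],
     "DeleteMessage": True, "MoveToFolder": None},
    {"MailboxOwnerId": "asmith@example.gov", "Name": "Newsletters", "Enabled": True,
     "ForwardTo": [], "RedirectTo": [],
     "DeleteMessage": False, "MoveToFolder": "Newsletters"},
])
SAMPLE_MAILBOXES = json.dumps([
    {"UserPrincipalName": "jdoe@example.gov",
     "ForwardingSmtpAddress": "smtp:jdoe.backup@example.net",
     "DeliverToMailboxAndForward": True},
    {"UserPrincipalName": "asmith@example.gov",
     "ForwardingSmtpAddress": None, "DeliverToMailboxAndForward": False},
])


def _external_address(value):
    """Return the SMTP address in value if it is outside INTERNAL_DOMAIN, else None."""
    match = re.search(r"[\w.+-]+@[\w.-]+", value or "")
    if not match:
        return None
    addr = match.group(0).lower()
    return None if addr.endswith("@" + INTERNAL_DOMAIN) else addr


def audit_rules(rules_json):
    """Flag enabled inbox rules that forward externally, delete, or hide mail."""
    findings = []
    for rule in json.loads(rules_json):
        if not rule.get("Enabled", True):
            continue
        reasons = []
        for target in (rule.get("ForwardTo") or []) + (rule.get("RedirectTo") or []):
            ext = _external_address(target)
            if ext:
                reasons.append(f"forwards or redirects to external address {ext}")
        if rule.get("DeleteMessage"):
            reasons.append("deletes matching messages")
        if (rule.get("MoveToFolder") or "").lower() in HIDING_FOLDERS:
            reasons.append(f"moves messages to {rule['MoveToFolder']}")
        # A throwaway name such as "." alongside another finding deserves a closer look.
        if reasons and len(rule.get("Name", "").strip()) <= 1:
            reasons.append("rule has a near-empty name")
        if reasons:
            findings.append({"owner": rule["MailboxOwnerId"],
                             "rule": rule["Name"], "reasons": reasons})
    return findings


def audit_mailboxes(mailboxes_json):
    """Flag mailbox-level forwarding to addresses outside the organisation."""
    findings = []
    for mbx in json.loads(mailboxes_json):
        ext = _external_address(mbx.get("ForwardingSmtpAddress"))
        if ext:
            findings.append({"owner": mbx["UserPrincipalName"],
                             "reasons": [f"mailbox-level forwarding to external address {ext}"]})
    return findings


if __name__ == "__main__":
    for f in audit_rules(SAMPLE_RULES) + audit_mailboxes(SAMPLE_MAILBOXES):
        print(f["owner"], f.get("rule", "<mailbox setting>"), "->", "; ".join(f["reasons"]))
```

Both checks are needed: a rule-level forward and a mailbox-level `ForwardingSmtpAddress` are set in different places, and an attacker who cleans up one often leaves the other.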

Reporting

The NJCCIC encourages users who believe their account may have been compromised to send a screenshot of the suspicious email to spamreport@cyber.nj.gov. Notify your agency’s ISO, email administrator, or help desk; they will assist you in remediating the issue. Please do not hesitate to contact the NJCCIC at njccic@cyber.nj.gov with any questions.
