In a recent tweet, Microsoft disclosed a “sneakier than usual” active phishing campaign targeting SharePoint users, particularly in remote-work environments. The technique employs what the company calls a “crafty” combination of spoofed sender email addresses and display names that “mimic legitimate services” in order to “slip through email filters.”
The original sender’s address includes a variation of the word “referral” and has been spotted under several top-level domains. The emails use SharePoint in the display name as the lure and are styled as file-share requests for purported “Staff Reports,” “Bonuses,” “Pricebooks” and other content; the links they carry use a malformed HTTP header. A second URL, placed in the notification settings, leads to a compromised SharePoint site. Sign-in credentials are required to access both links.
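As an added illustration, and not Microsoft’s own detection logic or any code from the original report, the following Python script scores incoming messages against the indicators described above: a display name that claims to be SharePoint while the sending domain is not one that actually sends SharePoint notifications, a sender address containing a variation of “referral,” and one of the reported lure subjects. The sample messages, the sender domains in them, and the list of legitimate SharePoint domains are constructed assumptions for this example and should be tuned to your own tenant.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Domains that legitimately send SharePoint sharing notifications.
# Assumption for this example; tune to what your tenant actually receives.
LEGIT_SHAREPOINT_DOMAINS = {"sharepointonline.com", "microsoft.com"}

# Lure subjects the campaign was reported to use (lower-cased substrings).
LURE_TERMS = ("staff report", "bonus", "pricebook")

# Matches "referral" and common misspellings such as "referal" or "refferal".
REFERRAL_RE = re.compile(r"ref+er+al")


def sharepoint_lure_score(raw_message: str) -> dict:
    """Score one RFC 5322 message against the reported indicators.

    Returns the individual indicator hits plus a 'suspicious' verdict:
    a spoofed SharePoint display name combined with at least one more hit.
    A legitimate SharePoint notification that merely mentions a bonus or
    pricebook is therefore not flagged on the subject alone.
    """
    msg = message_from_string(raw_message)
    display_name, address = parseaddr(msg.get("From", ""))
    address = address.lower()
    domain = address.rsplit("@", 1)[-1] if "@" in address else ""
    subject = msg.get("Subject", "").lower()

    sends_real_sharepoint_mail = any(
        domain == d or domain.endswith("." + d) for d in LEGIT_SHAREPOINT_DOMAINS
    )
    hits = {
        # Display name claims SharePoint, but the sending domain is not one
        # that actually delivers SharePoint notifications.
        "spoofed_sharepoint_name": "sharepoint" in display_name.lower()
        and not sends_real_sharepoint_mail,
        # Sender address carries a variation of the word "referral".
        "referral_sender": REFERRAL_RE.search(address) is not None,
        # Subject uses one of the reported file-share lures.
        "lure_subject": any(term in subject for term in LURE_TERMS),
    }
    hits["suspicious"] = hits["spoofed_sharepoint_name"] and (
        hits["referral_sender"] or hits["lure_subject"]
    )
    return hits


def flag_messages(messages: list[str]) -> list[int]:
    """Return the indices of messages that score as suspicious."""
    return [i for i, m in enumerate(messages) if sharepoint_lure_score(m)["suspicious"]]


# Constructed sample messages (not real campaign artifacts).
PHISH = """\
From: "SharePoint Online" <no-reply@referral-docs.example>
To: victim@corp.example
Subject: Staff Reports shared with you

A file has been shared with you.
"""

LEGIT = """\
From: "SharePoint Online" <no-reply@sharepointonline.com>
To: victim@corp.example
Subject: Q3 Pricebook shared with you

A file has been shared with you.
"""

INTERNAL_HR = """\
From: "HR Team" <hr@corp.example>
To: victim@corp.example
Subject: Bonuses for this quarter

Please see the attached summary.
"""

if __name__ == "__main__":
    for name, sample in (("PHISH", PHISH), ("LEGIT", LEGIT), ("INTERNAL_HR", INTERNAL_HR)):
        print(name, sharepoint_lure_score(sample))
    print("flagged:", flag_messages([PHISH, LEGIT, INTERNAL_HR]))
```

The verdict deliberately requires the display-name spoof plus one further indicator: the campaign’s distinguishing trait is the mismatch between a “SharePoint” display name and a sender domain that has nothing to do with Microsoft, and the referral-style address or lure subject only corroborates it. A real SharePoint notification that happens to share a pricebook scores a subject hit but is not flagged.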
Microsoft noted that the campaign has been successfully detected and blocked by Defender for Office 365.