Cybercriminals Are Stealing Passwords With New SharePoint and OneNote Scam

There is a new scam being distributed through email, and it is more elaborate than most. The scam mimics SharePoint and OneNote, two legitimate Microsoft applications, in order to steal victims' passwords.

With the Covid-19 pandemic forcing an all-time high of people working from home and using tools that enable remote access and collaborative work, the number of cybercriminals attempting to phish and scam people using those tools is also growing. This latest attempt at a scam is also focused on exploiting collaborative tools and brand names - Microsoft's OneNote and SharePoint in particular.

The Scammers Attempt to Distract Victims

What sets this phishing scam apart from most is the effort taken and the roundabout way the cybercriminals go about getting their victims to unwittingly disclose their passwords. The emails used in the scam do not link directly to a fake login form where the user needs to enter credentials. Instead, users see a SharePoint link in the malicious email. Once they click the SharePoint link, they are taken to a OneNote page that contains a fake PDF file. Clicking the "Review document" link under the attached PDF finally causes the fake login prompt to show up, and victims are expected to provide their credentials.

The entire process of clicking through those links is accompanied by convincingly put together Office 365 imagery, in an attempt to lend more credibility to the scam and lower the victim's guard. The simple fact that the final phishing form is removed from the original malicious email by an extra couple of steps can also serve as a distraction and cause people to carelessly enter their password in the fake form.

What Can You Do to Minimize Risk?

Security experts recommend adhering to a few guidelines when dealing with any email that ends up in your inbox in order to minimize risk and stay as safe as possible.

  1. Never fill in any login forms that you land on through an email link, regardless of whether the email was sent by a stranger or a coworker.
  2. In case you actually fell for a phishing login prompt, make an effort to change your password on the legitimate service the scam mimics as quickly as you can.
  3. Always check if a service has two-factor authentication and make full use of the option where it's available.
  4. Examine every email you get closely for spelling and typos and minor details like off-color logos or strange sender email addresses. Those are usually signs of a fake or malicious email.
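The checks in guidelines 1 and 4 can be partly automated for mail triage. The script below is an added example and is not code from the original article: it parses a constructed sample message and flags two signals the article describes, a Microsoft-branded display name sent from an unrelated domain, and link text that claims to be SharePoint or OneNote while the link's host is not a Microsoft-owned domain. The allowlist of trusted hosts and the sample addresses are assumptions made for the example.

```python
import re
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlparse

# Assumed allowlist of hosts a genuine SharePoint/OneNote link would use
# (an assumption for this example, not a list taken from the article).
TRUSTED_SUFFIXES = ("sharepoint.com", "onenote.com", "microsoft.com", "office.com")

# Brand words that, when present in a display name or link text, raise the
# bar for where the message or link is actually allowed to come from.
BRANDS = ("sharepoint", "onenote", "microsoft", "office 365")

# Constructed sample message: the display name and link text claim to be
# SharePoint, while the real sender and link host are unrelated domains.
SAMPLE_EMAIL = """\
From: "SharePoint Online" <notify@example-mail-relay.test>
To: user@example.org
Subject: A document has been shared with you
Content-Type: text/html

<html><body>
<p>A colleague shared a file with you on SharePoint.</p>
<p><a href="http://docs-share.example.test/view">Open in SharePoint</a></p>
</body></html>
"""

# Simple anchor matcher: captures href and the visible link text.
ANCHOR_RE = re.compile(r'<a\s+[^>]*href="([^"]+)"[^>]*>(.*?)</a>', re.I | re.S)


def host_is_trusted(host):
    """True if host equals a trusted suffix or is a subdomain of one.
    'sharepoint.com.evil.test' and 'evilsharepoint.com' are both rejected."""
    host = host.lower()
    return any(host == s or host.endswith("." + s) for s in TRUSTED_SUFFIXES)


def triage_email(raw):
    """Return a list of warning strings for the raw RFC 822 message text."""
    msg = message_from_string(raw)
    warnings = []

    # Guideline 4: branded display name from a domain Microsoft does not own.
    display_name, address = parseaddr(msg.get("From", ""))
    sender_domain = address.rsplit("@", 1)[-1] if "@" in address else ""
    if any(b in display_name.lower() for b in BRANDS) and not host_is_trusted(sender_domain):
        warnings.append(f"sender claims '{display_name}' but address domain is {sender_domain}")

    # Guideline 1: branded link text whose target host is not Microsoft-owned.
    for part in msg.walk():
        if part.get_content_type() not in ("text/html", "text/plain"):
            continue
        body = part.get_payload(decode=True).decode("utf-8", errors="replace")
        for href, text in ANCHOR_RE.findall(body):
            host = urlparse(href).hostname or ""
            text = re.sub(r"<[^>]+>", "", text).strip()
            if any(b in text.lower() for b in BRANDS) and not host_is_trusted(host):
                warnings.append(f"link '{text}' points to {host}")
    return warnings


if __name__ == "__main__":
    for w in triage_email(SAMPLE_EMAIL):
        print("WARNING:", w)
```

The suffix check deliberately requires a dot before the trusted domain, so a lookalike such as "sharepoint.com.example.test" does not pass; a heuristic like this only narrows the set of messages a person still has to look at, and the article's advice to avoid login forms reached through email links stands regardless of what the script reports.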

Businesses sometimes run phishing simulations: drills in which the company itself sends phishing-style emails to employees to train them and raise awareness of the issue. These can be a great way to learn how to deal with the real crooks in a safe environment.

September 16, 2020
