By Jhon Revesencio, Cofense Phishing Defense Center
Phishing scams are evolving rapidly, and a recent campaign highlights just how inventive these attacks can be. The Cofense Phishing Defense Center (PDC) has spotted a phishing scheme that uses SharePoint links to lead unsuspecting employees to what looks like a legitimate Power BI report. The catch? These links are designed to steal users’ credentials, preying on those who trust their workplace tools.
It’s not uncommon for cybercriminals to exploit familiar platforms, and this campaign reveals a particularly clever approach. By embedding phishing links within trusted tools like SharePoint and Power BI, attackers rely on users' trust in these platforms to catch them off guard. This tactic not only increases the chances of success but also highlights the lengths to which threat actors will go to steal sensitive information. As phishing methods get more creative, it’s important for organizations to focus on regular training and education, helping employees learn how to spot and deal with potential threats.
Figure 1: Email Body
In Figure 1, the phishing email cleverly disguises itself as a legitimate SharePoint shared file titled "Payment Confirmation." Expertly crafted to give an impression of authenticity, the email incorporates familiar company branding and polished formatting that employees typically expect from legitimate messages.
The intention behind this email is to create urgency and curiosity. By framing it as an important payment confirmation, the attackers aim to entice the recipient to click on the link without hesitation. This approach exploits the instinct to respond quickly to what appears to be vital information regarding financial matters. The combination of a pressing request and the appearance of an official document makes the email particularly persuasive. This leads recipients to act impulsively and, ultimately, increases their vulnerability to credential theft or other malicious actions.
Figure 2: Power BI Page
The user clicks the "Open" button in the email and is redirected to a legitimate Power BI link, which initially creates a sense of security. The page appears authentic, showcasing the familiar Power BI interface that users recognize, as shown in Figure 2. The key deception lies in the next step: users are prompted to click "Open Document," and that button carries the phishing link. This tactic leverages the trust associated with Power BI, making it easy for users to overlook red flags.
Users might find the document request unexpected, particularly if they weren't anticipating receiving a file in this manner. Additionally, the lack of standard security prompts, which users typically associate with secure document sharing, further indicates something is amiss.
Figure 3: Phishing Page
After clicking "Open Document," users are taken to a page that looks like a standard Microsoft login screen (Figure 3), the familiar landing page attackers use to trick people into entering their credentials. At first glance, it appears authentic, with the usual Microsoft branding and login prompts. However, there are subtle signs that something is amiss. The URL doesn’t match Microsoft’s official sign-in address, and the request to re-enter credentials for a shared document is unusual. These small details may be easy to overlook but are clear indicators that this page is a phishing attempt designed to capture login information.
This phishing campaign demonstrates the evolving tactics threat actors use to exploit trusted platforms like SharePoint and Power BI, tricking users into providing sensitive information. By leveraging familiar templates and redirecting to legitimate services, threat actors make it harder for automated defenses to detect these scams. With Cofense Managed Phishing Threat Detection and Response (MPDR), provided through our Phishing Defense Center (PDC), organizations gain an essential layer of protection, helping employees recognize and report suspicious emails. Our comprehensive, human-centric approach enables us to catch threats that automated systems often miss, ensuring your enterprise is protected from modern phishing attacks.
| Indicators of Compromise | IP |
|---|---|
| hxxps[://]emplast[.]it/pagine/ChangeLang[.]asp?Goback=hxxps[://]carbomer[.]com/users/?dw=5218 | 31[.]14[.]143[.]38 |
| hxxps[://]carbomer[.]com/users/?dw=5218 | 173[.]201[.]191[.]4 |
| hxxps[://]app[.]powerbi[.]com/view?r=eyJrIjoiODdmOGUzZGUtYTU4OS00MDU0LWE3ODMtZGIxYjExMTU1OGU3IiwidCI6ImJkMWRiODMyLWYwY2QtNDRiNS04ZTNjLTYxMmNlY2NhMjQ4ZSJ9 | 20[.]41[.]4[.]104 |
| hxxps[://]login[.]connectportal[.]tech/common/oauth2/v2[.]0/authorize?client_id= | 104[.]26[.]10[.]78 |
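Two of the signals described above can be checked mechanically when triaging a reported email: a Microsoft-style OAuth sign-in path served from a host that is not a Microsoft sign-in host (the last indicator), and a redirect hop that carries its destination inside a query parameter (the Goback= parameter in the first indicator). The following Python script is an added example, not Cofense's code or a PDC tool. The allowlist of Microsoft sign-in hosts is a deliberately partial assumption, the Power BI report token is replaced with a placeholder, and the sample URL list is constructed from the indicators table.

```python
"""Triage helper for defanged URL indicators (added example, not Cofense's code).

It refangs indicators written as hxxps[://]host[.]tld, then flags:
  * lookalike-microsoft-login: the Microsoft identity platform's authorize path
    on a host that is not a known Microsoft sign-in host;
  * redirect-via-<param>: a query parameter whose value is itself an absolute URL,
    i.e. a redirect hop that hides its real destination in the query string.
"""
import re
from urllib.parse import parse_qs, unquote, urlsplit

# Assumption: partial allowlist of Microsoft sign-in hosts; extend for your tenant.
MICROSOFT_LOGIN_HOSTS = {
    "login.microsoftonline.com",
    "login.microsoft.com",
    "login.live.com",
}

# Path fragment of Microsoft's OAuth 2.0 authorize endpoint that the look-alike page imitates.
AUTHORIZE_PATH = "/oauth2/v2.0/authorize"

# Constructed sample set, copied from the indicators table (report token replaced by a placeholder).
SAMPLE_URLS = [
    "hxxps[://]emplast[.]it/pagine/ChangeLang[.]asp?Goback=hxxps[://]carbomer[.]com/users/?dw=5218",
    "hxxps[://]carbomer[.]com/users/?dw=5218",
    "hxxps[://]app[.]powerbi[.]com/view?r=PLACEHOLDER_REPORT_TOKEN",
    "hxxps[://]login[.]connectportal[.]tech/common/oauth2/v2[.]0/authorize?client_id=",
]


def refang(url: str) -> str:
    """Undo the defanging conventions used in threat reports."""
    return (
        url.replace("hxxp", "http")
        .replace("[://]", "://")
        .replace("[.]", ".")
        .replace("[:]", ":")
    )


def embedded_urls(query: str) -> dict[str, str]:
    """Return query parameters whose (URL-decoded) value is an absolute http(s) URL."""
    found = {}
    for key, values in parse_qs(query, keep_blank_values=True).items():
        for value in values:
            candidate = unquote(value)
            if re.match(r"https?://", candidate, re.IGNORECASE):
                found[key] = candidate
    return found


def classify(url: str) -> list[str]:
    """Return the findings for one URL, defanged or not; an empty list means nothing flagged."""
    parts = urlsplit(refang(url))
    host = (parts.hostname or "").lower()
    findings = []
    # Sign-in path on a host Microsoft does not use for sign-in.
    if AUTHORIZE_PATH in parts.path.lower() and host not in MICROSOFT_LOGIN_HOSTS:
        findings.append("lookalike-microsoft-login")
    # Redirect hop: the next destination travels inside a query parameter.
    for key, target in embedded_urls(parts.query).items():
        findings.append(f"redirect-via-{key}:{urlsplit(target).hostname}")
    return findings


def triage(urls: list[str]) -> dict[str, list[str]]:
    """Classify every URL and keep only those with at least one finding."""
    results = {u: classify(u) for u in urls}
    return {u: f for u, f in results.items() if f}


if __name__ == "__main__":
    for url, findings in triage(SAMPLE_URLS).items():
        print(url, "->", ", ".join(findings))
```

Run as a script, it reports the emplast[.]it hop (redirect via Goback to carbomer[.]com) and the connectportal[.]tech sign-in page. The Power BI URL produces no finding, which is exactly the point the article makes: the lure itself sits on a legitimate service, so host-based checks only catch the redirect and the credential-harvesting page, not the hosting of the lure.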
All third-party trademarks referenced by Cofense, whether in logo form, name form, product form, or otherwise, remain the property of their respective holders, and use of these trademarks in no way indicates any relationship between Cofense and the holders of the trademarks. Any observations contained in this blog regarding the circumvention of end-point protections are based on observations at a point in time based on a specific set of system configurations. Subsequent updates or different configurations may be effective at stopping these or similar threats. Past performance is not indicative of future results.
The Cofense® and PhishMe® names and logos, as well as any other Cofense product or service names or logos displayed on this blog, are registered trademarks or trademarks of Cofense Inc.