
It might seem that someone you know is sharing a file stored on SharePoint. Swiss authorities have issued an alert about a global SharePoint phishing wave, tricking users into handing their credentials to cybercriminals.
The Swiss National Cybersecurity Centre (NCSC) warns that over the past few weeks, it has been receiving reports of malicious emails in the form of SharePoint notifications.
Microsoft SharePoint is a cloud-based platform widely used by organizations for collaboration and for storing and sharing documents and information.
“In this SharePoint phishing scam, you receive an invitation to a document that is supposedly stored on SharePoint. The invitation usually appears to come from someone you know and is automatically sent via Microsoft SharePoint,” NCSC said.
The link provided by cybercriminals actually does lead to the legitimate SharePoint platform, making the scam much harder to detect.
If users click the link, they are asked to authenticate via SharePoint: a form opens prompting them to enter an email address and then a one-time password sent to that address.
“The email does in fact come from Microsoft, or more specifically from SharePoint,” the NCSC said.
The scam itself begins when the PDF document is viewed. It contains another link, this time to a malicious credential-harvesting site, which asks users to authenticate a second time by entering their email address and password.
If users follow the instructions and enter their credentials, the cybercriminals not only steal the credentials but also log in to the victims' Microsoft accounts in real time.
“The prompt for the second authentication factor is also sent to the phishing page. You are asked to approve it there as well. This allows the scammers to bypass two-factor authentication,” the watchdog explained.
The forms, generated and translated with AI assistants, may be indistinguishable from legitimate ones.
The link remains the only clue hinting at the potential attack.
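Because the wording and display name no longer give the lure away, the destination host of each link is the signal a help desk or SOC can still check mechanically. The following triage helper is an added example, not code from the article or from the NCSC or Microsoft. It pulls every URL out of a reported message body or the text extracted from the shared PDF, classifies each by its hostname, and escalates when a link leaves Microsoft-owned domains. The tenant hostnames ("contoso") and the sample email and PDF text are constructed placeholders. The classifier deliberately handles the lookalike tricks a harvesting page relies on: a trusted name placed in the userinfo part of the URL, a trusted name used as a subdomain of an attacker-controlled domain, and punycode labels.

```python
"""Triage helper for reported "SharePoint invitation" emails (added example).

The first-stage link really points at sharepoint.com, so it is classified as
Microsoft-hosted; the link inside the shared PDF, which leads to the
credential-harvesting page, is what triggers escalation.
"""
import re
from urllib.parse import urlsplit

# Assumed tenant hostnames (placeholder "contoso"); a deployment loads its own.
TENANT_SHAREPOINT_HOSTS = {"contoso.sharepoint.com", "contoso-my.sharepoint.com"}
# Registrable domains Microsoft uses for SharePoint and sign-in flows.
MICROSOFT_DOMAINS = ("sharepoint.com", "microsoft.com", "office.com", "microsoftonline.com")

URL_RE = re.compile(r"https?://[^\s<>\"')\]]+", re.IGNORECASE)

# Constructed sample inputs: a genuine-looking share notification and the text
# of the PDF it points to. Neither is from the article.
SAMPLE_EMAIL = """Jane Doe shared a file with you.
Open: https://othercorp.sharepoint.com/:b:/g/Shared%20Documents/Invoice.pdf?e=abc123
"""
SAMPLE_PDF_TEXT = """Invoice_Q3.pdf
Document protected. Sign in to view: https://login.microsoftonline.com.account-verify.example/auth?u=user
"""


def extract_urls(text):
    """Return every http(s) URL in the text, in order, without duplicates."""
    seen, out = set(), []
    for match in URL_RE.finditer(text):
        url = match.group(0).rstrip(".,;")
        if url not in seen:
            seen.add(url)
            out.append(url)
    return out


def _under(host, domain):
    """True if host is the domain itself or a subdomain of it."""
    return host == domain or host.endswith("." + domain)


def classify(url):
    """Classify a link by its hostname.

    urlsplit().hostname strips userinfo, port and case, so
    'https://contoso.sharepoint.com@evil.example/' resolves to evil.example,
    and 'contoso.sharepoint.com.evil.example' is a subdomain of evil.example,
    not of sharepoint.com.
    """
    host = urlsplit(url).hostname or ""
    if host in TENANT_SHAREPOINT_HOSTS:
        return "tenant-sharepoint"
    if any(label.startswith("xn--") for label in host.split(".")):
        return "external-punycode"
    if _under(host, "sharepoint.com"):
        # Genuine Microsoft hosting, but another organisation's tenant: this is
        # what the first-stage invitation looks like.
        return "foreign-sharepoint"
    if any(_under(host, d) for d in MICROSOFT_DOMAINS):
        return "microsoft-other"
    return "external"


def triage(text):
    """Classify all links in a message body or extracted PDF text and decide
    whether an analyst should look at it."""
    findings = [(url, classify(url)) for url in extract_urls(text)]
    external = [url for url, kind in findings if kind.startswith("external")]
    verdict = "escalate" if external else "no-external-links"
    return {"links": findings, "external": external, "verdict": verdict}


if __name__ == "__main__":
    for label, sample in (("email", SAMPLE_EMAIL), ("pdf", SAMPLE_PDF_TEXT)):
        result = triage(sample)
        print(label, result["verdict"])
        for url, kind in result["links"]:
            print("  ", kind, url)
```

Run as a script it prints `no-external-links` for the notification and `escalate` for the PDF text. A "foreign-sharepoint" verdict on the first stage is not proof of malice on its own, since legitimate partners share from their own tenants; it is the combination of an unexpected sharing tenant and an external sign-in link in the document that matches the pattern the NCSC describes.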
“Modern AI-based translation tools help scammers avoid language errors, and the displayed sender address is no longer a reliable indicator because it can easily be spoofed,” the NCSC added.
This phishing campaign is highly targeted: the cybercriminals research company websites to identify employees, business relationships, partners and the like, to make the scam more convincing.
Compromised Microsoft accounts are also abused to send further phishing emails. Some of the fake SharePoint invitations are also sent at random.
“In one email sent directly to the NCSC, no connection could be identified: there had been no prior email contact with the company, and no relationship was apparent from its website,” the press release reads.
Microsoft itself recently warned that adversaries are using this attack vector against energy sector companies.
“Following the initial compromise, the attackers leveraged trusted internal identities from the target to conduct large‑scale intra‑organizational and external phishing, significantly expanding the scope of the campaign,” the tech giant said in the advisory.
Attackers often abuse legitimate services to obscure malicious intent.
The authorities warn against entering passwords, credit card details, or any other sensitive information on websites reached via links, especially links in unsolicited emails or text messages. Even if an email appears to come from a legitimate source, caution is advised: verify with the sender through a different communication channel.