Sharing is Caring – Novel SharePoint Phishing Campaign

Summary 

RADICL recently observed a sophisticated phishing campaign designed to steal O365 login credentials. This campaign leverages legitimate but compromised O365 accounts to share PDF and OneNote documents with what appears to be that account’s address book via the compromised account’s SharePoint. 

Because this campaign uses both a legitimate (but compromised) account to send and a legitimate (but compromised) SharePoint site, it has successfully bypassed O365’s built-in phishing protection. Additionally, to further thwart automated scanning, the share links use SharePoint’s secure sharing capability and require a Temporary One-Time Password (TOTP) to access the document. Finally, because the campaign likely sends these share links to the compromised account’s address book, there is already an implicit trust relationship between the victim and the compromised account, making it much more likely that the victim will click the link. See the screenshots below for a visual depiction of the attack.

Step 1: The Phishing Email 

The phishing email is a SharePoint share link from a compromised sender, likely an individual known to you or your organization (recall from the summary that the compromised user account likely sends this link to email addresses in its address book). Note that at the bottom of the screenshot, the open link points to a legitimate SharePoint website belonging to the organization of the compromised sender. Because this email comes from a legitimate source (and passes SPF, DKIM, and DMARC checks) and contains a legitimate link (a legitimate company SharePoint site), it will likely pass spam/phishing filters.

Figure 1 – Phishing Email Sample (redacted to protect customer privacy)

Step 2: The First Click 

Upon clicking the link in the email, the victim will be presented with a legitimate Microsoft TOTP page. This is a built-in feature for SharePoint secure sharing: the sharer specifies a single email address that can access a document, and when the recipient attempts to access that document, they must enter a TOTP code sent to their inbox. The phishing campaign likely employs this feature both to add legitimacy and to thwart automated scanners. Again, note that the URL is the legitimate corporate SharePoint site.

 

Figure 2 – SharePoint Secure Share TOTP Page (redacted to protect customer privacy)

Step 3: Accessing The Document 

Once the victim enters the TOTP code, they will be directed to the document. The document is hosted on a legitimate corporate SharePoint site. However, this is where the credential theft starts. The document directs the user to click a link to view it, which directs the user to a threat actor-controlled, fake O365 log-in page where credentials are stolen. 

Figure 3 – SharePoint Shared Document (redacted to protect customer privacy)

Step 4: The Second Click and Credential Theft 

Upon clicking the link, the user is directed to a fake O365 login portal. If the victim enters their credentials, the credentials are sent to the phisher and the account is assumed compromised.

Figure 4 – Fake O365 Login Portal

Recommendations 

RADICL highly recommends you warn your users NOT to click any documents shared via O365 unless they have confirmed their legitimacy with the sender. If one of your users WAS compromised, we recommend the following:

  1. Rotate the compromised account's credentials AND terminate all active sessions
  2. Review all document-sharing activity the compromised user instigated since the time of compromise and notify affected recipients that the account has been compromised. If the victim entered their credentials, they, too, are likely compromised.
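
One way to carry out the sharing review in recommendation 2, as an added example (not RADICL's tooling): it filters an exported Microsoft 365 unified audit log for sharing operations by the compromised account since the time of compromise and lists the recipients per document. The one-record-per-line JSON export, the accounts, URLs and timestamps are constructed; the operation and field names are assumed to follow the unified audit log's SharePoint sharing schema.

```python
import json
from datetime import datetime, timezone

# Sharing operations recorded by the Microsoft 365 unified audit log.
SHARING_OPS = {"SharingSet", "SharingInvitationCreated", "SecureLinkCreated",
               "AddedToSecureLink", "AnonymousLinkCreated", "CompanyLinkCreated"}

# Constructed sample data (not real): tenant, accounts and documents are made up.
SITE = "https://contoso.example/personal/alice/Documents/"
ALICE = "alice@contoso.example"

def _rec(time, op, user, doc, target=None):
    rec = {"CreationTime": time, "Operation": op, "UserId": user, "ObjectId": SITE + doc}
    if target:
        rec["TargetUserOrGroupName"] = target
    return json.dumps(rec)

SAMPLE_EXPORT = "\n".join([
    _rec("2024-05-01T08:10:00", "FileAccessed", ALICE, "Q2-plan.docx"),
    _rec("2024-05-01T09:00:00", "SecureLinkCreated", ALICE, "Q2-plan.docx"),
    _rec("2024-05-02T14:05:00", "SecureLinkCreated", ALICE, "Invoice.pdf"),
    _rec("2024-05-02T14:05:10", "AddedToSecureLink", ALICE, "Invoice.pdf", "bob@partner.example"),
    _rec("2024-05-02T14:05:12Z", "AddedToSecureLink", "Alice@contoso.example", "Invoice.pdf", "Carol@partner.example"),
    _rec("2024-05-02T15:00:00", "SharingSet", "dave@contoso.example", "Notes.one", "erin@partner.example"),
    "{truncated record",
])
COMPROMISED_AT = datetime(2024, 5, 2, 13, 0, tzinfo=timezone.utc)  # constructed

def parse_time(value):
    # Audit timestamps are UTC, usually without an offset: treat naive values as UTC.
    ts = datetime.fromisoformat(value.rstrip("Z"))
    return ts.replace(tzinfo=timezone.utc) if ts.tzinfo is None else ts

def sharing_since(export_text, user, compromised_at):
    """Map each object shared by `user` at or after `compromised_at` to its recipients."""
    findings = {}
    for line in export_text.splitlines():
        try:
            rec = dict(json.loads(line))
            when = parse_time(rec["CreationTime"])
        except (ValueError, TypeError, KeyError):
            continue  # blank, truncated or non-record line
        if (rec.get("Operation") not in SHARING_OPS
                or rec.get("UserId", "").lower() != user.lower()
                or when < compromised_at):
            continue
        recipients = findings.setdefault(rec.get("ObjectId", "<unknown>"), set())
        if rec.get("TargetUserOrGroupName"):
            recipients.add(rec["TargetUserOrGroupName"].lower())
    return {obj: sorted(names) for obj, names in findings.items()}
```

The addresses returned for each document are the recipients to notify; a document that appears with no recipients had a link created but no named target in the export and needs a manual look.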