Original Release Date: 7/30/2020
The way organizations conduct business and how users access corporate networks, resources, and data have changed significantly with the dramatic increase in remote workforce this year, resulting in vulnerable people, processes, and technology. Organizations depend on secure and reputable business productivity suites, such as Microsoft Office 365, to work more effectively, particularly when in a remote environment. The widespread use and dependence on these services, however, makes them desirable targets of malicious cyber activity. During the first half of 2020, researchers discovered a 176 percent increase in new malware attacks disguised as trusted Microsoft Office file types.
Cyber-criminals continue to target Microsoft Office 365 users with convincing phishing campaigns, oftentimes in an attempt to steal login credentials. The NJCCIC has recently observed multiple attempts to deliver Microsoft SharePoint phishing emails to NJ State employees, consistent with open-source reporting. The emails are purportedly sent from within the target's organization, a claim reinforced by the sender’s display name and the repetitive inclusions of the target’s organization, and appear to be automated Microsoft SharePoint notifications that invite the recipient to open or view documents. The emails are brief, vague, and contain a link that, if clicked, directs the target through multiple redirects to a spoofed Microsoft SharePoint authentication webpage. If credentials are entered, they are sent to the cyber-criminals in the background , providing them with the opportunity, absent multi-factor authentication controls, to gain unauthorized access that allows them to launch internal attacks, steal additional credentials or data from the organization, and more. Other observed Microsoft SharePoint phishing campaigns inviting recipients to open or view files include themes of orders, payment confirmations, electronic funds transfer (EFT) enrollments, and voicemail messages.
In addition to social engineering tactics used in phishing campaigns, cyber-criminals attempt to exploit systems via vulnerabilities for which a patch is not available or a patch has not yet been applied. Microsoft released multiple security updates earlier this month addressing several vulnerabilities affecting their products and services, including SharePoint. Exploitation of some of the recently released vulnerabilities could allow a remote threat actor to execute code and gain control over an affected system.
Users can reduce the opportunities for threat actors to exploit these various vulnerabilities through cybersecurity best practices. The recent significant increase in remote workforce, combined with continuing cyber-attacks and data breaches, reinforce the importance of security awareness, business processes, secure accounts and data, and patching and properly-configuring systems.
The NJCCIC recommends organizations implement a defense-in-depth cybersecurity strategy and educate themselves and others on these continuing threats and tactics to reduce victimization. Users are advised to exercise caution with links, attachments, and spoofed domains received from both unknown and trusted senders; navigate directly to authentic vendor websites; and keep applications up to date. If you are unsure of an email’s legitimacy, contact the sender via a separate means of communication. We also advise users and administrators to apply patches to affected products immediately after appropriate testing and keep systems up to date and properly configured. Please review the NJCCIC products Don’t Take the Bait! Phishing and Other Social Engineering Attacks and Tips for Teleworkers, Remote Access Security, and the Cybersecurity Best Practices webpage for additional recommendations.