MailGuard 25 October 2021 16:19:47 AEDT 6 MIN READ

Phishing Email Shares Fake Invoice via Microsoft SharePoint

Be careful when inspecting any emails claiming to share an invoice via Microsoft SharePoint. MailGuard is currently intercepting a phishing attempt in which cybercriminals purport to share an invoice. It is designed to steal sensitive data, including Microsoft 365 login details, and potentially install malware on networks. With over 190 million users across 200,000 businesses using Microsoft SharePoint daily to share documents, there is a high likelihood that unsuspecting users may fall prey to this scam.

The email appears to be sent from the ‘Accounts’ department of a drilling equipment business, as well as other compromised business email accounts, with the subject title: ‘Re: Revise Inv_90886611’. The body of the email includes the SharePoint and Microsoft logos, with an image of an Excel spreadsheet, alluding to a financial report that can only be accessed if the user signs into their SharePoint account through Microsoft Office 365. Contact details of the compromised business, in what appears to be an imitation of their branding, are included in the email signature to feign authenticity.

Here’s what the email looks like:  

[Image: screenshot of the phishing email]

When a user clicks on the blue ‘Open’ button, they are taken to the page below, another shared document page that appears to consist of two PDF documents. Details such as the folder icon, the ‘this link is safe’ alert, the privacy statement and the Microsoft logo are used to trick the victim into believing that they are accessing legitimate documents.

[Image: screenshot of the intermediate shared document page]

Clicking on the ‘Open’ link contained on this page brings the user to the actual phishing page, which asks them to ‘SIGN-IN WITH YOUR OFFICE365 TO VIEW DOCUMENT’ against the backdrop of a blurred-out Microsoft Word page, falsely alluding to the document the user is trying to access. Once the user’s credentials are entered and submitted, the attacker harvests them for later criminal use and the victim is met with an error message saying “Invalid Password…! Please enter correct password”.

[Image: screenshot of the phishing sign-in page]

Users are reminded of the importance of not downloading documents or clicking on links from unknown or unfamiliar senders, even when they appear to be from a business or professional organisation. Attachments and links should only be accessed when users are certain about the credibility of the sender.

MailGuard urges all recipients of this email to delete it immediately without clicking on any links. Providing details such as your login email and password to your Microsoft Office 365 account means that cybercriminals can access your email, calendars, contacts and sensitive company information, which can be used to design BEC scams, commit identity fraud, be sold on the dark web, or support other criminal activity.

MailGuard urges users not to click links or open attachments within emails that:     

  • Are not addressed to you by name.     
  • Appear to be from a legitimate company but use poor English, or omit personal details that a legitimate sender would include.     
  • Are from businesses that you were not expecting to hear from, and/or     
  • Take you to a landing page or website that is not the legitimate URL of the company the email is purporting to be sent from.     
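
The last check in the list above can be partly automated at the mail gateway. The sketch below is an added example, not MailGuard's code: it flags links in a SharePoint or Office 365 branded email body that do not point at a Microsoft host. The domain allowlist, the function names and the sample email are assumptions constructed for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Assumption: illustrative allowlist of Microsoft-operated parent domains; not exhaustive.
MS_DOMAINS = ("sharepoint.com", "office.com", "microsoftonline.com", "microsoft.com")
BRAND_TERMS = ("sharepoint", "office 365", "office365", "microsoft")


class _LinkCollector(HTMLParser):
    """Collects <a href> targets and the visible text of an HTML email body."""

    def __init__(self):
        super().__init__()
        self.hrefs, self.text = [], []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self.hrefs += [v for k, v in attrs if k == "href" and v]

    def handle_data(self, data):
        self.text.append(data)


def is_microsoft_host(host):
    """True only for an allowlisted domain or a genuine subdomain of one."""
    host = (host or "").lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in MS_DOMAINS)


def suspicious_links(html_body):
    """Return web links in a Microsoft-branded body that leave Microsoft hosts."""
    parser = _LinkCollector()
    parser.feed(html_body)
    if not any(t in " ".join(parser.text).lower() for t in BRAND_TERMS):
        return []  # no Microsoft branding, so this heuristic does not apply
    flagged = []
    for href in parser.hrefs:
        url = urlsplit(href)
        if url.scheme in ("http", "https") and not is_microsoft_host(url.hostname):
            flagged.append(href)
    return flagged


# Constructed sample modelled on the email described above; hosts are placeholders.
SAMPLE = """<p>Accounts shared a file with you via Microsoft SharePoint</p>
<a href="https://files.example.net/inv/open">Open</a>
<a href="https://sharepoint.com.example.net/login">Open</a>
<a href="https://contoso.sharepoint.com/:x:/r/Inv.xlsx">Privacy</a>"""

if __name__ == "__main__":
    for link in suspicious_links(SAMPLE):
        print("off-domain link in Microsoft-branded mail:", link)
```

The suffix match on a leading dot is what rejects lookalike hosts such as `sharepoint.com.example.net`. A link that passes this check is only on an allowlisted domain; the check says nothing about the content hosted there.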
     

One email is all that it takes     

All that it takes to devastate your business is a cleverly worded email message that can steal sensitive user credentials or disrupt your business operations. If scammers can trick one person in your company into clicking on a malicious link or attachment, they can gain access to your data or inflict damage on your business.     

For a few dollars per staff member per month, you can protect your business with MailGuard's predictive and advanced email security. Talk to a solution consultant at MailGuard today about securing your company's inboxes.  
