Open Forum

  • 1.  Security BUZZ - Malicious Attack with "Havoc frameworks"

    Posted 03-14-2025 09:29

    Phishers Disguise Attacks Inside SharePoint to Wreak Havoc

    Hackers are getting creative, and their latest trick involves using Microsoft SharePoint, a tool many businesses rely on, to spread dangerous attacks. By disguising their phishing scams as legitimate SharePoint documents, they can sneak past security measures and put both individuals and companies at risk.

    In the first step, malicious actors upload a harmful document to a SharePoint site, disguising it as a legitimate file. This document contains obfuscated scripts designed to execute harmful commands on the victim's computer. The unsuspecting user receives an email that appears completely legitimate, notifying them of a newly shared document on SharePoint. Since the email originates from the trusted SharePoint domain, it often evades traditional email security filters, which typically flag suspicious communications. Reassured by the email's authenticity, the user opens the document. Hidden within its content are scripts that, upon execution, trigger a PowerShell command to download and install the stealthy malicious framework. Once the malware is installed, the attackers gain complete control over the victim's machine. This access allows them to stealthily steal sensitive data, deploy additional layers of malware, or even navigate laterally through the victim's network, potentially compromising other connected systems.

    Takeaways:

    • Exercise Caution with Shared Documents: Cybercriminals continue abusing legitimate services in their attacks. Always verify the authenticity of unexpected SharePoint notifications, especially if you weren't anticipating any shared documents.
    • Disable Macros and Scripting: Configure your systems to disable macros and scripting by default. Only enable them for trusted documents from verified sources.
    • Keep Systems Updated: Regularly update your operating system and software applications to patch known vulnerabilities that attackers might exploit.
    • Implement Advanced Threat Protection: Next-generation antivirus programs and modern Endpoint Detection and Response (EDR) tools help protect against malicious script execution and abuse of tools built into the operating system.

    #ALTACyber



    ------------------------------
    Genady Vishnevetsky
    Chief Info Security Officer
    Stewart Title Guaranty Company
    Houston TX
    ------------------------------
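
As an added example (not part of the original post): a detection check for the last stage of the chain described in post 1, where opening the shared document ends in a PowerShell command that downloads the next stage. It scores process-creation events using Sysmon-style field names; the parent-process list, the threshold of two signals and the sample events are assumptions constructed for illustration.

```python
import base64
import re
# Assumption: processes that open documents or links; tune per environment.
DOC_PARENTS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe",
               "msedge.exe", "chrome.exe", "firefox.exe"}
DOWNLOAD_RE = re.compile(r"invoke-webrequest|invoke-restmethod|downloadstring|"
                         r"downloadfile|net\.webclient|start-bitstransfer", re.I)
# -e, -ec, -enc ... -EncodedCommand followed by a base64 blob
ENCODED_RE = re.compile(r"\s-e(?:c|n[a-z]*)?\s+([A-Za-z0-9+/=]{16,})", re.I)

def basename(path):
    return path.rsplit("\\", 1)[-1].lower()

def decode_encoded_command(cmdline):
    """Decode a PowerShell -EncodedCommand argument (base64 of UTF-16LE), else ''."""
    m = ENCODED_RE.search(cmdline)
    try:
        raw = base64.b64decode(m.group(1), validate=True) if m else b""
    except ValueError:  # not valid base64 after all
        return ""
    return raw.decode("utf-16-le", "replace")

def score_event(ev):
    """Return the reasons a process-creation event resembles the chain above."""
    if basename(ev["Image"]) not in ("powershell.exe", "pwsh.exe"):
        return []
    decoded = decode_encoded_command(ev["CommandLine"])
    reasons = ["encoded command"] if decoded else []
    if DOWNLOAD_RE.search(ev["CommandLine"] + " " + decoded):
        reasons.append("network download")
    if basename(ev["ParentImage"]) in DOC_PARENTS:
        reasons.append("document or browser parent")
    return reasons

def triage(events, threshold=2):
    """Indexes and reasons of events carrying at least `threshold` signals."""
    return [(i, r) for i, ev in enumerate(events)
            if len(r := score_event(ev)) >= threshold]

# Constructed sample events (Sysmon Event ID 1 style fields), not real telemetry.
PS_PATH = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
B64_SAMPLE = base64.b64encode(
    "Invoke-WebRequest https://example.invalid/placeholder".encode("utf-16-le")).decode()
SAMPLE_EVENTS = [
    {"Image": PS_PATH, "ParentImage": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "CommandLine": "powershell.exe -nop -enc " + B64_SAMPLE},
    {"Image": PS_PATH, "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": r"powershell.exe -File C:\Scripts\backup.ps1"},
    {"Image": PS_PATH, "ParentImage": r"C:\Windows\System32\svchost.exe",
     "CommandLine": "powershell.exe -Command Invoke-WebRequest https://example.invalid/health"},
]
```

Calling `triage(SAMPLE_EVENTS)` flags only the first event; the scheduled download from `svchost.exe` carries a single signal and stays below the threshold.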


  • 2.  RE: Security BUZZ - Malicious Attack with "Havoc frameworks"

    Posted 03-14-2025 13:23

    Genady:  
    I can't wait to meet you at ALTA and hear your presentation! I'm really looking forward to it. Thank you, as always, for the valuable research and information you provide to help keep us safe in this constantly evolving world.



    ------------------------------
    Mary Enzi CAA
    Tax Solutions – FIRPTA Consulting
    [email protected]
    +1 (281) 578-1040
    Katy TX
    ------------------------------