Microsoft SharePoint/Google Drive folders as an Evasion Technique
Aug. 2, 2024
What you'll learn in this notification
Mimecast Threat Research has identified threat actors are using SharePoint and Google Drive to share files containing links to malicious sites.
- Predominantly utilizes compromised Microsoft 365 accounts.
- Observed phishing pages have indicators related to ‘NakedPages’ phish kits.
- Slow increase since early March, large spike in April continued into May.
Mimecast Threat Research has observed threat actors utilizing SharePoint and Google Drive to share files containing links to malicious sites. The lure is predominantly a bid invitation with the goal of obtaining credentials through a hosted phish kit.
An example from this campaign can be seen below, which utilizes a compromised O365 account. In most cases domains are utilized from specific industries related to the target increasing the likelihood for the end user to interact with the email.
The email contains a ‘Click here to view the project’ link used to gain further information on the bid. Upon clicking the link users are redirected to a SharePoint folder page containing a file, which is unusual as its normally the ‘files’ themselves making this unique.
The reasoning behind the additional layer of obfuscation is for the evasion from security solutions. In addition, the lure can be seen to be more legitimate with multiple files in the folder, or to help the threat actor manage campaigns where they can use folders without sharing a direct file.
In this campaign example, a folder has been established on the SharePoint page connected to a genuine company, with the purported owner of the file being associated with the same organization. Once inside the folder there is a requirement for a user to interact with the page to access the file.
Upon clicking the file, a blurred PDF appears prompting the user to access a link to login to their Microsoft account to gain access to the file.
The phishing pages have similar URL structure hxxps://[NAME].[store/online/site]/?[8 characters] which has been observed with phishing pages purchased on ‘NakedPages’. In some of the campaigns there is an addition of captcha pages to add to the number of user interactions needed to reach the final phishing page – sometimes up to 7. This has become a very common technique used by threat actors to evade detection.
This type of technique is not limited to Microsoft services only, here’s an example of one using Google Drive with very similar layout and final credential harvesting page:
While investigating the Google Drive example, an error page was presented which provides a bit more detail of the campaign where a licensing failure is observed presumably from ‘NakedPages’.
Additional information on the page refers to nkp.relay-proxy-i2p.com. I2P which is a privacy-focused network layer for anonymous communication. It suggests that the phishing page was trying to connect to an I2P relay or proxy, likely to exfiltrate data or communicate anonymously.
Further investigation uncovers that nkp.relay-proxy-i2p.com has only recently been active and resolved to FlokiNET. FlokiNET is a web hosting provider known for offering services with a strong emphasis on privacy and freedom of speech, often used by activists and journalists, but threat actors also make good use of these services. Mimecast has observed a recent shift in hosting indicating that threat actors are rotating their infrastructure more to avoid detection and takedown efforts.
The name servers for nkp.relay-proxy-i2p.com are Njalla, which provide another interesting point. Njalla which is a domain registration service that emphasises privacy and anonymity protecting the identity of domain owners. It does this by acting as a middleman between the registrar and the domain owner registering the domain on your behalf, keeping personal information hidden.
Targets
Global, all industries
IOCs
Credential harvesting sites
- hxxps://esthereiahdhd.store/?ubzveppo
- hxxps://noticebidproject.online/?xptjjunz
- hxxps://ncosulteng.store/?lzbcqrww
- hxxps://elbenchaesn.store/?oyhbewrx
Subject lines (multiple variations exist)
- INVITATION TO BID: Northwest Line Builders LLC . . .-- Project No.21-1161L 1912
- INVITATION TO BID: CONSTRUCTION TESTING SERVICES, LLC . . .-- Project No. 21-1161L 1912
- Invitation to Bid: Project No. 21-1161L: Infrastructure Water Plant Gas Solutions
- INVITATION TO BID: Balcones Resources Inc . . .-- Project No.21-1161L 1912