Microsoft researchers discovered that attackers are using spoofed sender addresses to slip past the usual security protections and fool recipients in credential-harvesting attacks.
The company's Security Intelligence team took to Twitter to post details of the campaign, which uses O365 together with the file-sharing feature of SharePoint.
An active phishing campaign is using a crafty combination of legitimate-looking original sender email addresses, spoofed display sender addresses that contain the target usernames and domains, and display names that mimic legitimate services to try and slip through email filters. — Microsoft Security Intelligence (@MsftSecIntel) July 30, 2021
The emails use a SharePoint lure in the display name as well as in the message, which poses as a "file share" request for supposed "Staff Reports", "Bonuses", "Pricebooks", and other content, with a link that navigates to the phishing page. pic.twitter.com/c33awiAeH4 — Microsoft Security Intelligence (@MsftSecIntel) July 30, 2021
The email entices victims by posing as a file-share request from a colleague. It includes a phishing link that redirects them to an Office 365 phishing page, which asks them to sign in with their legitimate credentials.
“The emails contain two URLs that have malformed HTTP headers. The primary phishing URL is a Google storage resource that points to an AppSpot domain that requires the user to sign in before finally serving another Google User Content domain with an Office 365 phishing page.”
“The second URL is embedded in the notifications settings and links the victim to a compromised SharePoint site. Both URLs require sign-in to get to the final page, allowing the attack to bypass sandboxes,” Microsoft stated.
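The three sender traits Microsoft describes (an original sender that differs from the displayed one, a displayed address that reuses the target's username and domain, and a SharePoint-themed display name) can be checked together at the mail gateway. The following is an added example, not Microsoft's detection logic; the sample messages and the names `score_message` and `LURE_TERMS` are constructed for illustration, and it assumes the receiving server has recorded the envelope sender in `Return-Path`.

```python
from email import message_from_string
from email.utils import parseaddr

# Lure wording quoted in the Microsoft tweets above.
LURE_TERMS = ("sharepoint", "file share", "staff reports", "bonuses", "pricebooks")

def domain_of(addr):
    return addr.rpartition("@")[2].lower()

def score_message(raw, recipient):
    """Return the campaign traits found in one RFC 5322 message."""
    msg = message_from_string(raw)
    display_name, from_addr = parseaddr(msg.get("From", ""))
    # Assumption: Return-Path was set by the receiving MTA from the envelope sender.
    _, envelope = parseaddr(msg.get("Return-Path", ""))
    from_addr, envelope, recipient = from_addr.lower(), envelope.lower(), recipient.lower()
    findings = []
    # Trait 1: the displayed sender reuses the target's own username and domain.
    rcpt_user = recipient.partition("@")[0]
    if rcpt_user and domain_of(from_addr) == domain_of(recipient) \
            and rcpt_user in from_addr.partition("@")[0]:
        findings.append("display-sender-mirrors-recipient")
    # Trait 2: the original sender is on a different domain than the displayed one.
    if envelope and domain_of(envelope) != domain_of(from_addr):
        findings.append("envelope-from-mismatch")
    # Trait 3: SharePoint / file-share lure in the display name or subject.
    text = f"{display_name} {msg.get('Subject', '')}".lower()
    if any(term in text for term in LURE_TERMS):
        findings.append("sharepoint-lure")
    return findings

# Constructed sample messages (not taken from the campaign).
SUSPECT = (
    "Return-Path: <notify@mailer.example.net>\n"
    'From: "SharePoint File Share" <jdoe@contoso.example>\n'
    "To: jdoe@contoso.example\n"
    "Subject: Staff Reports shared with you\n\nOpen the shared file.\n"
)
BENIGN = (
    "Return-Path: <alice@contoso.example>\n"
    'From: "Alice Smith" <alice@contoso.example>\n'
    "To: jdoe@contoso.example\n"
    "Subject: Lunch on Friday\n\nSee you at noon.\n"
)

if __name__ == "__main__":
    for name, raw in (("suspect", SUSPECT), ("benign", BENIGN)):
        print(name, score_message(raw, "jdoe@contoso.example"))
```

A message that shows all three traits at once is a strong candidate for quarantine; any single trait on its own also occurs in legitimate mail, such as bulk senders with a separate bounce domain.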