“We needed to find solutions to a variety of issues whilst being a complex business, operating in a 24/7 environment. Stripe OLT listened and understood immediately the challenges we faced.”
“We needed to find solutions to a variety of issues whilst being a complex business, operating in a 24/7 environment. Stripe OLT listened and understood immediately the challenges we faced.”
Request a Call-back.
First we need a few details.
Keep up to date with the experts
Get insights direct to your email inbox
Follow us on social
“We needed to find solutions to a variety of issues whilst being a complex business, operating in a 24/7 environment. Stripe OLT listened and understood immediately the challenges we faced.”
Request a Call
First we need a few details.
In recent weeks, OneNote supply chain phishing campaigns have been creeping up time and time again and no doubt you’ve already seen your fair share of these articles by now. Unfortunately, I don’t think these styles of attacks will be going away any time soon as threat actors are continuing to adapt and evolve their tactics each week to try and evade detection rules being placed by fellow Defenders.
Nonetheless, I wanted to create this article to raise awareness to some method’s we’ve observed in the wild as recently as within the last 24 hours. (TLDR Version of this article is in progress).
[Edit: — Note, these methods are not as new as I first imagined, conversations with other researchers and threat intelligence specialists revealed these methods have been used since at least 2019. Nonetheless, they haven’t changed therefore it is still important to know how to identify these attacks.]
Previously, the main methods of operation used by these “phishermen” was to send an email containing OneNote (.one) documents weaponised with embedded URLs to credential harvesters, or in some extreme cases, contained malware which would execute upon interaction. This became a simple fix for most people, adding a rule to block inbound emails containing a .one attachment seemed to be an easy enough solution… or so we thought.
In this article I will be covering:
In the early days of these OneNote supply chain phishing attacks being seen, it was noted that the attackers would often send OneNote files from random spam phishing email addresses which most end users would be able to pick up on and flag as phishing or spam. Or alternatively, the emails would just be blocked for containing a OneNote attachment (providing rules were in place).
However, in recent campaigns seen within the last two weeks, it has been noted that threat actors have adapted their methods so that instead of needing to send a OneNote document to a victim, they can just send them to a OneNote document hosted in a public facing SharePoint which will in turn, bypass these rules to block emails containing OneNote attachments as well as any email filtering solutions as the URL will be to a legitimate SharePoint URL. Very unlikely to be blocked within an organisation.
This is where things get interesting…
The Threat Actor will compromise a business email account. In this example, Example Corp CFO, Joe Bloggs (joe.bloggs@examplecorp.com) has been compromised.
Using Joe’s account, the attacker will now create a malicious OneNote document in his personal sharepoint which will be used to redirect the victim to a phishing domain that was most likely used to initially compromise Joe’s account.
The attacker will now use this compromised email to send a series of other malicious emails targeting partner companies of Example Corp. These emails will contain a URL leading to the new SharePoint hosted OneNote file. The subject of a lot of these emails will be in the format of — ‘Joe Bloggs shared “< Random Document Name Here>” with you.’
The victim at the targeted partner organisation recieves this email from Joe Bloggs. This is where the abuse of trust comes into play. Since Example Corp are partners of theirs, and the victim knows that Joe is the CFO at Example Corp, this must be legitimate right?
Real world example of the phishing email sent from a compromised business email.
Similar real world example using the same style of email but this one is pretending to use an Excel doc instead of OneNote.
The URL received by the victim will be to SharePoint, not many people will suspect a real sharepoint link to be malicious as this is used by most organisations today allowing users to collaborate effortlessly. This URL is what takes the victim to the OneNote file hosted in Joe Blogg’s personal sharepoint. Again, because the email is from a legitimate source and did not contain a OneNote attachment it will bypass any current rules to block emails containing attachments with a .one extension. Additionally, because the domain used to host the file is SharePoint, this will likely not be within any block lists at any organisation meaning these emails will slip right through the net in most cases.
Upon clicking REVIEW DOCUMENT HERE — the victim is now forwarded to the Credential Harvester… This page is actually hidden behind a CloudFlare CAPTCHA page meaning that any static sandbox detection tools will NOT be able to see the harvester behind the CAPTCHA challenge. This is why Dynamic Analysis is so important for Defenders.
CloudFlare Captcha
MS Credential Harvester. Notice the .RU domain
Here I wanted to test to see what the input fields look for, you will find that the complexity of these credential harvesters can vary massively. For example:
In this case, I used the fake email of Hello@mate.lol accompanied by a fat password containing a ‘polite message’ for the actor to read later. Both of which were actually accepted and I was forwarded to the official Microsoft Office domain of www.office.com — It is worth noting that when I went back to try and use this same credential pair I was told the email was invalid indicating you can only submit one email once?
Credential harvester accepting my fake email and polite message of a password.
Details being “Successfully Confirmed!”
Redirect to Office.com
Failing to accept hello@mate.lol the second time around. Probably didn’t appreciate my friendly message.
As you can see from the world class piece of art I put together above, this attack can scale up massively in no time. Once one organisation is compromised, it is possible for a further handful of organisations to be targeted, compromised and utilised to continue the campaign. Scary right?
As of right now, we are currently working on detection rules for this new method of attack therefore I will be updating this article with any rules we create in due course. If anybody has any suggestions or already has rules for this type of attack, please reach out, I’d love to collaborate.
The main take aways from this campaign are:
If you have any questions, feedback or want to share information related to the details discussed in this article, please feel free to reach out on to Joe on LinkedIn.
Happy Hunting!
Want to know more about cyber security user awareness training? Get in touch today and learn how to keep your organisation secure.
