Connect with us

Hi, what are you looking for?

HEADLINES

Phishing scam uses Sharepoint and One Note to go after passwords

Instead of simply spamming out a clickable link to as many people as possible, cybercriminals would use more labyrinthine techniques.

Sophos reported new phishing scams through cloud-based platforms. This involves the use of SharePoint and OneNote to go after passwords. Instead of simply spamming out a clickable link to as many people as possible, cybercriminals would use more labyrinthine techniques. 

First, crooks would send an innocent-looking email with an attachment from a sender, whose email account had evidently been hacked. The attachment takes the victim to a message with a Sharepoint link to access a One Note file that leads to a login form. If the victim puts in a password, it goes straight to the crooks.

Given this new phishing scam, Paul Ducklin, Principal Research Scientist at Sophos, has provided some tips to help users and companies stay secure:

  • Don’t click login links that you reach from an email. That’s an extension to our usual advice never to click login links that appear directly in emails. Don’t let the crooks distract you by leading you away from your email client first to make their phishing page feel more believable when you get there. If you started from an email, stop if you hit a password demand. Find your own way to the site or service you’re supposed to use.
  • Keep your eyes open for obvious giveaways. As we’ve said many times before, the only thing worse than being scammed is being scammed and then realizing that the signs were there all along. Crooks don’t always make obvious mistakes, but if they do, make sure you don’t miss them.
  • If you think you put in a password where you shouldn’t, change it as soon as you can. Find your own way to the official site of the service concerned, and log in directly. The sooner you fix your mistake, the less chance the crooks have of getting there first.
  • Use 2FA whenever you can. Accounts that are protected by two-factor authentication are harder for crooks to take over because they can’t just harvest your password and use it on its own later. They need to trick you into revealing your 2FA code at the very moment that they’re phishing you.
  • Consider phishing simulators like Sophos Phish Threat. If you are part of the IT security team, Phish Threat gives you a safe way to expose your staff to phishing-like attacks, so they can learn their lessons when it’s you at the other end, not the crooks.
Advertisement
Advertisement
Advertisement

Like Us On Facebook

You May Also Like

HEADLINES

Organizations must implement a risk assessment methodology that is aligned with their operational realities – by establishing a clear asset baseline, organizations can engage...

APPS

Experts suggest that the goal of the attackers is to steal cryptocurrency assets from residents of Southeast Asia and China. Users in the Philippines...

White Papers

Nearly 50% of companies paid the ransom to get their data back – the second highest rate of ransom payment for ransom demands in...

GAMING

To help players stay safe, Kaspersky is launching “Case 404” — an interactive cybersecurity game that teaches Gen Z how to recognize threats and protect their...

HEADLINES

A zero-trust secure connection has many applications beyond automotive. It’s really for any industry that cares about security, and managing that security at scale.

HEADLINES

Organisations across the Asia-Pacific and Japan region are putting their security posture first, and many are now detecting intrusions early in the attack lifecycle,...

HEADLINES

Agentic AI Assistants—such as Apple Siri, Google Gemini, Microsoft Copilot, OpenAI ChatGPT, and others—are increasingly available to mobile users in consumer and enterprise environments. However, the same...

HEADLINES

Based on breach-tracking research conducted for over two decades, over 124 million Filipino user accounts have been compromised since 2004. This puts the Philippines...

Advertisement