Cybersecurity

Sophos: Cybercriminals exploit SharePoint, OneNote to obtain user password

Cybersecurity solutions firm Sophos has found that cybercriminals are using the cloud-based collaboration platforms SharePoint and OneNote to lure people into entering their passwords on a malicious link.

The COVID-19 pandemic has forced people to work remotely, and organizations rely on collaborative apps so that staff can do their jobs and business operations continue uninterrupted. Criminals have seized on this shift and are exploiting it to obtain the passwords of unsuspecting victims.

Microsoft OneNote is a note-taking program for free-form information gathering and multi-user collaboration. SharePoint, on the other hand, is a web-based collaborative platform that integrates with Microsoft Office.

As in most phishing scams, the cybercriminals send emails with an attachment from a sender “whose email account had evidently been hacked.” The attachment then leads the victim to a login form that asks them to enter their login credentials.

Given this new phishing scam, Paul Ducklin, Principal Research Scientist at Sophos, has provided some tips to help users and companies stay secure:

  • Don’t click login links that you reach from an email. That’s an extension to our usual advice never to click login links that appear directly in emails. Don’t let the crooks distract you by leading you away from your email client first to make their phishing page feel more believable when you get there. If you started from an email, stop if you hit a password demand. Find your own way to the site or service you’re supposed to use.
  • Keep your eyes open for obvious giveaways. As we’ve said many times before, the only thing worse than being scammed is being scammed and then realizing that the signs were there all along. Crooks don’t always make obvious mistakes, but if they do, make sure you don’t miss them.
  • If you think you put in a password where you shouldn’t, change it as soon as you can. Find your own way to the official site of the service concerned, and log in directly. The sooner you fix your mistake, the less chance the crooks have of getting there first.
  • Use 2FA (two-factor authentication) whenever you can. Accounts that are protected by two-factor authentication are harder for crooks to take over because they can’t just harvest your password and use it on its own later. They need to trick you into revealing your 2FA code at the very moment that they’re phishing you.
  • Consider phishing simulators like Sophos Phish Threat. If you are part of the IT security team, Phish Threat gives you a safe way to expose your staff to phishing-like attacks, so they can learn their lessons when it’s you at the other end, not the crooks.