File sharing phishing campaign in NZ

CERT NZ are warning of a file sharing phishing campaign in NZ. Compromised accounts are being used to send phishing messages from trusted or known contacts.

The phishing messages will appear to be a Microsoft OneDrive or SharePoint file sharing invitation from someone you know, inviting you to access a shared file.

The message links to a lookalike Microsoft login page that captures whatever username and password you type into it. The stolen credentials are then used to sign in to your account, which gives the cybercriminals a foothold against you and, if it is a work account, against your business or organisation: they can read your mail, send the same phishing message on to your contacts, and set up mailbox rules to cover their tracks.

How do I protect myself?

Trust no-one

Don’t assume a sharing request is safe just because it is from someone you know. This campaign is using compromised genuine accounts.

Check links carefully

Always check where a link really goes before clicking it. Most browsers show the true destination in a corner of the window when you hover your mouse over the link; on a phone, pressing and holding the link usually shows it. Genuine Microsoft sign-in pages are served from login.microsoftonline.com (work and school accounts) or login.live.com (personal accounts), and the address must match one of those exactly. A link that merely contains those names, such as login.microsoftonline.com.somewhere-else.example, is not Microsoft.

Check carefully! Cybercriminals often register lookalike addresses, making small and subtle changes, so that their login page has a similar, or at least plausible, address. If the address is not exactly right, treat it as malicious.

Test yourself

Without clicking on them, which is the genuine Microsoft Live login address?

login-live.com
login.1ive.com
live.microsoft-login.nz

Give yourself a credit if you said the second one was the real address, because you realised it was the only one which had the fully correct address layout.

However, you also need to give yourself a debit, because it too is fake: the first letter of "live" is actually a number one. Hovering over it to see your browser's link hint makes it more obvious. Give yourself an even bigger debit if you did hover over that link and still didn't notice the number.

You get the biggest credit if you realised none of them are genuine.
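As an added example (not from the original page or from CERT NZ), here is the check the quiz above is training you to do, written as a small Python function. It pulls the real host out of a link the way a browser does, demands an exact match against the two genuine sign-in hosts, and explains which lookalike trick it found. The two genuine hosts, the confusable-character table and the "skeleton" comparison are this example's own assumptions.

```python
"""Check whether a link really points at a genuine Microsoft sign-in host.

Added example, not from the original page or CERT NZ. The allowlist, the
confusable-character table and the skeleton comparison are assumptions.
"""
from urllib.parse import urlsplit

# Hosts Microsoft serves sign-in pages from: work/school and personal accounts.
GENUINE_LOGIN_HOSTS = {"login.microsoftonline.com", "login.live.com"}

# Substitutions seen in lookalike names (assumed table; covers the quiz above).
CONFUSABLES = {"1": "l", "0": "o", "vv": "w", "rn": "m"}


def _hostname(link: str) -> str:
    """Host the link really points at, lower-cased; '' if there is none."""
    if "://" not in link:
        link = "https://" + link        # accept a bare 'login.1ive.com'
    return (urlsplit(link).hostname or "").rstrip(".")


def _normalise(host: str) -> str:
    """Undo character look-alikes so 'login.1ive.com' reads 'login.live.com'."""
    for fake, real in CONFUSABLES.items():
        host = host.replace(fake, real)
    return host


def _skeleton(host: str) -> str:
    """Normalise, then drop dots and hyphens: 'login-live.com' -> 'loginlivecom'."""
    return _normalise(host).replace(".", "").replace("-", "")


def classify_login_link(link: str) -> tuple[str, str]:
    """Return ('genuine' | 'suspicious', reason) for a sign-in link."""
    host = _hostname(link)
    if not host:
        return "suspicious", "link has no host"
    if host in GENUINE_LOGIN_HOSTS:
        return "genuine", f"host is exactly {host}"
    # Non-ASCII names: the punycode (xn--) form is what a careful browser shows.
    try:
        ascii_host = host.encode("idna").decode("ascii")
    except UnicodeError:
        return "suspicious", "host is not a valid domain name"
    if ascii_host != host:
        return "suspicious", f"internationalised name, really {ascii_host}"
    for genuine in GENUINE_LOGIN_HOSTS:
        # Genuine name used as a subdomain of someone else's domain.
        if host.startswith(genuine + "."):
            return "suspicious", f"{genuine} is only a subdomain of {host}"
        # Swapped characters (1 for l) or swapped punctuation (- for .).
        if _normalise(host) == genuine or _skeleton(host) == _skeleton(genuine):
            return "suspicious", f"look-alike of {genuine}"
    return "suspicious", f"{host} is not a Microsoft sign-in host"
```

Every quiz address comes back suspicious, as does login.microsoftonline.com.evil.example (the genuine name used as a subdomain of another domain) and https://login.microsoftonline.com@evil.example/ (the genuine name placed before an @, so the browser actually goes to evil.example). A helper like this supports a human reading the address bar; it does not replace that habit.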

What if I click the link?

If you do click a link, do the same check on the browser's address bar for the page you end up on. The text of a link can say one thing while the link points somewhere else, and a link can bounce you through one or more redirects before it lands, so the address bar is the final word on where you are. Some lookalike tricks are also easier to spot there: browsers usually display a suspicious internationalised domain name in its raw xn-- form. Even so, merely opening a malicious page exposes you to other forms of attack, so avoid clicking if you can.

Don’t be fooled because the login page looks real

Malicious credential theft pages are often an exact copy of the genuine page, or at least plausibly similar, so looks alone prove nothing. Any difference from the page you normally see should ring alarm bells, but a perfect copy should not reassure you either: the address is what counts.

Don’t authorise unrecognised Multi-Factor Authentication (MFA) requests

If you use MFA (and you definitely should), only approve logins you know you initiated.

Be especially wary of a continual stream of authentication requests you did not trigger. It almost certainly means cybercriminals already have your password and are trying to log in, hoping you will get frustrated with the alerts and approve one to make them stop. This is known as an "MFA fatigue attack" or "MFA bombing". Deny every prompt, change your password, and tell your IT people. If your authenticator app offers number matching (you type a number shown on the login screen instead of just tapping Approve), turn it on: a blind tap can then no longer let an attacker in.

If you don’t understand what MFA is, or how it works, you can read our article on it here.
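An added example, not from the page or CERT NZ, of how an IT team could spot MFA bombing in sign-in data: it groups unapproved MFA prompts that arrive within a couple of minutes of each other, reports any cluster of four or more, and notes whether an approval followed shortly after, which is the sign that someone gave in. The sign-in records are constructed and their layout is assumed.

```python
"""Find MFA fatigue / MFA bombing bursts in sign-in records.

Added example, not from the page or CERT NZ. SAMPLE_SIGNINS is constructed
and its (time, user, mfa_result, source_ip) layout is an assumption.
"""
from datetime import datetime, timedelta

# Constructed: alice is hammered with prompts just after 02:10 and finally approves.
SAMPLE_SIGNINS = [
    ("2024-05-03T02:10:05", "alice@example.org", "denied",   "203.0.113.9"),
    ("2024-05-03T02:10:48", "alice@example.org", "timeout",  "203.0.113.9"),
    ("2024-05-03T02:11:30", "alice@example.org", "denied",   "203.0.113.9"),
    ("2024-05-03T02:12:02", "alice@example.org", "timeout",  "203.0.113.9"),
    ("2024-05-03T02:12:40", "alice@example.org", "denied",   "203.0.113.9"),
    ("2024-05-03T02:13:55", "alice@example.org", "approved", "203.0.113.9"),
    ("2024-05-03T08:30:00", "bob@example.org",   "approved", "198.51.100.20"),
    ("2024-05-03T09:02:11", "bob@example.org",   "denied",   "198.51.100.20"),
]

UNAPPROVED = {"denied", "timeout"}   # prompt shown but not approved


def parse(records):
    """Turn ISO timestamps into datetimes so gaps can be measured."""
    return [(datetime.fromisoformat(t), user, result, ip) for t, user, result, ip in records]


def find_mfa_bursts(records, max_gap=timedelta(minutes=2), threshold=4,
                    follow=timedelta(minutes=10)):
    """Return one dict per user whose unapproved prompts clustered into a burst.

    Consecutive unapproved prompts no more than max_gap apart form a cluster;
    a cluster of at least threshold prompts is a burst. approved_after is True
    when the same user approved a prompt within `follow` of the burst's end.
    """
    events = sorted(parse(records))
    by_user = {}
    for ev in events:
        by_user.setdefault(ev[1], []).append(ev)

    bursts = []
    for user, evs in by_user.items():
        prompts = [e for e in evs if e[2] in UNAPPROVED]
        approvals = [e[0] for e in evs if e[2] == "approved"]
        cluster = []
        for p in prompts + [None]:          # None flushes the final cluster
            if p is not None and (not cluster or p[0] - cluster[-1][0] <= max_gap):
                cluster.append(p)
                continue
            if len(cluster) >= threshold:
                last = cluster[-1][0]
                bursts.append({
                    "user": user,
                    "first": cluster[0][0],
                    "last": last,
                    "prompts": len(cluster),
                    "source_ips": sorted({c[3] for c in cluster}),
                    "approved_after": any(last < a <= last + follow for a in approvals),
                })
            cluster = [] if p is None else [p]
    return bursts


if __name__ == "__main__":
    for b in find_mfa_bursts(SAMPLE_SIGNINS):
        print(f"{b['user']}: {b['prompts']} prompts {b['first']:%H:%M}-{b['last']:%H:%M} "
              f"from {b['source_ips']}, approved afterwards: {b['approved_after']}")
```

A burst followed by an approval is the case to act on immediately: treat the account as compromised and start the lock-out steps further down this page. The thresholds are deliberately loose and should be tuned to the organisation's normal prompt rate.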

What should I do if I responded to a file sharing email recently?

Don’t panic

Just because you did respond to a file sharing request does not mean you have a problem. It may have been genuine.

Contact the sender

Contact the sharing request's sender to see if they actually tried to share a file with you. Don't do this by replying to the email: if their account was compromised, the cybercriminals may be reading the mailbox and may have set up email rules to hide such queries. Phone them, or message them on another channel.

If they say they did share a file with you, you can relax.

If they say they didn’t share a file with you…

For a business account…

Your organisation should have a cyberattack response plan to follow. Activate it now. The plan should detail who to contact and what actions need to be followed.

If there isn’t a plan in place, you should seriously consider contacting a cyber resilience expert in the near future to get one created. Outfox can do this for you (contact us here).

For a personal account, or if there isn’t a cyberattack response plan…

NB: we recommend you contact a cybersecurity expert if you are unsure about how to do any of the following steps.

Check links

If you still have the email, double check the links in it using the checks above. If you don't, look through your browser's history for the pages you visited, and think about whether you typed your username and password into any of them.

Check for unfamiliar logins

Check your account's sign-in activity for logins or login attempts from unfamiliar devices, locations or times. Personal Microsoft accounts have a recent activity page; for work accounts, your IT team can pull the sign-in logs.

Check your email rules

Check your email rules for new or unfamiliar rules. Rules created by cybercriminals typically delete messages, mark them as read, move them to a folder you rarely look at (RSS Feeds, Archive, Deleted Items), or forward them to an outside address, and they are often given an unhelpful name such as a single full stop.
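An added example (not from the page or CERT NZ) of the two checks above applied to exported data: the first function flags sign-ins from a country or device the user has never used, the second flags inbox rules that leak, delete or bury mail. Both datasets are constructed and the field names are assumptions; a real export (the Microsoft account recent-activity page, Entra sign-in logs, or the output of Exchange's Get-InboxRule) carries the same information under different names.

```python
"""Triage sign-in activity and inbox rules after a suspected phish.

Added example, not from the page or CERT NZ. SIGNINS and RULES are constructed
and their field names are assumptions.
"""

# Constructed sign-ins for one user whose normal pattern is NZ on "Alice-Laptop".
SIGNINS = [
    {"time": "2024-05-02T08:01:00", "country": "NZ", "ip": "203.0.113.9",   "device": "Alice-Laptop", "app": "OneDrive"},
    {"time": "2024-05-02T17:42:00", "country": "NZ", "ip": "203.0.113.9",   "device": "Alice-Laptop", "app": "Outlook"},
    {"time": "2024-05-02T17:55:00", "country": "NG", "ip": "198.51.100.77", "device": "Unknown",      "app": "Outlook Web"},
    {"time": "2024-05-02T18:03:00", "country": "NG", "ip": "198.51.100.77", "device": "Unknown",      "app": "Exchange ActiveSync"},
]

# Constructed inbox rules, modelled on what an Exchange/Outlook rule export shows.
RULES = [
    {"name": "Newsletters", "forward_to": [], "delete": False, "mark_read": False, "move_to": "Newsletters"},
    {"name": ".", "forward_to": ["fin-ops@mail-relay.example"], "delete": False, "mark_read": True, "move_to": "RSS Feeds"},
    {"name": "Invoices", "forward_to": [], "delete": True, "mark_read": False, "move_to": None},
]

# Folders attackers use to park mail the owner will not notice (assumed list).
HIDING_FOLDERS = {"rss feeds", "rss subscriptions", "archive", "junk email",
                  "deleted items", "conversation history"}


def unfamiliar_signins(signins, known_countries, known_devices):
    """Return (record, reasons) for every sign-in outside the user's normal pattern."""
    flagged = []
    for s in signins:
        reasons = []
        if s["country"] not in known_countries:
            reasons.append(f"country {s['country']} never seen before")
        if s["device"] not in known_devices:
            reasons.append(f"device '{s['device']}' is not one of the user's")
        if reasons:
            flagged.append((s, reasons))
    return flagged


def suspicious_rules(rules, internal_domain):
    """Return (rule name, reasons) for rules that leak, delete or bury mail."""
    flagged = []
    for r in rules:
        reasons = []
        external = [a for a in r.get("forward_to", [])
                    if not a.lower().endswith("@" + internal_domain.lower())]
        if external:
            reasons.append("forwards to " + ", ".join(external))
        if r.get("delete"):
            reasons.append("deletes matching messages")
        folder = (r.get("move_to") or "").lower()
        if r.get("mark_read") and folder in HIDING_FOLDERS:
            reasons.append(f"marks read and buries in '{r['move_to']}'")
        if not r["name"].strip(" .,_-"):
            reasons.append("name is punctuation only, a common attacker habit")
        if reasons:
            flagged.append((r["name"], reasons))
    return flagged


if __name__ == "__main__":
    for s, why in unfamiliar_signins(SIGNINS, {"NZ"}, {"Alice-Laptop"}):
        print(s["time"], s["ip"], "; ".join(why))
    for name, why in suspicious_rules(RULES, "example.org"):
        print(repr(name), "; ".join(why))
```

The two Nigerian sign-ins and two of the three rules come back flagged; the harmless "Newsletters" rule does not. Two sign-ins minutes apart from the same new address via Outlook Web and then ActiveSync is the typical shape of an attacker reading the mailbox and then adding a mail client of their own.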

If it looks like you were compromised…

Alert whoever needs to know

If your account is an organisation one, alert whoever needs to know that you might have fallen prey to a phishing attack. Do not keep it secret, or try to resolve it yourself. Time is of the essence when it comes to cyberattacks. The longer you wait, the longer the cybercriminals have to deepen their attack on you, and to use your account to spread it to your colleagues and your organisation's systems.

You could alert your manager, your IT person or department, and/or your IT provider.

Revoke all sessions

You should revoke all current sessions on your account. This signs out every device that is logged in, including any the cybercriminals have active and your own, so expect to sign in again afterwards.

Remove trusted devices

Remove all trusted devices linked to your account. You could try to only remove unrecognised devices, but it is safer to remove all, then re-add your devices. This will stop the cybercriminals from regaining access via trusted devices they might have added to your account. You can re-add your trusted devices later.

Remove Multi-Factor Authentication (MFA/2FA) devices

Remove all MFA devices from your account. Check even if you don't use MFA: the cybercriminals may have added an authenticator app or phone number of their own so they can get back in after you change your password. Removing everything stops that.

Change your password

You can now change your password. If you do it before doing the previous steps, you run the risk of alerting the cybercriminals that you are attempting to lock them out, which could prompt them to escalate the situation.

Make sure the new password is unique, long and strong. Either use a passphrase of several unrelated words run together (in the style of "correcthorsebatterystaple", though not that exact phrase, which is now in every cracking wordlist) or let a password manager generate a long random string of letters, digits and symbols.

If you used the same password anywhere else, change it there as well, and make each one unique this time. Re-using passwords is insecure because cybercriminals try any stolen credentials against other services (social media, streaming services, online banking and so on) in an attack known as "credential stuffing", precisely to catch people who re-use passwords.

Re-add your Multi-Factor Authentication (MFA/2FA) devices

MFA is one of the strongest things you can do to secure your account. You should always use it if it is available. Again, if you don’t understand what MFA is, or how it works, you can read our article on it here.
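For a work account in Microsoft 365, an administrator can script the lock-out steps above. The following is an added example, not from the page or CERT NZ; the Microsoft Graph endpoint paths and method type names are my reading of the v1.0 API and should be checked against current documentation before use, and the HTTP transport is injected so the sequence runs offline against the constructed FakeGraph below. It follows the page's order (sessions, trusted devices, MFA methods, then password) and adds a second session revoke at the end. Re-enrolling MFA is left to the user.

```python
"""Run the account lock-out sequence against Microsoft Graph (work accounts).

Added example, not from the page or CERT NZ. Endpoint paths and @odata.type
names are assumptions about Graph v1.0; verify them before real use.
"""
import secrets
import string

GRAPH = "https://graph.microsoft.com/v1.0"

# Authentication method type -> collection it is deleted from (assumed mapping).
METHOD_COLLECTIONS = {
    "#microsoft.graph.microsoftAuthenticatorAuthenticationMethod": "microsoftAuthenticatorMethods",
    "#microsoft.graph.phoneAuthenticationMethod": "phoneMethods",
    "#microsoft.graph.fido2AuthenticationMethod": "fido2Methods",
    "#microsoft.graph.softwareOathAuthenticationMethod": "softwareOathMethods",
    "#microsoft.graph.emailAuthenticationMethod": "emailMethods",
    "#microsoft.graph.windowsHelloForBusinessAuthenticationMethod": "windowsHelloForBusinessMethods",
    "#microsoft.graph.temporaryAccessPassAuthenticationMethod": "temporaryAccessPassMethods",
}
PASSWORD_TYPE = "#microsoft.graph.passwordAuthenticationMethod"   # cannot be deleted


def strong_password(length=24):
    """Random password from a CSPRNG; hand it to the user out of band."""
    alphabet = string.ascii_letters + string.digits + "!#$%&*+-=?@^_"
    return "".join(secrets.choice(alphabet) for _ in range(length))


def lock_out_attacker(send, user, new_password=None):
    """send(method, url, body=None) -> dict. Returns the ordered (method, path) calls.

    Order follows the page: sessions, trusted devices, MFA methods, password.
    A final revoke kills any token issued while the clean-up was running.
    """
    calls = []

    def call(method, path, body=None):
        calls.append((method, path))
        return send(method, f"{GRAPH}{path}", body) or {}

    u = f"/users/{user}"
    call("POST", f"{u}/revokeSignInSessions")                        # 1. sessions
    for dev in call("GET", f"{u}/registeredDevices").get("value", []):  # 2. devices
        call("DELETE", f"/devices/{dev['id']}")
    password_method_id = None
    for m in call("GET", f"{u}/authentication/methods").get("value", []):  # 3. MFA
        kind = m.get("@odata.type")
        if kind == PASSWORD_TYPE:
            password_method_id = m["id"]        # kept; needed for the reset
        elif kind in METHOD_COLLECTIONS:
            call("DELETE", f"{u}/authentication/{METHOD_COLLECTIONS[kind]}/{m['id']}")
        else:
            raise ValueError(f"unknown method type {kind}: remove it by hand")
    if password_method_id is None:
        raise RuntimeError("no password method found: reset the password by hand")
    call("POST", f"{u}/authentication/methods/{password_method_id}/resetPassword",
         {"newPassword": new_password or strong_password()})         # 4. password
    call("POST", f"{u}/revokeSignInSessions")                        # 5. belt and braces
    return calls


class FakeGraph:
    """Offline stand-in for an authenticated Graph client (constructed data)."""

    def __init__(self):
        self.deleted = []

    def __call__(self, method, url, body=None):
        if method == "GET" and url.endswith("/registeredDevices"):
            return {"value": [{"id": "dev-attacker-1"}, {"id": "dev-alice-laptop"}]}
        if method == "GET" and url.endswith("/authentication/methods"):
            return {"value": [
                {"@odata.type": PASSWORD_TYPE, "id": "password-method-id"},
                {"@odata.type": "#microsoft.graph.microsoftAuthenticatorAuthenticationMethod",
                 "id": "auth-alice-phone"},
                {"@odata.type": "#microsoft.graph.phoneAuthenticationMethod",
                 "id": "phone-added-by-attacker"},
            ]}
        if method == "DELETE":
            self.deleted.append(url.rsplit("/", 1)[-1])
        return {}


if __name__ == "__main__":
    for method, path in lock_out_attacker(FakeGraph(), "alice@example.org"):
        print(method, path)
```

Deleting a registered device object is blunt: on a company-managed, joined machine it breaks enrolment, so filter registeredDevices down to the unrecognised ones before running this against a real user. Revoking sessions also signs the user out of their own devices, which is expected and is why the page says to re-add devices and MFA afterwards.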

Report the attack to CERT NZ (optional but recommended)

You can report attacks to CERT NZ via their reporting form.
