A sophisticated phishing campaign is exploiting fake Microsoft SharePoint notifications to distribute the Xloader malware.
This malicious operation, recently intercepted by Sublime Security, highlights the growing threat of cybercriminals leveraging legitimate platforms to bypass traditional defenses.
The attack begins with a deceptive email mimicking a legitimate SharePoint file-sharing notification. The email includes an “Open files” link, complete with authentic-looking Microsoft branding and logos.
Upon clicking the link, victims are directed to a malicious .zip file hosted outside SharePoint. This file contains an executable disguised as a document, which ultimately delivers the Xloader malware.
Sublime’s detection systems flagged this email as malicious due to several indicators:
- Brand impersonation: The email used Microsoft’s logo and a fake SharePoint template.
- Suspicious links: The embedded "Open files" URL redirected to a non-SharePoint domain hosting a malicious file.
- Sender anomalies: The sender failed SPF (Sender Policy Framework) authentication, and the domain did not match legitimate Microsoft services.
- Credential theft tactics: The email language aimed to deceive users into divulging sensitive information.
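As an added illustration, not Sublime's detection logic or code from the original article, the following Python sketch applies the indicators listed above (brand impersonation, off-brand links, SPF failure) to two constructed sample messages; the trusted-domain list, the Authentication-Results wording and the two-indicator threshold are assumptions.

```python
import re
from urllib.parse import urlparse

# Assumed list of genuine Microsoft file-sharing domains for this example.
TRUSTED_DOMAINS = ("microsoft.com", "sharepoint.com", "sharepointonline.com", "office.com")
BRAND_TERMS = ("sharepoint", "microsoft", "onedrive")
RISKY_EXTENSIONS = (".zip", ".rar", ".7z", ".iso", ".exe", ".scr", ".js")

def is_trusted(host: str) -> bool:
    """Exact trusted domain or a subdomain of one; 'evil-sharepoint.com' must not match."""
    host = (host or "").lower()
    return any(host == d or host.endswith("." + d) for d in TRUSTED_DOMAINS)

def analyze(msg: dict) -> list:
    """Return the names of the indicators that fire for one parsed message."""
    findings = []
    sender_domain = msg["from"].rsplit("@", 1)[-1]
    brand_mentioned = any(t in (msg["subject"] + " " + msg["body"]).lower() for t in BRAND_TERMS)
    # Brand impersonation: Microsoft/SharePoint wording from a non-Microsoft sender domain.
    if brand_mentioned and not is_trusted(sender_domain):
        findings.append("brand_impersonation")
    # Sender anomaly: SPF failed in the (assumed) Authentication-Results header text.
    if re.search(r"\bspf=fail\b", msg["auth_results"], re.IGNORECASE):
        findings.append("spf_fail")
    # Suspicious links: 'Open files' links that leave Microsoft infrastructure or fetch archives/executables.
    for url in re.findall(r'href="([^"]+)"', msg["body"]):
        parsed = urlparse(url)
        if brand_mentioned and not is_trusted(parsed.hostname):
            findings.append("link_to_non_sharepoint_domain")
        if parsed.path.lower().endswith(RISKY_EXTENSIONS):
            findings.append("link_to_archive_or_executable")
    return findings

def verdict(findings: list) -> str:
    """Two or more independent indicators are treated as malicious (threshold is an assumption)."""
    return "malicious" if len(findings) >= 2 else ("suspicious" if findings else "clean")

# Constructed sample messages, not data from the reported campaign.
PHISH = {"from": "share@sharepoint-files.example", "auth_results": "spf=fail (sender IP not authorized)",
         "subject": "Document shared with you",
         "body": 'A file was shared via SharePoint. <a href="https://dl.example/Contract.zip">Open files</a>'}
LEGIT = {"from": "no-reply@sharepointonline.com", "auth_results": "spf=pass",
         "subject": "Document shared with you",
         "body": 'View in SharePoint: <a href="https://contoso.sharepoint.com/sites/fin/Contract.docx">Open</a>'}

if __name__ == "__main__":
    for name, msg in (("PHISH", PHISH), ("LEGIT", LEGIT)):
        print(name, verdict(analyze(msg)), analyze(msg))
```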
Xloader: A Dangerous Payload
Xloader, a rebranded version of the Formbook malware, is an advanced information stealer targeting Windows and macOS systems.
It can harvest user credentials, record keystrokes, capture screenshots, and steal data from browsers and email clients.
Xloader employs obfuscation techniques and multiple layers of encryption to evade detection, making it particularly challenging for security tools to identify.
In this case, Sublime’s analysis revealed that the malware was delivered through a complex chain involving obfuscated code, AutoIT scripts, shellcode injections, and process hijacking.
Researchers identified strong links between this attack’s initial loader component and TrickGate, another known malware loader.
This campaign exemplifies attackers exploiting trusted platforms like SharePoint to disguise their malicious activities.
By leveraging legitimate services for phishing attacks, cybercriminals can bypass security filters and increase the likelihood of success.
Such tactics are part of a broader trend known as “living-off-trusted-sites” (LOTS), where attackers use familiar platforms to blend in with normal network traffic.
To mitigate risks from such attacks:
- Verify emails: Be cautious of unexpected file-sharing notifications, especially from unknown senders.
- Inspect links: Always check URLs for legitimacy before clicking.
- Enable multi-factor authentication (MFA): Add an extra layer of security to accounts.
- Educate employees: Conduct regular training on recognizing phishing attempts.
- Deploy robust security solutions: Use advanced email filtering and endpoint protection tools capable of detecting sophisticated threats.
As phishing campaigns grow more sophisticated, vigilance and proactive measures are essential to safeguard sensitive information and prevent breaches.