Deceptively genuine emails sent via the Microsoft SharePoint platform are currently causing a new wave of phishing. The Federal Office for Cybersecurity warns that the attacks are technically sophisticated and can even bypass two-factor authentication.

The scam uses genuine Microsoft pages and works in real time, which means that two-factor authentication can also be bypassed.

The Confederation advises particular caution with unexpected file shares and warns against entering access data via e-mail links.

In recent weeks, the Federal Office for Cybersecurity (BACS) has received several reports of suspicious emails. These claim that a known person has shared a document via the Microsoft SharePoint platform. The link it contains actually leads to the real SharePoint page - a fact that makes the fraud particularly difficult to detect.

As the BACS writes in its latest weekly review, phishing emails are now much more professionally designed. Modern translation tools prevent noticeable language errors, and sender addresses are also easy to forge. Often, only the link itself remains as a possible indication of an attack - and it is precisely this that is now being manipulated in a targeted manner.

How the new scam works

The attack begins with an automated SharePoint invitation. If the victim clicks on the link, a legitimate Microsoft login page opens. The e-mail address is entered there, after which the affected person actually receives a one-time code from Microsoft.

Only in the next step does the actual fraud take place: within SharePoint there is another link to an alleged PDF document. When it is opened, a login is requested again - but this time on a manipulated page. This is what is known as real-time phishing: the access data entered and the second authentication factor are captured in real time and misused immediately.
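The BACS notes that the link is often the only remaining indicator, and in this scam the first link is genuine while the second hop leads to the manipulated page. The following Python snippet is an added example, not part of the BACS report or this article: it pulls every URL out of a message and flags hosts that are not under an allowlist of Microsoft domains. The allowlist, the sample email and the lookalike hosts are constructed for illustration; the matching deliberately compares DNS labels so that `sharepoint.com.something.example` and a `user@host` trick in the URL are not mistaken for a Microsoft host.

```python
import re
from urllib.parse import urlparse

# Constructed allowlist (assumption: adjust to the domains your tenant actually uses).
TRUSTED_SUFFIXES = ("sharepoint.com", "microsoftonline.com", "microsoft.com", "office.com")

# Matches http(s) URLs up to whitespace or a quote/angle bracket.
URL_RE = re.compile(r"https?://[^\s<>\"']+", re.IGNORECASE)

# Constructed sample message modelled on the flow described above: one genuine
# SharePoint link followed by two lookalike links to a fake "PDF" login page.
SAMPLE_EMAIL = """Hi, Anna Muster shared "Q3_Report.pdf" with you.
Open: https://contoso-my.sharepoint.com/personal/anna_muster/Documents/Q3_Report.pdf
If you have trouble, use https://login.microsoftonline.com@sharepoint-docs.example/auth
or https://sharepoint.com.verify-login.example/pdf/view."""


def host_is_trusted(host, suffixes=TRUSTED_SUFFIXES):
    """Label-wise suffix match: 'contoso-my.sharepoint.com' is trusted,
    'sharepoint.com.verify-login.example' is not."""
    host = host.lower().rstrip(".")
    return any(host == s or host.endswith("." + s) for s in suffixes)


def classify_links(text):
    """Return a list of (url, host, trusted) for every http(s) URL in the text.

    urlparse().hostname drops any 'user@' prefix, so a URL such as
    https://login.microsoftonline.com@evil.example/ is attributed to evil.example."""
    results = []
    for match in URL_RE.finditer(text):
        url = match.group(0).rstrip(".,;)")  # drop trailing sentence punctuation
        host = urlparse(url).hostname or ""
        results.append((url, host, host_is_trusted(host)))
    return results


def untrusted_links(text):
    """Only the URLs whose host is outside the allowlist."""
    return [url for url, _host, trusted in classify_links(text) if not trusted]


if __name__ == "__main__":
    for url, host, trusted in classify_links(SAMPLE_EMAIL):
        print(("OK      " if trusted else "SUSPECT ") + host + "  " + url)
```

The check only separates Microsoft hosts from everything else; it cannot tell a genuine SharePoint share from one created in a compromised account, which is why the BACS advice about unexpected file shares still applies even when the first link is real.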

Targeted attacks on companies

According to BACS, many of these phishing attempts are targeted at companies. The attackers use publicly available information from company websites or previously compromised Microsoft accounts, or they send the invitations indiscriminately.

In one case reported to the BACS, there was no recognizable relationship between sender and recipient.