[BreachExchange] Phishing attack targets DocuSign and SharePoint users

Sophia Kingsbury sophia.kingsbury at riskbasedsecurity.com
Tue Jul 6 15:45:35 EDT 2021


https://www.scmagazine.com/home/security-news/phishing-attack-targets-docusign-and-sharepoint-users/

Researchers reported on Friday that cybercriminals are mimicking legitimate
correspondence to actively target popular cloud applications DocuSign and
SharePoint in phishing attacks designed to steal user log-in credentials.

In a blog post by the Bitdefender Antispam Lab, the researchers said most of the
emails use COVID-19 as a way to dupe users into clicking on a bogus
document. For example, the email will ask the user to review a “Covid 19
relief fund as approved by the board of directors.”

The Bitdefender team said the phishing attack was spotted on June 24 and
appears to have originated from the United States. The researchers said 33%
of the fake emails reached users in the United States; 26% in Ireland; 14%
in Korea; 12% in Sweden; 5% in Denmark; and 1% in Finland, the U.K., and
India.

While there are no foolproof controls, A.J. King, chief information
security officer at BreachQuest, said the top controls for preventing these
attacks include secure email gateways, multi-factor authentication and
Domain-based Message Authentication, Reporting and Conformance (DMARC).

King added that all those controls will fail from time to time, so security
teams need to invest in security awareness training so users can quickly
recognize the signs of a phish. He also said companies should install a
“Report Phish” button in the company’s email client so users can easily
report a questionable email. Security teams can integrate the button with
the company’s secure email gateway solution so that a reported email goes
through sandbox analysis, is automatically blocked and removed from the rest
of the environment if determined malicious, and triggers a notification to
the corporate security team.

“Companies should also have a security operations team, properly equipped
to monitor logs for alerts around impossible geographical travel, log-ins
from a new location, or suspicious user activity,” King said. “They can
quickly take emergency action to revoke compromised users' credentials,
reset tokens, and look for signs of further compromise.”