Invoice to Identity: How a OneDrive Phishing Campaign Tricked C-Level Executives
Tags: OneDrive Phishing, Microsoft Phishing, C-Level Targeting
This phishing campaign poses as OneDrive document shares with subjects like “Salary amendment.” The emails trick executives into clicking an “Open” button, which leads to a fake Microsoft login page that steals their credentials.

Indicators of Compromise

jointcomet.com
docphaser.com
interactdocs.com
sharedserve.com
sharedsheet.com
blenddocs.com
docutransit.com
docstackk.com
syncdocnotify.com
levitateo.com
letzdoc.com
sharinfile.com
sparfile.com
candiddocs.com
seamlessshare.com
bluedotshare.com
filealertsphere.com
sidedocuments.com
colabwithme.com
squadsdocs.com
karrofile.com
signifile.com
baccatelo.com
filersharing.com
documentreplublic.com
bizchrod.com
quotadocu.com
docutug.com
hr-fildoc.com
foliodocs.com
ventordocs.com
docsinsertio.com
suprshare.com
casualdocs.com
spdocsync.com
seenfile.com
fileagenda.com
pingarchive.com
notifydocshub.com
documentmagnet.com
unfolddocs.com
collabeam.com
doculibr.com
vivedocs.com
filecomrade.com
mergepads.com
shareinsync.com
grouperdocs.com
filershare.com
onpointcollab.com
documentsforall.com
stratusedit.com
pipelinedocs.com
paneldocument.com
mysharedfiling.com
outzanycy.com
docleash.com
takshare.com
huddledoc.com
documentpocket.com
wesharedocs.com

Campaign Guidance

Remediation, mitigation, notes, history and related intelligence

T1566.001 Spearphishing Attachment
ID | Data Source | Data Component | Detects
---|---|---|---
DS0015 | Application Log | Application Log Content | Monitor for third-party application logging, messaging, and/or other artifacts that may send spearphishing emails with a malicious attachment in an attempt to gain access to victim systems. Filtering based on DKIM+SPF or header analysis can help detect when the email sender is spoofed. Anti-virus can potentially detect malicious documents and attachments as they're scanned to be stored on the email server or on the user's computer. Monitor for suspicious descendant process spawning from Microsoft Office and other productivity software.
DS0022 | File | File Creation | Monitor for newly constructed files from spearphishing emails with a malicious attachment in an attempt to gain access to victim systems.
DS0029 | Network Traffic | Network Traffic Content | Monitor for clicks on phishing links leading to credential harvesting, traffic to newly registered or suspicious domains, hidden redirect chains embedded in phishing emails, or downloads of secondary payloads from phishing domains.

T1566.002 Phishing: Spearphishing Link
ID | Data Source | Data Component | Detects
---|---|---|---
DS0015 | Application Log | Application Log Content | Monitor for third-party application logging, messaging, and/or other artifacts that may send spearphishing emails with a malicious link in an attempt to gain access to victim systems. Filtering based on DKIM+SPF or header analysis can help detect when the email sender is spoofed. URL inspection within email (including expanding shortened links and identifying obfuscated URLs) can help detect links leading to known malicious sites.
DS0022 | File | File Creation | Monitor and analyze SSL/TLS traffic patterns and packet inspection associated to protocol(s) that do not follow the expected protocol standards and traffic flows (e.g. extraneous packets that do not belong to established flows, gratuitous or anomalous traffic patterns, anomalous syntax, or structure).

T1204 User Execution: Malicious Link
ID | Data Source | Data Component | Detects
---|---|---|---
DS0029 | Network Traffic | Network Traffic Content | Monitor and analyze SSL/TLS traffic patterns and packet inspection associated to protocol(s) that do not follow the expected protocol standards and traffic flows (e.g. extraneous packets that do not belong to established flows, gratuitous or anomalous traffic patterns, anomalous syntax, or structure).
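
The DS0015 (Application Log) and DS0029 (Network Traffic) guidance above boils down to two checks a defender can script: match inbound mail on the lure subject, SPF/DKIM failure and links to campaign domains, and match outbound proxy traffic against the same domains. The following is an added example written for this page; it is not code from the page or from any vendor product. The domain set is copied from the Indicators of Compromise list above and the subject pattern is the "Salary amendment" lure named on the page; the proxy log layout ("timestamp user url"), the sample log lines and the sample email are constructed for illustration, and the function names are this example's own.

```python
import re
from email import message_from_string
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Domains copied verbatim from this page's Indicators of Compromise list.
CAMPAIGN_DOMAINS = frozenset("""
jointcomet.com docphaser.com interactdocs.com sharedserve.com sharedsheet.com blenddocs.com docutransit.com
docstackk.com syncdocnotify.com levitateo.com letzdoc.com sharinfile.com sparfile.com candiddocs.com
seamlessshare.com bluedotshare.com filealertsphere.com sidedocuments.com colabwithme.com squadsdocs.com
karrofile.com signifile.com baccatelo.com filersharing.com documentreplublic.com bizchrod.com quotadocu.com
docutug.com hr-fildoc.com foliodocs.com ventordocs.com docsinsertio.com suprshare.com casualdocs.com
spdocsync.com seenfile.com fileagenda.com pingarchive.com notifydocshub.com documentmagnet.com unfolddocs.com
collabeam.com doculibr.com vivedocs.com filecomrade.com mergepads.com shareinsync.com grouperdocs.com
filershare.com onpointcollab.com documentsforall.com stratusedit.com pipelinedocs.com paneldocument.com
mysharedfiling.com outzanycy.com docleash.com takshare.com huddledoc.com documentpocket.com wesharedocs.com
""".split())

# Lure subject named on the page ("Salary amendment"); matched case-insensitively.
LURE_SUBJECT = re.compile(r"salary amendment", re.IGNORECASE)

def registrable_domain(host: str) -> str:
    """Last two labels of a hostname; adequate for the .com IoCs above (no public-suffix lookup)."""
    return ".".join(host.lower().rstrip(".").split(".")[-2:])

def matches_ioc(host: str) -> bool:
    """True when host is a campaign domain or any subdomain of one."""
    host = host.lower().rstrip(".")
    return host in CAMPAIGN_DOMAINS or registrable_domain(host) in CAMPAIGN_DOMAINS

# --- DS0029 Network Traffic: proxy log scan ---
# Constructed sample lines in a minimal "timestamp user url" layout (not real logs).
SAMPLE_PROXY_LOG = """\
2024-05-02T09:14:03Z cfo.smith https://login.microsoftonline.com/common/oauth2/authorize
2024-05-02T09:15:41Z cfo.smith https://secure.docphaser.com/open?id=7a1
2024-05-02T09:15:43Z cfo.smith https://hr-fildoc.com/office/login
2024-05-02T10:02:10Z ceo.jones https://contoso.sharepoint.com/sites/finance
"""

def scan_proxy_log(text: str) -> list:
    """Return (timestamp, user, host) for every request whose host is a campaign IoC."""
    hits = []
    for line in text.splitlines():
        fields = line.split(maxsplit=2)
        if len(fields) != 3:
            continue  # skip malformed lines rather than abort the scan
        ts, user, url = fields
        host = urlsplit(url).hostname or ""
        if matches_ioc(host):
            hits.append((ts, user, host))
    return hits

# --- DS0015 Application Log: inbound email assessment ---
class _LinkCollector(HTMLParser):
    def __init__(self):
        super().__init__()
        self.links = []  # href targets of every <a> tag seen
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self.links.extend(v for k, v in attrs if k == "href" and v)

# Constructed sample message mimicking the lure described on the page (not a real capture).
SAMPLE_EMAIL = """\
From: "OneDrive" <share@jointcomet.com>
To: cfo@example.com
Subject: Salary amendment
Authentication-Results: mx.example.com; spf=fail smtp.mailfrom=jointcomet.com; dkim=none
Content-Type: text/html

<html><body><p>A document was shared with you.</p>
<a href="https://docs.jointcomet.com/open?f=salary">Open</a></body></html>
"""

def assess_email(raw: str) -> dict:
    """Flag a raw RFC 5322 message on lure subject, SPF/DKIM failure, sender domain and IoC links."""
    msg = message_from_string(raw)
    reasons, ioc_links = [], []
    if LURE_SUBJECT.search(msg.get("Subject", "")):
        reasons.append("lure-subject")
    if re.search(r"(spf|dkim)=fail", msg.get("Authentication-Results", "").lower()):
        reasons.append("auth-failure")
    sender = parseaddr(msg.get("From", ""))[1]
    if "@" in sender and matches_ioc(sender.rsplit("@", 1)[1]):
        reasons.append("sender-ioc-domain")
    for part in msg.walk():
        if part.get_content_type() != "text/html":
            continue
        html = part.get_payload(decode=True).decode(part.get_content_charset() or "utf-8", "replace")
        collector = _LinkCollector()
        collector.feed(html)
        for href in collector.links:
            host = urlsplit(href).hostname or ""
            if matches_ioc(host) and host not in ioc_links:
                ioc_links.append(host)
    if ioc_links:
        reasons.append("ioc-link")
    return {"subject": msg.get("Subject", ""), "reasons": reasons, "ioc_links": ioc_links}
```

Running `scan_proxy_log(SAMPLE_PROXY_LOG)` returns the two requests to `secure.docphaser.com` and `hr-fildoc.com` and ignores the Microsoft and SharePoint lines; `assess_email(SAMPLE_EMAIL)` returns all four reasons because the subject, the failed SPF, the sender domain and the "Open" link each match. Subdomain matching (`docs.jointcomet.com` resolving to the listed `jointcomet.com`) is deliberate, since lure links rarely use the bare registered domain; the two-label shortcut in `registrable_domain` is sufficient for a .com-only list but would need a public-suffix library for mixed TLDs.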

Observed Countries (8)

AU (649)
DE (334)
FR (718)
GB (684)
IN (564)
NL (386)
SG (738)
US (661)