Full Report
Native phishing turns trusted tools into attack delivery systems. Varonis shows how attackers weaponize Microsoft 365 apps, like OneNote & OneDrive, to send convincing internal lures and how to spot them before they spread. [...]
Analysis Summary
# Tool/Technique: Native Phishing (Leveraging M365/OneNote)
## Overview
This technique involves attackers compromising an internal M365 user account and then spreading malicious content or links organization-wide by utilizing trusted, built-in collaboration features (such as Microsoft OneNote and OneDrive file sharing) rather than relying solely on external phishing emails. This tactic, termed "native phishing," leverages internal trust to bypass traditional email security measures and lower user suspicion.
## Technical Details
- Type: Technique (Phishing/Lateral Movement)
- Platform: Microsoft 365 (M365), OneDrive, OneNote
- Capabilities: Lateral spreading within an organization; Bypassing standard email gateway scanners; Exploiting user trust in internal communications.
- First Seen: Recent incidents highlighted in the article.
## MITRE ATT&CK Mapping
- TA0001 - Initial Access
- T1566 - Phishing
- T1566.001 - Spearphishing Attachment (Used initially to gain the first foothold)
- T1566.002 - Spearphishing Link (Used in subsequent stages via shared file links)
- TA0008 - Lateral Movement
- T1078 - Valid Accounts
- T1078.004 - Cloud Accounts
- TA0011 - Command and Control
- T1071 - Application Layer Protocol (Using legitimate M365 communication channels)
## Functionality
### Core Capabilities
- **Internal Distribution:** Using a compromised M365 account to share links or files directly via OneDrive-hosted content.
- **Deceptive Notifications:** Triggering legitimate 'Folder shared link created' or 'Someone shared a file with you' emails directly from OneDrive/SharePoint, which are highly convincing.
- **Using OneNote as a Lure:** Embedding malicious URLs or files within Microsoft OneNote documents. Security tools often give OneNote less scrutiny because it does not support VBA macros, so the lure sidesteps macro-focused checks such as Protected View.
### Advanced Features
- **Trust Exploitation (Vibe-Scamming):** Blending default-trusted tools (M365 suite) with social engineering to create a seemingly legitimate attack path.
- **Phishing Chain Integration:** Using the initial internal link delivery to direct victims to credential harvesting sites built quickly using accessible, often free, no-code platforms.
## Indicators of Compromise
- File Hashes: N/A (Focus is on native file sharing events)
- File Names: Malicious OneNote files residing in the compromised user's personal OneDrive Documents folder.
- Registry Keys: N/A
- Network Indicators: Links redirecting users to credential harvest pages hosted on platforms like **flazio[.]com**, **clickfunnels[.]com**, or **jotform[.]com** (for secondary phishing pages).
- Behavioral Indicators: Unusually high spike in 'Folder shared link created' events originating from a compromised user account compared to historical 90-day activity.
## Associated Threat Actors
- Not attributed to a specific group; the article refers generally to an emerging generation of threat actors that leverages AI and no-code platforms for efficiency.
## Detection Methods
- Signature-based detection: Low effectiveness against the native sharing mechanism itself.
- Behavioral detection: Monitoring for unusual 'Folder shared link created' event volumes from internal accounts. Monitoring for redirects from legitimate M365 documents to external, known phishing/no-code hosting sites.
- YARA rules: Not specified for the technique, but potentially applicable to document content hosted on OneDrive.
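As an added illustration of the behavioral detection above (example code, not from the Varonis article), the following Python scores each user's 'Folder shared link created' volume for the current day against their own 90-day baseline and checks extracted link targets against the no-code hosts listed under Indicators of Compromise. The audit-record layout, the thresholds and the sample records are assumptions constructed for this example.

```python
from collections import defaultdict
from datetime import datetime, timedelta
from urllib.parse import urlparse

# Secondary phishing-page hosts named in the report (defanged there as x[.]com).
SUSPECT_HOSTS = {"flazio.com", "clickfunnels.com", "jotform.com"}
BASELINE_DAYS = 90     # history window the behavioral indicator compares against
MIN_EVENTS = 10        # absolute floor so 0 -> 2 links/day is not a "spike"
SPIKE_FACTOR = 5       # flag when today's count exceeds 5x the baseline daily mean
DEMO_NOW = datetime(2024, 6, 1, 12, 0)   # fixed clock for the constructed sample

def is_suspect_host(url):
    """True if a link's host is one of the no-code platforms (or a subdomain)."""
    host = (urlparse(url).hostname or "").lower()
    return any(host == h or host.endswith("." + h) for h in SUSPECT_HOSTS)

def sharing_spikes(records, now):
    """records: (timestamp, user, event) tuples from an audit export (assumed layout).
    Returns {user: (today_count, baseline_daily_mean)} for users whose
    'Folder shared link created' volume today far exceeds their 90-day norm."""
    today_start = now.replace(hour=0, minute=0, second=0, microsecond=0)
    baseline_start = today_start - timedelta(days=BASELINE_DAYS)
    today, past = defaultdict(int), defaultdict(int)
    for ts, user, event in records:
        if event != "Folder shared link created":
            continue
        if ts >= today_start:
            today[user] += 1
        elif ts >= baseline_start:
            past[user] += 1
    flagged = {}
    for user, count in today.items():
        mean = past[user] / BASELINE_DAYS
        # A user with no history still needs MIN_EVENTS links to be flagged.
        if count >= MIN_EVENTS and count > SPIKE_FACTOR * max(mean, 1 / BASELINE_DAYS):
            flagged[user] = (count, round(mean, 3))
    return flagged

def sample_records(now):
    """Constructed audit records: alice shares ~1 folder/day for 90 days and then
    40 in the last hour (compromised); bob shares daily and stays normal."""
    ev = "Folder shared link created"
    recs = [(now - timedelta(days=d), u, ev) for d in range(1, BASELINE_DAYS + 1)
            for u in ("alice", "bob")]
    recs += [(now - timedelta(minutes=m), "alice", ev) for m in range(40)]
    recs += [(now - timedelta(minutes=m), "bob", ev) for m in range(3)]
    return recs
```

Running `sharing_spikes(sample_records(DEMO_NOW), DEMO_NOW)` flags only alice; in practice the baseline should be per user, since a steady heavy sharer such as bob is not anomalous at the same absolute count.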
## Mitigation Strategies
- **Enforce MFA and Conditional Access:** Critically important to prevent account takeover and limit damage if credentials are stolen.
- **Review and Tighten M365 Sharing Settings:** Limit excessive external and internal file exposure privileges.
- **Set Alerts for Unusual File Sharing Behavior:** Configure monitoring for anomalous creation of sharing links by specific users.
- **Security Awareness Training:** Focus training to specifically address internal phishing originating from trusted platforms (OneNote, OneDrive shared links) rather than just external emails.
- **Make Reporting Easy:** Ensure clear and accessible channels for users to report suspicious internal activity.
## Related Tools/Techniques
- **Phishing Landing Pages:** Flazio, ClickFunnels, JotForm (used to build convincing, quickly deployed replica login portals).
- **Delivery Vehicle:** Microsoft OneNote (chosen for its lack of built-in VBA macro scrutiny).
- **Lateral Spread Mechanism:** Native M365 file sharing features (OneDrive).