Microsoft Visio files used to conduct dangerous phishing attacks
- Scammers integrate malicious links into Microsoft Visio files
- The files are distributed via compromised email accounts
- The goal of the campaign is to steal Microsoft 365 credentials
Security researchers at Perception Point have discovered a new two-step phishing campaign that aims to steal people’s Microsoft 365 credentials. It includes compromised email accounts, compromised SharePoint accounts, and some convincing (but fake) purchase orders.
The attack starts with a compromised Microsoft SharePoint account, to which the criminals upload a file created with Microsoft Visio, the company’s tool for drawing professional charts and diagrams, which saves its files with the .VSDX extension.
The scammers would embed a malicious URL in this file that leads to a fake Microsoft 365 login page. Victims who get this far usually try to log into their accounts, thus sharing the login details with the attackers.
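A .VSDX file is an Office Open Packaging (zip) container, so a mail gateway or analyst can inspect it for embedded hyperlinks without opening it in Visio. The following added example (not code from the original article or from Perception Point) builds a constructed .vsdx in memory that mimics where Visio stores shape hyperlinks, extracts every link address, and flags those pointing outside an assumed allowlist of trusted domains.

```python
import io
import zipfile
import xml.etree.ElementTree as ET
from urllib.parse import urlparse

# Namespace used by Visio 2013+ XML parts inside a .vsdx package.
VISIO_NS = "http://schemas.microsoft.com/office/visio/2012/main"


def extract_vsdx_links(data: bytes) -> list[str]:
    """Return every hyperlink address found in the Visio XML parts of a .vsdx.

    Shape hyperlinks live in <Section N="Hyperlink"> rows whose
    <Cell N="Address" V="..."/> carries the target URL.
    """
    links = []
    with zipfile.ZipFile(io.BytesIO(data)) as package:
        for name in package.namelist():
            if not (name.startswith("visio/") and name.endswith(".xml")):
                continue
            root = ET.fromstring(package.read(name))
            for section in root.iter(f"{{{VISIO_NS}}}Section"):
                if section.get("N") != "Hyperlink":
                    continue
                for cell in section.iter(f"{{{VISIO_NS}}}Cell"):
                    if cell.get("N") == "Address" and cell.get("V"):
                        links.append(cell.get("V"))
    return links


def suspicious_links(links: list[str], allowed_domains: list[str]) -> list[str]:
    """Flag absolute URLs whose host is not (a subdomain of) an allowed domain."""
    flagged = []
    for url in links:
        host = (urlparse(url).hostname or "").lower()
        if not host:
            continue  # relative or in-document link, nothing to resolve
        if not any(host == d or host.endswith("." + d) for d in allowed_domains):
            flagged.append(url)
    return flagged


def build_sample_vsdx(address: str) -> bytes:
    """Construct a minimal .vsdx with one shape carrying a hyperlink (sample data)."""
    page = (
        f'<PageContents xmlns="{VISIO_NS}"><Shapes><Shape ID="1" Type="Shape">'
        '<Section N="Hyperlink"><Row N="Row_1">'
        f'<Cell N="Address" V="{address}"/>'
        '<Cell N="Description" V="View Purchase Order"/>'
        '</Row></Section></Shape></Shapes></PageContents>'
    )
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as package:
        package.writestr("[Content_Types].xml", "<Types/>")
        package.writestr("visio/pages/page1.xml", page)
    return buf.getvalue()
```

Real attachments may also carry hyperlinks in master shapes or document-level parts, which the same loop covers since it scans every XML part under `visio/`.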
Misusing people’s email accounts
The attackers would then compromise someone’s email account and use it to spread the phishing messages. Because these emails would come from otherwise legitimate sources, they are likely to pass email security measures. The content of the message itself consists of your usual phishing content, sharing a fake purchase order or something similar.
In some cases, the scammers also attached another email message (as .EML files), all in an attempt to hide the malicious intent lurking in the SharePoint account. To further evade detection, the crooks have added a new layer to the Visio file itself: the call to action leading to the fake login page can only be clicked while holding down the Control (CTRL) key on the keyboard.
“Requesting the Ctrl key input relies on a simple interaction that a human user can perform, effectively bypassing automated systems that are not designed to replicate such behavior,” Perception Point explains in its research.
We don’t know exactly how many companies were targeted or fell victim to this attack, but researchers claim it is in the hundreds, and spread around the world.