AMARU is aware of a multi-stage phishing campaign currently impacting New Zealand organisations, active since at least 05 June 2024.
Compromised user accounts are being used to send phishing emails which may originate from trusted or known contacts. These are being sent via Microsoft OneDrive/SharePoint sharing invitations, in an effort to redirect users to malicious websites and harvest credentials or session tokens.
Organisations are urged to monitor for this activity and remind their staff to be vigilant of any sharing links received, especially from external domains. Additionally, consider any further security controls which may be applied to help mitigate this activity.
The following Microsoft blog post provides advice on how to detect and mitigate this type of activity.
Additional resources:
Token tactics: How to prevent, detect, and respond to cloud token theft | Microsoft Security Blog
If your organisation has seen or does see evidence of compromise related to this activity, please contact [email protected]
About AMARU
AMARU is New Zealand’s leading information security and compliance service provider, offering end-to-end managed cyber security services across Australia and New Zealand. Contact us to find out how AMARU can help you manage and maintain your cybersecurity posture.
