Cyber Security Alert: Phishing campaign impacting NZ organisations

The NCSC is aware of a multi-stage phishing campaign currently impacting New Zealand organisations, active since at least 05 June 2024.

Compromised user accounts are being used to send phishing emails which may originate from trusted or known contacts. These are being sent via Microsoft OneDrive/SharePoint sharing invitations, in an effort to redirect users to malicious websites and harvest credentials or session tokens.

Organisations are urged to monitor for this activity and remind their staff to be vigilant of any sharing links received, especially from external domains. Additionally, consider any further security controls which may be applied to help mitigate this activity.

The following Microsoft blog(external link) post provides advice on how to detect and mitigate this type of activity.

Additional resources:

Token tactics: How to prevent, detect, and respond to cloud token theft | Microsoft Security Blog(external link)

From cookie theft to BEC: Attackers use AiTM phishing sites as entry point to further financial fraud | Microsoft Security Blog(external link)

If your organisation has seen or does see evidence of compromise related to this activity, please contact ncscincidents@ncsc.govt.nz.

Received an alert or advisory from both CERT NZ and NCSC? At present, we use both brands and a range of distribution mechanisms to ensure everyone continues to receive the information they need. Behind the scenes, our teams continue to work together to share insights and align our guidance.

For more NCSC NZ updates, follow us on LinkedIn(external link).