Alert: TeamTycoon’s Latest SharePoint-Themed Credential Phishing


The hacking group TeamTycoon has released a new phishing theme impersonating Microsoft SharePoint. In this campaign, users are presented with a fake SharePoint page displaying downloadable files. When a user clicks “Download,” they are prompted to enter their email and password.

The phishing page is well-crafted: it mimics Microsoft's design, uses smooth page transitions, and sits behind a fake Cloudflare verification screen that lends it extra legitimacy. This highlights the evolving tactics cybercriminals use to steal credentials and bypass traditional defenses.

You Should Know:

1. Detecting Phishing URLs

Use these commands to analyze suspicious URLs:

  • Linux (curl + whois):
    curl -I "https://suspicious-url.com"
    whois suspicious-url.com

  • Windows (PowerShell):
    Invoke-WebRequest -Uri "https://suspicious-url.com" -Method Head

2. Analyzing Fake Cloudflare Protection

Check the TLS certificate (pass `-servername` so the SNI-selected certificate is returned, and redirect stdin so `s_client` exits instead of waiting for input):

openssl s_client -connect suspicious-url.com:443 -servername suspicious-url.com </dev/null 2>/dev/null | openssl x509 -noout -text

3. Checking for Phishing Domains

Use the PhishTank API (install `jq` for JSON parsing; PhishTank expects a User-Agent of the form `phishtank/<your-username>`, shown here as a placeholder):

curl -s -A "phishtank/<your-username>" "https://checkurl.phishtank.com/checkurl/" -d "url=http://suspicious-url.com" -d "format=json" | jq

4. Email Header Analysis

If the phish arrives via email, save the message as an `.eml` file (e.g. Gmail's "Show original" > "Download Original") and extract the relay chain; read the `Received:` lines bottom-up, since each relay prepends its own:

  • Linux:
    grep -i "^received: from" email.eml

  • Windows (Command Prompt; `/c:` keeps the two words as one search string):
    findstr /i /c:"received: from" email.eml
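To go a step beyond grepping, the same header analysis can be automated. The following is an added example, not part of the original report: it parses a constructed (not real) SharePoint-themed lure with Python's standard `email` module, orders the `Received:` hops into transit order, pulls out the originating IP literal, and flags the two classic phishing tells, a header `From:` domain that differs from the envelope `Return-Path` and a claimed sender domain that never appears in the relay path. All hostnames, IPs and domains in the sample are assumptions chosen from documentation ranges.

```python
import re
import email
from email import policy
from email.utils import parseaddr

# Constructed sample (not a real capture): a SharePoint-themed lure whose visible
# From: domain matches neither the envelope sender nor any relay in the path.
SAMPLE_EML = """\
Return-Path: <bounce@mailer-example.test>
Received: from mx.corp.example (mx.corp.example [203.0.113.10])
\tby inbox.corp.example with ESMTPS; Mon, 3 Mar 2025 10:00:05 +0000
Received: from relay.mailer-example.test (relay.mailer-example.test [198.51.100.7])
\tby mx.corp.example with ESMTP; Mon, 3 Mar 2025 10:00:03 +0000
Received: from unknown (HELO sharepoint-share.test) ([192.0.2.44])
\tby relay.mailer-example.test with SMTP; Mon, 3 Mar 2025 10:00:01 +0000
From: "Microsoft SharePoint" <no-reply@sharepoint-notify.example>
Subject: A document was shared with you

Someone shared a file with you. Download: https://suspicious-url.com/share
"""
HOP_RE = re.compile(r"from\s+(?P<from>\S+)(?P<rest>.*?)\s+by\s+(?P<by>\S+)", re.I)
IP_RE = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")

def parse_hop(value):
    """One Received: value -> claimed sender, receiving host, first IP literal before 'by'."""
    flat = " ".join(str(value).split())  # unfold continuation lines
    m = HOP_RE.search(flat)
    if not m:
        return {"from": None, "by": None, "ip": None}
    ip = IP_RE.search(m.group("rest"))
    return {"from": m.group("from"), "by": m.group("by"), "ip": ip.group(1) if ip else None}

def addr_domain(header):
    return parseaddr(str(header or ""))[1].rpartition("@")[2].lower()

def analyze(raw):
    msg = email.message_from_string(raw, policy=policy.default)
    # Each relay prepends its Received: line, so reverse to get transit order:
    # hops[0] is the originating system, hops[-1] the final delivery.
    hops = [parse_hop(v) for v in reversed(msg.get_all("Received", []))]
    from_domain, rp_domain = addr_domain(msg["From"]), addr_domain(msg["Return-Path"])
    in_path = bool(from_domain) and any(from_domain in f"{h['from']} {h['by']}" for h in hops)
    return {
        "hops": hops,
        "origin_ip": hops[0]["ip"] if hops else None,
        "from_domain": from_domain,
        "return_path_domain": rp_domain,
        "envelope_mismatch": from_domain != rp_domain,  # header From vs Return-Path
        "from_domain_in_path": in_path,  # did the claimed sender domain ever relay it?
    }

if __name__ == "__main__":
    for key, val in analyze(SAMPLE_EML).items():
        print(f"{key}: {val}")
```

Neither flag alone proves phishing (mailing-list and bulk-mail services legitimately differ from the From: domain), but together with an unknown first hop they are strong triage signals worth routing to SPF/DKIM/DMARC checks.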
    

5. Blocking Malicious Domains

Add to `/etc/hosts` (Linux) or `C:\Windows\System32\drivers\etc\hosts` (Windows):

0.0.0.0 suspicious-url.com 

6. Simulating Phishing Attacks (For Defense Testing)

Use GoPhish (open-source phishing framework):

sudo apt install golang -y 
git clone https://github.com/gophish/gophish.git 
cd gophish 
go build 

7. Monitoring Network Traffic

Capture web traffic with tcpdump (port 80 yields readable HTTP requests; on port 443 only the TLS handshake metadata, such as the SNI hostname, is visible without decryption):

sudo tcpdump -i eth0 -w phishing_capture.pcap port 80 or port 443

What Undercode Says

TeamTycoon's SharePoint phishing campaign demonstrates how attackers exploit trust in SaaS platforms. Defenders must:
– Verify TLS certificates (e.g., with openssl).
– Train users to spot fake login prompts.
– Deploy email filters (e.g., SpamAssassin).
– Monitor DNS queries (dnstop on Linux).
– Automate phishing analysis with tools like UrlScan.io.

Expected Output (illustrative response headers from the `curl -I` check; a genuine Cloudflare front end returns `server: cloudflare`):

HTTP/2 200
server: fake-cloudflare
x-powered-by: PHP/7.4


References:

Reported By: Nguyen Nguyen – Hackers Feeds