Summary:
A campaign has been uncovered by researchers at Netcraft, where actors are using compromised email accounts to send phishing emails to existing contacts. These emails contain shortened URL links (generated using the autode[.]sk URL shortener) that lead to malicious PDF documents hosted on Autodesk Drive, a data-sharing platform. Opening the PDF document presents the end user with a huge “VIEW DOCUMENT” button, which when clicked, redirects to a phishing site designed to impersonate Microsoft’s login form. If the victim falls for the lure and enters their credentials, they are then redirected to a book about real estate investment hosted on Microsoft’s OneDrive. “This may give the victim the impression that this was the document they were intended to receive, possibly leaving them oblivious to the fact that their own Microsoft account has just been compromised,” note researchers at Netcraft.

Security Officer Comments:
The latest campaign seems to be targeted in nature and exploits the existing trust the victim has with the alleged sender. According to researchers at Netcraft, the phishing emails use the compromised user’s real email signature footer and other contact details. Furthermore, the PDF documents also include the sender’s name and the company they work for. Given that the email is coming from a sender that the recipient recognizes and would expect to see, the victim is much more likely to click on the shared document and enter their credentials on the fake login page. With access to Microsoft login credentials, the actors can then gain access to sensitive company data and send even more targeted phishing emails from the compromised Microsoft accounts.

Suggested Corrections:
BEC attacks are harder to defend against than traditional phishing. Because communications are coming from trusted and expected partners, employees will be more likely to fall victim to attacks. In general, users should avoid requests that prey on emotions or arouse a sense of urgency. While emails may be coming from a trusted sender, spelling mistakes and bad grammar seen in normal phishing emails may still be present. To avoid falling victim to BEC yourself, multifactor authentication is recommended on all email accounts. Users should also monitor leaked websites and leverage security tools that monitor for stolen or leaked credentials.

Link(s):
https://www.netcraft.com/blog/autodesk-hosting-pdf-files-used-in-microsoft-phishing-attacks/