File Hosting Services Misused for Identity Phishing

Summary:
Actors are increasingly misusing legitimate file hosting services in campaigns intended to conduct identity phishing, commonly leading to business email compromise attacks. SharePoint, OneDrive, and Dropbox are some of the common services being exploited. With such services being widely used by organizations for storing, sharing, and collaborating on files, actors seek to exploit the trust and familiarity associated with these services to trick end users into clicking on malicious links or attachments, with the end goal of compromising credentials and other authentication data.

In the latest campaigns observed by Microsoft, the attack chain begins with the compromise of a user at a trusted vendor via a password spray or AiTM attack. Those credentials are then used to sign into the user’s file-hosting application (SharePoint, OneDrive, Dropbox, etc.). The actor then creates a malicious file in that user’s file hosting application and shares it with a group of targeted recipients. When the file is shared, an automated email notification is typically sent to each recipient with a link to access the file.

“This email is not a phishing email but a notification for the user about the sharing action. In scenarios involving SharePoint or OneDrive, the file is shared from the user’s context, with the compromised user’s email address as the sender. However, in the Dropbox scenario, the file is shared from no-reply@dropbox[.]com. The files are shared through automated notification emails with the subject: ‘<User> shared <document> with you,’” states Microsoft.

According to Microsoft, actors have deployed the following techniques to evade detection by email security solutions:
  • Only the intended recipient can access the file.
    • In this case, the user is prompted to verify their identity by providing their email address.
    • The intended recipient then needs to re-authenticate via a one-time password (OTP).
    • The file is accessible only for a limited time window.
  • The PDF shared in the file cannot be downloaded.

“Once the OTP is submitted, the user is successfully authorized and can view a document, often masquerading as a preview, with a malicious link, which is another lure to make the targeted user click the ‘View my message’ access link. This link redirects the user to an adversary-in-the-middle (AiTM) phishing page, where the user is prompted to provide the password and complete multifactor authentication (MFA). The compromised token can then be leveraged by the threat actor to perform the second stage BEC attack and continue the campaign,” states Microsoft.

Security Officer Comments:
Because organizations typically add trusted vendors to their email allow lists, phishing emails sent from a compromised vendor account are delivered successfully. The hosted files observed in the latest campaign use familiar topics drawn from existing conversations between the vendor and the targeted organization. For example, if the two organizations have prior interactions related to an audit, the shared files could be named “Audit Report 2024”. When the shared files do not come from a trusted vendor, the actors instead masquerade as IT support or help desk personnel and create a sense of urgency with file names such as “Urgent:Attention Required” and “Compromised Password Reset”. Overall, by employing such lures and hosting the malicious files on platforms like SharePoint, OneDrive, and Dropbox that organizations already use daily, end users are more likely to fall victim and have their email accounts compromised.
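The notification emails described above are not themselves malicious, so a mail filter has little to go on; what an analyst can do is triage them after delivery. The script below is an added example (not Microsoft's code or anything from the advisory) that parses the "<User> shared <document> with you" subject quoted in the summary, checks the file name for the urgency and credential lures named in the comments, notes whether the sender is the Dropbox notifier or an allow-listed vendor domain, and counts how many recipients in the tenant received the same file from the same sender (the "group of targeted recipients" in the attack chain). The sample messages, the `vendor.example` / `corp.example` domains, the `LURE_TERMS` list, and the mass-share threshold of 5 are constructed assumptions for the example.

```python
import re
from collections import defaultdict

# Subject pattern of the automated sharing notification quoted in the advisory:
# "<User> shared <document> with you"
SHARE_SUBJECT = re.compile(
    r"^(?P<user>.+?) shared (?P<document>.+?) with you\s*$", re.IGNORECASE
)

# Urgency / credential-themed lure terms taken from the file names in the
# advisory ("Urgent:Attention Required", "Compromised Password Reset"); the
# exact list is an assumption and should be tuned per tenant.
LURE_TERMS = ("urgent", "attention required", "compromised", "password reset")

# Automated Dropbox sender quoted in the advisory; SharePoint/OneDrive
# notifications come from the (compromised) sharing user's own address instead.
DROPBOX_NOTIFIER = "no-reply@dropbox.com"

MASS_SHARE_THRESHOLD = 5  # assumed tuning value, not from the advisory


def parse_share_subject(subject):
    """Return (sharing user, document name) for a sharing notification, else None."""
    m = SHARE_SUBJECT.match(subject)
    return (m.group("user"), m.group("document")) if m else None


def triage(messages, trusted_vendor_domains, mass_share_threshold=MASS_SHARE_THRESHOLD):
    """Return {message_id: [reasons]} for sharing notifications worth an analyst's look.

    messages: iterable of dicts with keys id, sender, recipient, subject
    (a constructed shape; real data would come from the mail gateway or EDR).
    """
    # First pass: how many distinct recipients did each (sender, document) reach?
    fan_out = defaultdict(set)
    parsed = {}
    for msg in messages:
        p = parse_share_subject(msg["subject"])
        if p is None:
            continue  # not a sharing notification at all
        parsed[msg["id"]] = p
        fan_out[(msg["sender"].lower(), p[1].lower())].add(msg["recipient"].lower())

    findings = {}
    for msg in messages:
        if msg["id"] not in parsed:
            continue
        _, document = parsed[msg["id"]]
        sender = msg["sender"].lower()
        sender_domain = sender.rsplit("@", 1)[-1]
        reasons = []

        hits = [t for t in LURE_TERMS if t in document.lower()]
        if hits:
            reasons.append("lure terms in file name: " + ", ".join(hits))

        # Context, not a verdict: allow-listed senders are exactly what lets these
        # notifications bypass mail filtering once a vendor account is compromised.
        if sender == DROPBOX_NOTIFIER or sender_domain in trusted_vendor_domains:
            reasons.append(f"sender {sender} is allow-listed; mail filtering may have been skipped")

        recipients = len(fan_out[(sender, document.lower())])
        if recipients >= mass_share_threshold:
            reasons.append(f"same file shared with {recipients} recipients")

        # Escalate on a lure in the name or on an unusually wide share.
        if hits or recipients >= mass_share_threshold:
            findings[msg["id"]] = reasons
    return findings


# Constructed sample notifications (not real traffic).
SAMPLE_MESSAGES = [
    {"id": "m1", "sender": "alice@vendor.example", "recipient": "bob@corp.example",
     "subject": "Alice Vendor shared Audit Report 2024 with you"},
    {"id": "m3", "sender": "no-reply@dropbox.com", "recipient": "carol@corp.example",
     "subject": "IT Support shared Urgent:Attention Required with you"},
    {"id": "m4", "sender": "newsletter@shop.example", "recipient": "bob@corp.example",
     "subject": "Your weekly deals"},
] + [
    {"id": f"m2-{i}", "sender": "alice@vendor.example",
     "recipient": f"user{i}@corp.example",
     "subject": "Alice Vendor shared Compromised Password Reset with you"}
    for i in range(1, 7)
]

if __name__ == "__main__":
    for msg_id, reasons in triage(SAMPLE_MESSAGES, {"vendor.example"}).items():
        print(msg_id, "->", "; ".join(reasons))
```

Note what the example deliberately does not catch: the "Audit Report 2024" share (`m1`) looks exactly like the legitimate vendor traffic it imitates, which is the point the comments above make about context-aware lures. That case is only visible through the sign-in and sharing telemetry on the vendor's side, or through the recipient's later AiTM sign-in, so this kind of mail-side triage complements rather than replaces the identity controls listed under Suggested Corrections.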

Suggested Corrections:
Recommendations from Microsoft:
  • Enable Conditional Access policies in Entra.
  • Use identity-driven signals for sign-in evaluation.
  • Protect with compliant devices and trusted IPs.
  • Start with security defaults if needed.
  • Implement continuous access evaluation.
  • Use passwordless sign-in with FIDO2 keys.
  • Turn on network protection in Defender for Endpoint.
  • Implement Mobile Threat Defense for devices.
  • Block malicious websites with Edge and malicious emails with Defender 365.
  • Monitor suspicious activities in Entra ID Protection.
  • Investigate suspicious sign-ins.
  • Educate users on secure file-sharing risks.
Link(s):
https://www.microsoft.com/en-us/sec...sting-services-misused-for-identity-phishing/