Microsoft Warns of Increased Use of File Hosting Services in Business Email Compromise Attacks

by Ivy

Microsoft has raised alarms about a surge in cyber attack campaigns that exploit legitimate file hosting services such as SharePoint, OneDrive, and Dropbox. These platforms, commonly utilized in business environments, are being abused as part of a strategy to evade security measures and conduct Business Email Compromise (BEC) attacks. Such attacks can lead to significant financial fraud, data exfiltration, and unauthorized lateral movement within networks.

Adversaries’ Tactics

The trend of weaponizing legitimate internet services (LIS) has become an increasingly favored tactic among cybercriminals. This approach allows attackers to blend their activities with legitimate network traffic, enabling them to circumvent traditional security defenses while complicating efforts to attribute the attacks.

Microsoft has noted that since mid-April 2024, it has observed a concerning increase in phishing campaigns that utilize file hosting services. These attacks often involve sharing files that have restricted access and view-only permissions.

Phishing Attack Dynamics

These BEC attacks typically initiate with the compromise of a user account belonging to a trusted vendor. The attackers exploit this access to stage malicious files on the file hosting service, which are then shared with targeted entities. Microsoft explained, “The files sent through the phishing emails are configured to be accessible solely to the designated recipient.” This means that recipients must either be signed in to the service or authenticate themselves using a one-time password (OTP) sent via a notification service.

Files shared in these phishing schemes are set to “view-only” mode, which prevents recipients from downloading them or detecting embedded malicious URLs.

When a recipient attempts to access the shared file, they are prompted to verify their identity by providing their email address and the OTP sent to their email account. Once authorized, the recipient is directed to click on another link to view the actual content, which ultimately leads them to an adversary-in-the-middle (AitM) phishing page. This page is designed to capture their password and two-factor authentication (2FA) tokens.
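
For defenders, the chain described above can be hunted as a per-user sequence: a restricted, view-only share from an external sender is opened, the follow-up link leaves the file host, and a successful sign-in then arrives from a different IP than the one the user browsed from. The sketch below is an added example, not code from Microsoft's report or this article; the event schema, field names, 30-minute window, domain allowlist and sample events are all constructed assumptions.

```python
from datetime import datetime, timedelta

WINDOW = timedelta(minutes=30)  # assumed correlation window
# Assumed allowlist of domains for the services the article names.
FILE_HOSTS = ("sharepoint.com", "onedrive.live.com", "1drv.ms", "dropbox.com")

# Constructed sample events in a hypothetical normalized schema.
EVENTS = [
    {"t": "2024-05-02T09:00:00", "type": "share_open", "user": "alice@corp.example",
     "external_sharer": True, "view_only": True, "restricted": True, "ip": "198.51.100.10"},
    {"t": "2024-05-02T09:02:00", "type": "url_click", "user": "alice@corp.example",
     "host": "docs-login.example.net", "ip": "198.51.100.10"},
    {"t": "2024-05-02T09:03:00", "type": "signin_ok", "user": "alice@corp.example",
     "ip": "203.0.113.77"},
    # Benign: same share pattern, but the follow-up click stays on the file host.
    {"t": "2024-05-02T10:00:00", "type": "share_open", "user": "bob@corp.example",
     "external_sharer": True, "view_only": True, "restricted": True, "ip": "198.51.100.20"},
    {"t": "2024-05-02T10:01:00", "type": "url_click", "user": "bob@corp.example",
     "host": "vendor.sharepoint.com", "ip": "198.51.100.20"},
    {"t": "2024-05-02T10:05:00", "type": "signin_ok", "user": "bob@corp.example",
     "ip": "203.0.113.99"},
]

def is_file_host(host):
    return any(host == d or host.endswith("." + d) for d in FILE_HOSTS)

def find_aitm_chains(events, window=WINDOW):
    """Flag: restricted view-only external share -> off-host click -> sign-in from a new IP."""
    alerts, opens, clicked = [], {}, {}
    for e in sorted(events, key=lambda ev: ev["t"]):
        t, user = datetime.fromisoformat(e["t"]), e["user"]
        if e["type"] == "share_open":
            if e["external_sharer"] and e["view_only"] and e["restricted"]:
                opens[user] = (t, e["ip"])   # start (or restart) the chain
                clicked.pop(user, None)
        elif user in opens and t - opens[user][0] <= window:
            if e["type"] == "url_click" and not is_file_host(e["host"]):
                clicked[user] = e["host"]    # second-stage link left the file host
            elif (e["type"] == "signin_ok" and user in clicked
                  and e["ip"] != opens[user][1]):
                # A relayed sign-in reaches the identity provider from the proxy's IP.
                alerts.append({"user": user, "lure_host": clicked[user], "signin_ip": e["ip"]})
                del opens[user], clicked[user]
    return alerts

if __name__ == "__main__":
    for alert in find_aitm_chains(EVENTS):
        print(alert)
```

An IP mismatch alone is noisy (VPNs, mobile networks), so treat a hit as a lead to triage alongside the sharer's own account activity rather than as a verdict.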

Consequences of Compromise

The successful execution of these tactics allows threat actors not only to gain control over the compromised accounts but also to carry out further scams, including BEC attacks and financial fraud.

Microsoft’s Threat Intelligence team noted that while these campaigns are generic and opportunistic, they employ advanced techniques for social engineering, evasion of detection, and expanding the reach of threat actors to other accounts and tenants.

Emerging Threats and Solutions

This warning comes as Sekoia revealed a new AitM phishing kit called Mamba 2FA, which is marketed as phishing-as-a-service (PhaaS) for other cybercriminals. This kit facilitates email phishing campaigns by using HTML attachments that mimic Microsoft 365 login pages. Offered on a subscription basis for $250 per month, Mamba 2FA supports various authentication methods, including Microsoft Entra ID and third-party SSO providers. Active since November 2023, it is capable of handling non-phishing-resistant MFA methods like one-time codes and app notifications. Stolen credentials and cookies are immediately relayed to the attacker via a Telegram bot.

Conclusion

As businesses continue to rely on legitimate file hosting services, the potential for cybercriminals to exploit these platforms for malicious purposes remains high. Organizations are urged to bolster their security measures and remain vigilant against evolving threats in the cyber landscape.


© 2023 Copyright  dailytechnewsweb.com