
SharePoint, OneDrive, Dropbox are being used for financial fraud


Cybercriminals conduct sophisticated phishing campaigns by exploiting widely-used file hosting services like SharePoint, OneDrive, and Dropbox. These campaigns leverage advanced defence evasion tactics, such as restricting file access and setting view-only permissions, to bypass detection and compromise identities, often leading to business email compromise (BEC) and financial fraud.

Threat actors increasingly take advantage of the trust users place in legitimate file hosting services, sending phishing emails with links to compromised files. These services are often relied upon for secure document sharing and collaboration, but they are manipulated to deliver malicious content, which makes detection harder for traditional security measures.

Researchers note that the campaigns have become more sophisticated since April 2024, with threat actors implementing tactics like restricted access and view-only files to evade detection systems.

These phishing emails often originate from the compromised accounts of trusted vendors or known partners. They lure recipients into opening malicious files by presenting them as legitimate business documents or urgent requests.

The typical attack begins with a user within a trusted vendor’s organisation being compromised. The attacker then gains access to the user’s file hosting app, such as OneDrive or SharePoint, and creates a malicious file. This file is then shared with specific targets under the guise of a legitimate document, triggering an automated email notification that appears genuine.

Recipients must re-authenticate to view the file, often by entering their email address and a one-time password (OTP). The phishing page masquerades as the official platform, prompting users to provide credentials, which are then exploited in follow-up attacks.

Once a user’s credentials and multi-factor authentication (MFA) tokens are compromised, the threat actor can continue spreading BEC attacks or exfiltrating sensitive data.

Figure: The attack chain explained. | Source: Microsoft

“This link redirects the user to an adversary-in-the-middle (AiTM) phishing page, where the user is prompted to provide the password and complete multifactor authentication (MFA). The compromised token can then be leveraged by the threat actor to perform the second stage BEC attack and continue the campaign,” researchers said.

Unlike traditional phishing campaigns that might rely on generic links or attachments, these more sophisticated campaigns deploy tactics to reduce the likelihood of detection. Researchers have listed the following key evasion methods:

  • Restricted access files: Only the intended recipient can open the file, making it more difficult for analysts or email detonation systems to review its contents.
  • View-only permissions: The shared files are configured to be read-only, which prevents the detection of malicious embedded URLs or downloadable content.
  • Time-limited access: Files may only be accessible for a short window, further complicating analysis.

These techniques enable attackers to avoid traditional security solutions that rely on file analysis, leaving organisations vulnerable to social engineering attacks.
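Because the evasion tactics above stop an analyst or detonation sandbox from inspecting the file itself, the notification email and its metadata become the main thing a defender can still score. The following is an added example, not code from the article or from Microsoft: a small triage heuristic that rates a share notification against the indicators the article describes (external sender, link to a legitimate file hosting domain, restricted access, view-only, time-limited access, a re-authentication or one-time-code prompt, and urgency wording). The sample messages, the indicator phrases and the weights are all constructed assumptions for illustration.

```python
"""
Triage heuristic for file-sharing notification emails.

Added example (not from the article or from Microsoft). Scores a share
notification against the lure and evasion indicators the article lists so a
SOC analyst can prioritise which notifications to pull for review when the
shared file itself cannot be opened or detonated. All messages, phrase
patterns and weights below are constructed assumptions.
"""
import re
from dataclasses import dataclass, field
from urllib.parse import urlparse

# Legitimate file hosting domains named in the article. A link to one of these
# is not malicious by itself; it only matters in combination with the rest.
FILE_HOSTING_DOMAINS = ("sharepoint.com", "onedrive.live.com", "1drv.ms", "dropbox.com")

# Phrases corresponding to the tactics in the article. Weights are assumed.
INDICATORS = {
    "restricted_access": (r"only (you|the recipient) can (open|access)|access is restricted", 2),
    "view_only": (r"view[- ]only|read[- ]only", 2),
    "time_limited": (r"expires? in \d+ (hour|day)s?|link (will )?expire", 2),
    "reauth_otp": (r"one[- ]time (pass)?code|verification code|sign in again|re-?authenticate", 3),
    "urgency": (r"\b(urgent|immediately|action required|overdue)\b", 1),
}


@dataclass
class ShareNotification:
    sender: str
    subject: str
    body: str
    links: list[str] = field(default_factory=list)


@dataclass
class TriageResult:
    score: int
    hits: list[str]

    @property
    def priority(self) -> str:
        # Thresholds are assumptions; tune them against your own mail volume.
        if self.score >= 6:
            return "high"
        if self.score >= 3:
            return "medium"
        return "low"


def _is_hosting_link(url: str) -> bool:
    """True if the URL points at one of the file hosting domains above."""
    host = (urlparse(url).hostname or "").lower()
    return any(host == d or host.endswith("." + d) for d in FILE_HOSTING_DOMAINS)


def triage(msg: ShareNotification, internal_domain: str) -> TriageResult:
    """Score one notification; higher means more worth an analyst's time."""
    hits: list[str] = []
    score = 0
    text = f"{msg.subject}\n{msg.body}".lower()
    sender_domain = msg.sender.rsplit("@", 1)[-1].lower()
    # The chain in the article starts from a compromised vendor account, so a
    # notification arriving from outside the organisation gets extra weight.
    if sender_domain != internal_domain.lower():
        hits.append("external_sender")
        score += 1
    if any(_is_hosting_link(u) for u in msg.links):
        hits.append("file_hosting_link")
        score += 1
    for name, (pattern, weight) in INDICATORS.items():
        if re.search(pattern, text):
            hits.append(name)
            score += weight
    return TriageResult(score, hits)


# Constructed samples: one that matches the article's pattern, one ordinary
# internal share. Domains and paths are placeholders.
SUSPECT = ShareNotification(
    sender="accounts@vendor-example.com",
    subject="Action required: Q3 invoice shared with you",
    body=("Only you can open this view-only document. The link will expire in "
          "24 hours. Sign in again with the one-time code sent to your email."),
    links=["https://vendor-example-my.sharepoint.com/personal/shared/invoice.pdf"],
)
BENIGN = ShareNotification(
    sender="colleague@example.org",
    subject="Team offsite notes",
    body="Here are the notes from Tuesday, edit freely.",
    links=["https://example-org.sharepoint.com/sites/team/notes.docx"],
)

if __name__ == "__main__":
    for label, msg in (("suspect", SUSPECT), ("benign", BENIGN)):
        result = triage(msg, "example.org")
        print(f"{label}: priority={result.priority} score={result.score} hits={result.hits}")
```

The point of the heuristic is that none of the individual signals is conclusive: a genuine vendor does send SharePoint links, and genuine shares can be read-only. What separates the campaign described above is the stacking of restricted access, expiry and a fresh sign-in prompt on top of an external share, so the score rewards the combination rather than any single phrase. In practice the same logic would be fed from the mail gateway's headers and URL rewriting logs rather than from hand-built objects.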

To mitigate the threat from these campaigns, Microsoft has issued recommendations such as enabling conditional access policies, adopting passwordless sign-in options, deploying network protection, and educating users about the attackers’ tactics.

In August 2024, attackers deployed obj3ctivity Stealer via a Discord link phishing attack.

In July, cyber crooks were found to exploit Proofpoint servers to send millions of phishing emails. Similarly, some hacker groups used Google Cloud for credential phishing.


Kumar Hemant

Deputy Editor at Candid.Technology. Hemant writes at the intersection of tech and culture and has a keen interest in science, social issues and international relations. You can contact him here: kumarhemant@pm.me
