Microsoft Warns of Growing Abuse of File Hosting Services in Business Email Compromise Attacks
Microsoft is warning about attack campaigns that abuse legitimate file hosting services such as SharePoint, OneDrive, and Dropbox, all widely used in enterprise environments, as a way to evade defenses.
The end goals of these campaigns vary: they let threat actors compromise identities and devices and carry out business email compromise (BEC) attacks that result in financial fraud, data exfiltration, and lateral movement to other endpoints.
The use of legitimate internet services (LIS) is an increasingly popular threat vector adopted by adversaries to blend in with legitimate network traffic in a way that often bypasses conventional security controls and complicates attribution.
The approach is also known as living-off-trusted-sites (LOTS), since it exploits the trust and familiarity of these services to get past email security controls and deliver malware.
Microsoft has observed a new trend in phishing campaigns since mid-April 2024 in which attackers abuse legitimate file hosting services by sharing files with restricted access and view-only permissions.
These attacks typically begin with the compromise of a user at a trusted vendor; that access is then used to upload malicious files and payloads to the file hosting service and share them with the target organization.
“The files in the phishing emails are set up to be accessible only to the designated recipient,” the company explained. “This requires the recipient to log in to the file-sharing service – whether it’s Dropbox, OneDrive, or SharePoint – or to re-authenticate by entering their email address along with a one-time password (OTP) received via a notification service.”
In addition, the files shared in these campaigns are configured as “view-only,” which prevents the URLs embedded in the file from being identified and extracted by scanning tools.
A recipient who tries to open the shared file is first asked to verify their identity by entering their email address and a one-time password sent to that inbox.
Once authenticated, the victim is prompted to click another link to view the actual content. That link redirects them to a phishing page served through an adversary-in-the-middle (AitM) proxy, which relays the real login flow and captures their password and two-factor authentication (2FA) codes as they are entered.
This not only gives the threat actors control of the account but also lets them carry out further fraud, including BEC attacks and financial scams.
“Although these campaigns are generic and opportunistic, they utilize advanced methods to execute social manipulation, evade detection, and extend the reach of threat actors to other accounts and domains,” the Microsoft Threat Intelligence team said.
The disclosure coincides with Sekoia’s report on a new AitM phishing kit named Mamba 2FA, sold as phishing-as-a-service (PhaaS) so that other threat actors can run email phishing campaigns using HTML attachments that impersonate Microsoft 365 login pages.
Offered for $250 per month, the kit supports Microsoft Entra ID, AD FS, third-party SSO providers, and consumer accounts, and has been in active use since November 2023.
“It manages two-step verifications for MFA methods susceptible to phishing, like one-time codes and app notifications,” the French cybersecurity firm said. “The stolen login credentials and cookies are instantly transmitted to the attacker via a Telegram bot.”
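The AitM hand-off described in both passages above (the victim completes password and OTP/2FA through the attacker's reverse proxy, and the resulting session cookie is then used from the attacker's own infrastructure, as in the Mamba 2FA description) leaves two traces in identity-provider sign-in logs that a detection engineer can look for: the identity provider sees the MFA-satisfied sign-in coming from the proxy's address rather than from anywhere the user has signed in before, and the session established by that sign-in is shortly afterwards used from yet another network and client. The following Python is an added example, not Microsoft's, Sekoia's, or the kit's own code, that runs both checks over a constructed sign-in log; the pipe-delimited log schema, user names, IP addresses, AS numbers, and the 30-minute replay window are assumptions made for illustration, and neither article describes a specific log format.

```python
"""Two detections for AitM-style credential and session-cookie theft.

Assumed input: one sign-in event per line, pipe-delimited (hypothetical schema):
    timestamp|user|session_id|source_ip|asn|user_agent|mfa_or_token
'mfa'   = an interactive sign-in that completed an MFA prompt
'token' = a request authenticated only by an existing session cookie/token
"""
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass(frozen=True)
class SignIn:
    ts: datetime
    user: str
    session_id: str
    ip: str
    asn: str
    user_agent: str
    interactive_mfa: bool


def parse(line: str) -> SignIn:
    ts, user, sid, ip, asn, ua, flag = line.split("|")
    return SignIn(datetime.fromisoformat(ts), user, sid, ip, asn, ua, flag == "mfa")


# Constructed sample log. On 2024-05-01 alice signs in from her usual network.
# On 2024-05-02 she is phished: the provider records MFA succeeding from the
# attacker's proxy (203.0.113.10, a network never seen for her), and seven
# minutes later the captured cookie is replayed from a different host and a
# scripted client. bob is a control user with a normal session.
CONSTRUCTED_LOG = """\
2024-05-01T09:00:00|alice@corp.example|sess-a|198.51.100.7|AS64496|Chrome/Windows|mfa
2024-05-01T09:05:00|alice@corp.example|sess-a|198.51.100.7|AS64496|Chrome/Windows|token
2024-05-02T10:00:00|alice@corp.example|sess-b|203.0.113.10|AS64500|Chrome/Windows|mfa
2024-05-02T10:07:00|alice@corp.example|sess-b|192.0.2.44|AS64501|python-requests/2.31|token
2024-05-02T11:00:00|bob@corp.example|sess-c|198.51.100.9|AS64496|Edge/Windows|mfa
2024-05-02T11:30:00|bob@corp.example|sess-c|198.51.100.9|AS64496|Edge/Windows|token
"""


def mfa_from_unseen_asn(events):
    """Interactive MFA sign-ins from an ASN the user has never completed MFA from.

    In an AitM flow the identity provider talks to the proxy, not to the victim's
    device, so the first indicator is MFA succeeding from a new network. Users with
    no prior history are skipped; in production the baseline would be a rolling
    window (for example 30 days) rather than the whole log.
    """
    alerts = []
    for e in sorted(events, key=lambda x: x.ts):
        if not e.interactive_mfa:
            continue
        baseline = {p.asn for p in events if p.user == e.user and p.ts < e.ts and p.interactive_mfa}
        if baseline and e.asn not in baseline:
            alerts.append(e)
    return alerts


def session_replay(events, window=timedelta(minutes=30)):
    """Same session id used from a different ASN or user agent than the event that
    established it, within `window`. A cookie lifted by the proxy and replayed from
    the attacker's machine normally trips this even when the sign-in itself looked
    plausible."""
    origin = {}
    alerts = []
    for e in sorted(events, key=lambda x: x.ts):
        first = origin.setdefault(e.session_id, e)
        if e is first:
            continue
        moved = e.asn != first.asn or e.user_agent != first.user_agent
        if moved and e.ts - first.ts <= window:
            alerts.append(e)
    return alerts


def triage(log_text: str) -> dict:
    """Run both detections and return compact tuples suitable for alerting."""
    events = [parse(l) for l in log_text.splitlines() if l.strip()]
    return {
        "mfa_from_new_asn": [(e.user, e.session_id, e.asn) for e in mfa_from_unseen_asn(events)],
        "session_replay": [(e.user, e.session_id, e.ip) for e in session_replay(events)],
    }


if __name__ == "__main__":
    for kind, hits in triage(CONSTRUCTED_LOG).items():
        print(kind, hits)
```

Either detection on its own produces false positives (travel, a new VPN egress, a browser upgrade changing the user agent), so in practice the two are correlated: an MFA sign-in from a new network whose session is then used from a second new network within minutes is a strong signal that the MFA prompt was relayed rather than answered by the account owner, and is a reasonable trigger for revoking the session and resetting the credential.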