File Hosting Services Exploited for Identity Theft Phishing Attacks

Understanding the Evolving Threat Landscape: Misuse of Legitimate File Hosting Services

In the digital age, where collaboration and file sharing are integral to business operations, the rise of cyber threats exploiting legitimate file hosting services has become a pressing concern. Microsoft has recently observed a surge in campaigns that misuse platforms like SharePoint, OneDrive, and Dropbox, employing sophisticated defense evasion tactics to compromise identities and devices. This article delves into the intricacies of these campaigns, the techniques employed by threat actors, and the recommended actions organizations can take to safeguard their digital assets.

The Allure of Legitimate Hosting Services

Legitimate file hosting services are widely embraced by organizations for their convenience in storing, sharing, and collaborating on files. That same ubiquity makes them attractive delivery vehicles for cybercriminals. Because the share link points at a well-known, reputable domain and the notification email is generated by the platform itself, email and URL filters that rely on sender and domain reputation tend to let it through, and recipients extend to the message the trust they place in the service. The result is a landscape where phishing attacks are not only more frequent but also harder to distinguish from ordinary collaboration.

The Attack Chain: A Closer Look

Phishing campaigns exploiting legitimate file hosting services have gained traction in recent years, primarily because they work. These attacks often begin with the compromise of a user at a trusted vendor. Once a threat actor controls a vendor account, they can host malicious files on the vendor's own file hosting service and share them with the vendor's customers. The share notification then arrives from a sender the recipient already corresponds with, delivered by a platform the organization already allows, so both reputation-based filtering and the recipient's own suspicion are working in the attacker's favour.

Initial Access

The initial access phase typically involves the use of familiar topics based on existing conversations or urgent requests. For instance, if two organizations have previously interacted regarding an audit, the shared file might be named “Audit Report 2024.” Alternatively, threat actors may impersonate IT support personnel, using file names like “IT Filing Support 2024” or “Compromised Password Reset” to create a sense of urgency.

Defense Evasion Techniques

Once the malicious files are shared, threat actors employ various defense evasion techniques to circumvent detection. These include:

  1. Files with Restricted Access: The files are shared only with the intended recipient, who must sign in or re-authenticate with a one-time password (OTP) sent to their email address before the content is displayed. Anything that is not the recipient, including the URL scanners and detonation sandboxes of email security products, fails this gate and never sees the malicious content.

  2. View-Only Restrictions: By setting files to ‘view-only’ mode, threat actors prevent recipients from downloading the files, making it difficult for security systems to analyze the content for embedded malicious links.

These tactics complicate the detection and analysis of phishing attempts, as the files are often shared through automated notifications that appear legitimate.

Identity Compromise

When a targeted user attempts to access the shared file, they are prompted to verify their identity by providing their email address. An OTP is sent, and upon submission the user is granted access to a document that typically contains a malicious link. This link redirects the user to an adversary-in-the-middle (AiTM) phishing page, where they are prompted to enter their password and complete multifactor authentication (MFA). The AiTM page is a proxy: it relays the password and MFA response to the legitimate identity provider in real time and captures the session cookie or token that the provider issues on success. The threat actor can then replay that token to access the account without being challenged for MFA again, and use that access to launch further attacks, including business email compromise (BEC) schemes.
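The correlation a detection engineer might build for the chain just described, as an added example that is not part of the original article and does not reproduce Microsoft's own detection content: it joins an external share notification carrying a lure-themed file name, a subsequent MFA-satisfied sign-in by the recipient, and the reuse of that sign-in's session id from a second IP address, which is the footprint a replayed token leaves. The share notifications, sign-in records, field names, IP addresses and the two time windows are constructed for illustration and would be mapped onto the schema of your own mail-gateway and Microsoft Entra sign-in telemetry.

```python
import re
from datetime import datetime, timedelta

# Constructed sample telemetry (not real logs). Field names are assumptions:
# map them onto your own mail-gateway and Entra sign-in log schema.
SHARE_NOTIFICATIONS = [
    {"time": "2024-10-08T09:02:00", "recipient": "alice@contoso.example",
     "sender_domain": "vendor.example", "file_name": "Compromised Password Reset.pdf"},
    {"time": "2024-10-08T09:05:00", "recipient": "bob@contoso.example",
     "sender_domain": "vendor.example", "file_name": "Q3 invoice.xlsx"},
]
SIGNINS = [
    # alice: MFA-satisfied interactive sign-in from one IP (in an AiTM attack this
    # is the proxy), then the same session id used from a second IP minutes later.
    {"time": "2024-10-08T09:10:00", "user": "alice@contoso.example",
     "ip": "203.0.113.10", "session_id": "sess-a1", "interactive": True, "mfa": True},
    {"time": "2024-10-08T09:16:00", "user": "alice@contoso.example",
     "ip": "198.51.100.7", "session_id": "sess-a1", "interactive": False, "mfa": False},
    # bob: benign sign-in; the session stays on a single IP.
    {"time": "2024-10-08T09:20:00", "user": "bob@contoso.example",
     "ip": "192.0.2.5", "session_id": "sess-b1", "interactive": True, "mfa": True},
    {"time": "2024-10-08T09:40:00", "user": "bob@contoso.example",
     "ip": "192.0.2.5", "session_id": "sess-b1", "interactive": False, "mfa": False},
]

# Lure themes named in the article; tune the pattern to your own environment.
LURE_PATTERN = re.compile(r"password|reset|audit|it (filing|support)|urgent|compromised", re.I)
SHARE_TO_SIGNIN_WINDOW = timedelta(hours=2)   # share notification -> victim sign-in
REPLAY_WINDOW = timedelta(minutes=30)         # sign-in -> token used from another IP


def _t(ts):
    return datetime.fromisoformat(ts)


def lure_notifications(notifications):
    """Share notifications whose file name matches an urgency or IT-support theme."""
    return [n for n in notifications if LURE_PATTERN.search(n["file_name"])]


def session_replays(signins, window=REPLAY_WINDOW):
    """(user, session_id, first_ip, later_ip) for every session id that appears from
    a second IP within `window` of its first sighting: a token copied elsewhere."""
    by_session = {}
    for s in sorted(signins, key=lambda s: s["time"]):
        by_session.setdefault(s["session_id"], []).append(s)
    hits = []
    for sid, events in by_session.items():
        first = events[0]
        for later in events[1:]:
            if later["ip"] != first["ip"] and _t(later["time"]) - _t(first["time"]) <= window:
                hits.append((first["user"], sid, first["ip"], later["ip"]))
                break
    return hits


def correlate(notifications, signins):
    """Join the three stages: lure notification -> MFA-satisfied interactive sign-in
    by the recipient within SHARE_TO_SIGNIN_WINDOW -> that session replayed from a new IP."""
    replays = {(u, sid): (ip1, ip2) for u, sid, ip1, ip2 in session_replays(signins)}
    alerts = []
    for n in lure_notifications(notifications):
        for s in signins:
            delta = _t(s["time"]) - _t(n["time"])
            if (s["user"] == n["recipient"] and s["interactive"] and s["mfa"]
                    and timedelta(0) <= delta <= SHARE_TO_SIGNIN_WINDOW
                    and (s["user"], s["session_id"]) in replays):
                first_ip, replay_ip = replays[(s["user"], s["session_id"])]
                alerts.append({"user": s["user"], "file_name": n["file_name"],
                               "sender_domain": n["sender_domain"],
                               "signin_ip": first_ip, "replay_ip": replay_ip,
                               "session_id": s["session_id"]})
    return alerts


if __name__ == "__main__":
    for a in correlate(SHARE_NOTIFICATIONS, SIGNINS):
        print("possible AiTM via file share:", a)
```

The session-id join is the load-bearing part: the cookie the proxy captured is exactly what the attacker replays, so the same session surfacing from two addresses in a short window is a stronger signal than either the lure or the unfamiliar sign-in alone. In production telemetry a fourth signal is cheap to add: the interactive sign-in in an AiTM attack comes from the proxy's address, which will not be in the user's prior IP or ASN history.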

Recommended Actions for Organizations

To mitigate the risks associated with these sophisticated campaigns, Microsoft recommends several proactive measures:

  1. Enable Conditional Access Policies: Implement risk-based Conditional Access policies in Microsoft Entra ID so that sign-ins carrying elevated user or sign-in risk, as computed by Microsoft Entra ID Protection from signals beyond the credential itself, are blocked or forced through a fresh, phishing-resistant authentication rather than admitted on a stolen password and MFA response alone.

  2. Implement Continuous Access Evaluation: Continuous access evaluation lets Microsoft Entra ID and services such as Exchange Online and SharePoint Online revoke an issued access token in near real time when a critical event occurs (the account is disabled, the password is reset, user risk is raised, or a request arrives from a location the Conditional Access policy does not allow) instead of honouring it until its normal expiry. This shrinks the window in which a replayed token remains useful.

  3. Adopt Passwordless Sign-In: Microsoft Entra passwordless sign-in with FIDO2 security keys removes the password and, more importantly, is phishing resistant: the credential is bound to the origin of the legitimate sign-in page, so a proxy page on a look-alike domain cannot obtain a usable assertion and the AiTM step in the chain above fails outright.

  4. Activate Network Protection: Enable network protection in Microsoft Defender for Endpoint so that connections from the device to known malicious domains and IP addresses, including AiTM phishing infrastructure Microsoft has already identified, are blocked at the endpoint.

  5. Leverage Microsoft Defender for Office 365: Use it to detect and block malicious emails, links, and files; its Safe Links time-of-click checks cover URLs inside share notifications, which matters because the final phishing link is only reachable after the OTP gate. Separately, review the risk detections that Microsoft Entra ID Protection raises for the sign-ins that follow.

  6. Educate Users: Train users that a file-share notification from a known vendor is still a phishing vector. An unexpected file, an urgent or IT-support themed name, or an OTP prompt followed by a second sign-in page should each prompt out-of-band verification with the vendor rather than compliance.

Conclusion

As cyber threats continue to evolve, organizations must remain vigilant and proactive in their defense strategies. By understanding the tactics employed by threat actors and implementing the recommended actions, businesses can better protect themselves against sophisticated phishing campaigns that exploit legitimate file hosting services. In a landscape where security is a collective responsibility, collaboration and awareness are key to safeguarding digital assets and maintaining trust in the tools we use every day.

For further insights and updates on the latest security research, organizations can follow the Microsoft Threat Intelligence Blog and engage with the community on social media platforms. By staying informed and prepared, businesses can navigate the complexities of the digital threat landscape with confidence.
