Open Forum

Security BUZZ - new twist in Dropbox abuse

  • 1.  Security BUZZ - new twist in Dropbox abuse

    Posted 10-13-2023 09:23

    A new trend in cyber-attacks is using legitimate cloud services to send and host phishing material. One such method is a fast-growing business email compromise (BEC) attack that uses Dropbox to steal Microsoft SharePoint credentials from thousands of users. This method evades natural language processing (NLP)-based security scans and demonstrates the rapid evolution of these types of attacks.

    The campaign messages appear to come directly from Dropbox, informing users they have a file or files to download. Clicking on the link provided in the message takes potential victims to another page where they are instructed to click on a link to start the download. Notably, the page to which users are directed is hosted on a legitimate Dropbox URL but is branded as OneDrive, a Microsoft cloud storage and download service. If users don't pick up on the discrepancy, the link on this secondary page, which pretends to take users to their file or files, leads to a phishing site that looks like a login for Microsoft SharePoint. This final page in the campaign is hosted outside of Dropbox.

    Lesson learned:

    • A mismatch between receiving an email from a Dropbox domain and receiving a page linking to a OneDrive account should always be a red flag that the Dropbox campaign is malicious
    • Dropbox and other file storage services frequently send a direct link that does not require authentication
      • Be wary of any email received from cloud services you are not expecting or from unknown sources
      • If the email is anticipated, it's still a good idea to verify with the sender via an out-of-band channel that they did, in fact, share the file. Remember, you never know whether the sender you are trusting has been compromised

    #ALTACyber



    ------------------------------
    Genady Vishnevetsky
    Chief Info Security Officer
    Stewart Title Guaranty Company
    Houston TX
    ------------------------------
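The red flags listed in the post (a Dropbox-hosted page branded as OneDrive, and a credential prompt that sits outside both Dropbox and Microsoft infrastructure) can be turned into a simple brand-consistency check over the hops of a file-share lure. The following is an added example written for this thread, not code from the original post or from any mail-security product; the brand domain lists, the keyword lists, the `Hop`/`Finding` helpers and the sample chains are assumptions constructed for illustration.

```python
"""Brand-consistency check over the hops of a file-share lure.

Each hop (the notification email, the landing page, the credential
prompt) is hosted on some domain and presents itself as some brand.
A hop whose hosting brand and presented brand disagree, a chain that
leaves every known brand's infrastructure, or a credential prompt on
a host no known brand owns, is flagged. Hypothetical helper code.
"""
from dataclasses import dataclass
from typing import List, Optional, Set
from urllib.parse import urlparse

# Assumption: small illustrative allow-list of legitimate hosting domains
# per brand. A real deployment would maintain this list centrally.
BRAND_DOMAINS = {
    "dropbox": ("dropbox.com", "dropboxusercontent.com"),
    "microsoft": ("microsoft.com", "sharepoint.com", "onedrive.com",
                  "live.com", "office.com"),
}
# Words with which a page or email presents itself as a brand (assumed).
BRAND_WORDS = {
    "dropbox": ("dropbox",),
    "microsoft": ("onedrive", "sharepoint", "microsoft", "office 365"),
}
CREDENTIAL_WORDS = ("password", "sign in", "log in", "login")


@dataclass
class Hop:
    url: str    # "mailto:<sender>" for the email hop, the page URL otherwise
    text: str   # subject + body for the email, rendered text for a page


@dataclass
class Finding:
    hop: int
    code: str
    detail: str


def host_of(url: str) -> str:
    """Sender domain for mailto: hops, hostname for http(s) hops."""
    if url.lower().startswith("mailto:"):
        return url.split("@", 1)[1].lower()
    return (urlparse(url).hostname or "").lower()


def hosting_brand(host: str) -> Optional[str]:
    """Brand that legitimately owns this host, if any. Requires an exact
    match or a dot-separated subdomain, so look-alikes such as
    'evil-dropbox.com' or 'dropbox.com.evil.net' do not match."""
    for brand, domains in BRAND_DOMAINS.items():
        if any(host == d or host.endswith("." + d) for d in domains):
            return brand
    return None


def claimed_brands(text: str) -> Set[str]:
    low = text.lower()
    return {b for b, words in BRAND_WORDS.items() if any(w in low for w in words)}


def asks_for_credentials(text: str) -> bool:
    low = text.lower()
    return any(w in low for w in CREDENTIAL_WORDS)


def assess_chain(hops: List[Hop]) -> List[Finding]:
    findings: List[Finding] = []
    prev_brand: Optional[str] = None
    for i, hop in enumerate(hops):
        host = host_of(hop.url)
        hosted = hosting_brand(host)
        claimed = claimed_brands(hop.text)
        # Red flag 1: a page on brand A's infrastructure presenting as brand B.
        foreign = claimed - ({hosted} if hosted else set())
        if hosted and foreign:
            findings.append(Finding(i, "BRAND_MISMATCH",
                f"{host} is {hosted} infrastructure but presents as {sorted(foreign)}"))
        # Red flag 2: the chain leaves every known brand's infrastructure.
        if prev_brand and hosted is None:
            findings.append(Finding(i, "LEFT_KNOWN_HOSTS",
                f"moved from {prev_brand} infrastructure to {host}"))
        # Red flag 3: a credential prompt on a host no known brand owns.
        if asks_for_credentials(hop.text) and hosted is None:
            findings.append(Finding(i, "CREDENTIALS_OFF_BRAND",
                f"{host} asks for credentials while presenting as {sorted(claimed) or 'no brand'}"))
        prev_brand = hosted
    return findings


def is_suspicious(hops: List[Hop]) -> bool:
    return bool(assess_chain(hops))


# Constructed sample chain mirroring the pattern described in the post.
SAMPLE_CHAIN = [
    Hop("mailto:no-reply@dropbox.com",
        "Dropbox: Someone shared 'Q3 closing documents' with you. Click to view the file."),
    Hop("https://www.dropbox.com/scl/fi/EXAMPLE-PLACEHOLDER",
        "OneDrive - Your files are ready. Click here to download your document."),
    Hop("https://docs-share-login.example.net/auth",
        "Microsoft SharePoint - Sign in with your work account. Email  Password"),
]
# Constructed benign chain: the email and the download page are both Dropbox.
BENIGN_CHAIN = [
    Hop("mailto:no-reply@dropbox.com", "Dropbox: A file was shared with you."),
    Hop("https://www.dropbox.com/s/EXAMPLE-PLACEHOLDER", "Dropbox - Download Q3 closing documents"),
]

if __name__ == "__main__":
    for f in assess_chain(SAMPLE_CHAIN):
        print(f"hop {f.hop}: {f.code}: {f.detail}")
    print("benign chain suspicious:", is_suspicious(BENIGN_CHAIN))
```

Run against the constructed sample chain, the second hop is flagged as `BRAND_MISMATCH` (Dropbox host, OneDrive branding) and the third as both `LEFT_KNOWN_HOSTS` and `CREDENTIALS_OFF_BRAND`, while the benign Dropbox-only chain produces no findings. The hostname match deliberately requires an exact or dot-separated subdomain so that look-alike domains are not treated as brand infrastructure.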