
If someone shares a file on SharePoint, OneDrive, Dropbox, or any other legitimate file hosting service, beware – it may be a phishing attack designed to bypass defenses.
Microsoft Threat Intelligence warns that threat actors are increasingly misusing file-sharing services, which are widely used for storing, sharing, and collaborating on files. Phishing attack campaigns attempt to steal credentials and multifactor authentication tokens.
Attackers bypass defenses by sharing access to view-only or restricted documents that can be opened by a specific person – their target. Victims receive automated email notifications, prompting them to authenticate. A social engineering campaign encourages users to click on a link in a document, which leads to an adversary-in-the-middle (AiTM) phishing page.
“While these campaigns are generic and opportunistic in nature, they involve sophisticated techniques to perform social engineering, evade detection, and expand threat actor reach to other accounts and tenants,” Microsoft warns.
Such attacks often result in compromised identities and devices and also lead to business email compromise attacks, which may have far-reaching consequences, such as financial fraud, data exfiltration, and lateral movement to other endpoints.
Typical attack chain starts with account compromise
The new campaigns started in mid-April 2024 and are different from traditional phishing campaigns, which rely on file delivery via email attachments or links.
Instead, threat actors use legitimate services to share files with restricted access or files with view-only restrictions.
- Restricted files are configured to be accessible solely to the designated recipient, who needs to be signed into the particular sharing service, such as Dropbox, OneDrive, or SharePoint.
- Files with view-only restrictions bypass email security systems, disabling the ability to download and detect embedded URLs within the file.
The attack first requires a compromised account belonging to a user at a trusted vendor. The threat actor then hosts a file on that vendor’s file hosting service and shares it with the target organization.
This approach is particularly effective because recipients tend to trust emails from known vendors, and security systems often place trusted vendors on allow lists.
Cybercrooks craft their hosted files following some patterns – they contain familiar topics, usually based on existing conversations, current context, and urgency. The file name could be “Audit Report 2024,” if previous interactions were related to an audit.
Other examples include “IT Filing Support 2024,” “Forms related to Tax submission,” “Troubleshooting guidelines,” “Urgent: Attention Required,” and “Compromised Password Reset.”
Instead of a phishing email, victims receive an automated email notification about the sharing action. The intended recipient needs to re-authenticate before accessing the file, which is accessible only for a limited time window.
When the targeted user tries to access the shared file, they are prompted to verify their identity and enter an OTP (One-Time Password) code. The authorized user can then view a document that often masquerades as a preview. It contains a malicious link, often disguised as a “View my message” access link.
The malicious link redirects the user to an adversary-in-the-middle (AiTM) phishing page. Here again, the user is prompted to provide the password and complete multifactor authentication (MFA).
The obtained credentials and tokens can then be leveraged to target other users or to carry out the second stage of a business email compromise attack.
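The warning signs described above (an automated share notification from an external account, restricted or view-only access that forces re-authentication and blocks scanning, an allow-listed vendor, and a lure-style file name) can be turned into a simple triage score for a mail-security pipeline. The following is an added illustration, not code from Microsoft or the article; the sender-domain list, the regexes built from the article's example file names, the field names and the threshold are assumptions for this example, and the notifications are constructed sample data.

```python
import re
from dataclasses import dataclass

# Lure themes taken from the file names quoted in the article; the regexes are an assumption.
LURE_PATTERNS = [
    r"\baudit report\b", r"\bit filing support\b", r"\btax submission\b",
    r"\btroubleshooting guidelines?\b", r"\burgent\b", r"\battention required\b",
    r"\bpassword reset\b", r"\bcompromised\b",
]
# Assumed sender domains of the automated share notifications of the services the article names.
SHARE_NOTIFIER_DOMAINS = {"sharepointonline.com", "onedrive.com", "dropbox.com"}

@dataclass
class ShareNotification:
    sender_domain: str   # domain of the automated notification sender
    sharer_domain: str   # domain of the account that shared the file
    file_name: str
    restricted: bool     # recipient must sign in to the service to open the file
    view_only: bool      # download disabled, so email security cannot scan the content
    known_vendor: bool   # sharer_domain is on the organisation's vendor allow list

def score_notification(n: ShareNotification, own_domain: str) -> tuple[int, list[str]]:
    """Return (score, reasons); a higher score means more of the article's warning signs."""
    score, reasons = 0, []
    if n.sender_domain in SHARE_NOTIFIER_DOMAINS and n.sharer_domain != own_domain:
        score += 1; reasons.append("external share via file-hosting service")
    if n.restricted:
        score += 1; reasons.append("restricted: recipient must re-authenticate to open")
    if n.view_only:
        score += 2; reasons.append("view-only: file cannot be downloaded and scanned")
    if n.known_vendor:
        score += 1; reasons.append("from allow-listed vendor: may bypass filtering")
    hits = [p for p in LURE_PATTERNS if re.search(p, n.file_name.lower())]
    if hits:
        score += len(hits); reasons.append(f"lure keywords in file name: {len(hits)}")
    return score, reasons

def triage(notifications, own_domain="example.com", threshold=4):
    """Return file names that need analyst review, highest score first."""
    scored = [(score_notification(n, own_domain)[0], n.file_name) for n in notifications]
    return [name for s, name in sorted(scored, reverse=True) if s >= threshold]

# Constructed sample notifications (not real data).
SAMPLES = [
    ShareNotification("sharepointonline.com", "vendor-corp.example", "Audit Report 2024.pdf", True, True, True),
    ShareNotification("dropbox.com", "partner.example", "Urgent: Attention Required.docx", True, True, False),
    ShareNotification("onedrive.com", "example.com", "Q3 roadmap.pptx", False, False, False),
]
```

The threshold only ranks notifications for review; a flagged share still needs a human or sandbox to open the file in the service and inspect where its link leads.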
Microsoft said it takes action against malicious users violating the Microsoft Services Agreement in how they use apps like SharePoint and OneDrive. The company also works with third parties like Dropbox to share threat intelligence.