Microsoft is warning of cyber assault campaigns that abuse legit file internet hosting providers equivalent to SharePoint, OneDrive, and Dropbox which might be extensively utilized in enterprise environments as a protection evasion tactic.
The tip objective of the campaigns are broad and diverse, permitting menace actors to compromise identities and units and conduct enterprise electronic mail compromise (BEC) assaults, which in the end end in monetary fraud, information exfiltration, and lateral motion to different endpoints.
The weaponization of legit web providers (LIS) is an more and more well-liked threat vector adopted by adversaries to mix in with legit community site visitors in a fashion such that it typically bypasses conventional safety defenses and complicates attribution efforts.
The method can be known as living-off-trusted-sites (LOTS), because it leverages the belief and familiarity of those providers to sidestep electronic mail safety guardrails and ship malware.
Microsoft mentioned it has been observing a brand new development in phishing campaigns exploiting legit file internet hosting providers since mid-April 2024 that contain recordsdata with restricted entry and view-only restrictions.
Such assaults typically start with the compromise of a consumer inside a trusted vendor, leveraging the entry to stage malicious recordsdata and payloads on the file internet hosting service for subsequent sharing with a goal entity.
“The recordsdata despatched by way of the phishing emails are configured to be accessible solely to the designated recipient,” it mentioned. “This requires the recipient to be signed in to the file-sharing service — be it Dropbox, OneDrive, or SharePoint — or to re-authenticate by getting into their electronic mail handle together with a one-time password (OTP) acquired by way of a notification service.”
What’s extra, the recordsdata shared as a part of the phishing assaults are set to “view-only” mode, stopping the flexibility to obtain and detect embedded URLs inside the file.
A recipient who makes an attempt to entry the shared file is then prompted to confirm their id by offering their electronic mail handle and a one-time password despatched to their electronic mail account.
As soon as they’re efficiently approved, the goal is instructed to click on on one other hyperlink to view the precise contents. Nevertheless, doing so redirects them to an adversary-in-the-middle (AitM) phishing web page that steals their password and two-factor authentication (2FA) tokens.
This not solely permits the menace actors to grab management of the account, but in addition use it to perpetuate different scams, together with BEC assaults and monetary fraud.
“Whereas these campaigns are generic and opportunistic in nature, they contain refined strategies to carry out social engineering, evade detection, and increase menace actor attain to different accounts and tenants,” the Microsoft Menace Intelligence staff mentioned.
The event comes as Sekoia detailed a brand new AitM phishing package known as Mamba 2FA that is offered as phishing-as-a-service (PhaaS) to different menace actors to conduct electronic mail phishing campaigns that propagate HTML attachments impersonating Microsoft 365 login pages.
The package, which is obtainable on a subscription foundation for $250 monthly, helps Microsoft Entra ID, AD FS, third-party SSO suppliers, and client accounts. Mamba 2FA has been actively put to make use of since November 2023.
“It handles two-step verifications for non-phishing-resistant MFA strategies equivalent to one-time codes and app notifications,” the French cybersecurity firm mentioned. “The stolen credentials and cookies are immediately despatched to the attacker through a Telegram bot.”
