Microsoft is warning of cyber assault campaigns that abuse official file internet hosting providers equivalent to SharePoint, OneDrive, and Dropbox which can be extensively utilized in enterprise environments as a protection evasion tactic.
The top aim of the campaigns are broad and diversified, permitting risk actors to compromise identities and gadgets and conduct enterprise e-mail compromise (BEC) assaults, which in the end end in monetary fraud, knowledge exfiltration, and lateral motion to different endpoints.
The weaponization of official web providers (LIS) is an more and more common danger vector adopted by adversaries to mix in with official community visitors in a way such that it usually bypasses conventional safety defenses and complicates attribution efforts.
The method can also be referred to as living-off-trusted-sites (LOTS), because it leverages the belief and familiarity of those providers to sidestep e-mail safety guardrails and ship malware.
Microsoft mentioned it has been observing a brand new development in phishing campaigns exploiting official file internet hosting providers since mid-April 2024 that contain information with restricted entry and view-only restrictions.
Such assaults usually start with the compromise of a person inside a trusted vendor, leveraging the entry to stage malicious information and payloads on the file internet hosting service for subsequent sharing with a goal entity.
“The files sent through the phishing emails are configured to be accessible solely to the designated recipient,” it mentioned. “This requires the recipient to be signed in to the file-sharing service — be it Dropbox, OneDrive, or SharePoint — or to re-authenticate by entering their email address along with a one-time password (OTP) received through a notification service.”
What’s extra, the information shared as a part of the phishing assaults are set to “view-only” mode, stopping the flexibility to obtain and detect embedded URLs inside the file.
A recipient who makes an attempt to entry the shared file is then prompted to confirm their identification by offering their e-mail deal with and a one-time password despatched to their e-mail account.
As soon as they’re efficiently approved, the goal is instructed to click on on one other hyperlink to view the precise contents. Nonetheless, doing so redirects them to an adversary-in-the-middle (AitM) phishing web page that steals their password and two-factor authentication (2FA) tokens.
This not solely allows the risk actors to grab management of the account, but additionally use it to perpetuate different scams, together with BEC assaults and monetary fraud.
“While these campaigns are generic and opportunistic in nature, they involve sophisticated techniques to perform social engineering, evade detection, and expand threat actor reach to other accounts and tenants,” the Microsoft Risk Intelligence crew mentioned.
The event comes as Sekoia detailed a brand new AitM phishing equipment referred to as Mamba 2FA that is bought as phishing-as-a-service (PhaaS) to different risk actors to conduct e-mail phishing campaigns that propagate HTML attachments impersonating Microsoft 365 login pages.
The equipment, which is obtainable on a subscription foundation for $250 per 30 days, helps Microsoft Entra ID, AD FS, third-party SSO suppliers, and shopper accounts. Mamba 2FA has been actively put to make use of since November 2023.
“It handles two-step verifications for non-phishing-resistant MFA methods such as one-time codes and app notifications,” the French cybersecurity firm mentioned. “The stolen credentials and cookies are instantly sent to the attacker via a Telegram bot.”
