Credential phishing is one of the leading threats faced by organizations today. Threat actors use phishing emails to harvest corporate account credentials that they use to gain a foothold in an organization using ever-evolving and innovative techniques to evade detection.
The dangers of phishing are often understated. A compromised Office 365 email account not only allows for attackers to leverage the reputation of the account to send spam, but it also enables them to read the victim’s emails and perform impersonation attacks like Business Email Compromise (BEC). Further, with the emergence of cloud office productivity and multi-user collaboration technologies, it enables the attacker to host and share malicious documents, files and even malware on the cloud infrastructure of these reputable domains, while staying under the radar.
Since mid-last year, we have observed an increase in “multi-stage” phishing attacks where threat actors leverage online cloud services. In the first stage, a phishing email is sent to the victim with a link to a legit cloud service hosting a fake document with a link or a button leading to the second stage phishing page where the credentials are harvested.
In this scheme threat actors typically use fake invoice phishing emails containing embedded links to legit office productivity and file-sharing cloud services like Microsoft OneDrive, SharePoint, OneNote, Sway, etc. These links have a very low detection on VT. These forged emails are mostly handcrafted and appear to be coming from legit businesses with real logos, addresses, and names as shown in Figures 1 and 2. However, in some cases, the emails are generated using cloud services themselves e.g. by utilizing the file share options of OneDrive and SharePoint as shown in Figure 3.
Figure 1: Initial phishing lure email with an embedded button inviting victims to view the files
Figure 2: Initial Fake phishing email inviting the victim to click on the link. Notice the name, logo and address of legit businesses being used
Figure 3: Fake ACH Payment phishing email generated using the Microsoft OneDrive file share option and sent to multiple users.
In some cases, compromised office 365 corporate accounts are used to conduct the scam. Doing so gives the attackers the vantage point of (a) sending the initial phishing email lure message through a legit Microsoft office 365 corporate account and (b) hosting the first stage phishing invoice PDF using Microsoft cloud services like OneDrive, OneNote etc. A flow chart of the scam is shown in Figure 4.
Figure 4: Flow of the Phishing campaign
The first stage phish is often a fake invoice or secure document PDF hosted on cloud services. This document can be downloaded however, the important thing to note here is, in order to allow ease of use, these cloud services open the PDF for viewing allowing it to load in the web browser without any restriction or warning.
These PDFs are often made to look like HTML pages and contain a link or a button inviting the user to click on it. Clicking on the link does not warn or notify the victim that they are being redirected away from the cloud service. If you had tried to open the PDF in Adobe Reader and click the link, you would get a warning that the document is trying to connect to a web URL. But in the browser, there are no such warnings and the user may not even realize they are viewing a PDF file. This First stage phishing hosted in the cloud using Microsoft’s SharePoint and OneNote is shown in Figures 5-8.
Figure 5: First-stage Phishing PDF hosted on MS SharePoint that can be downloaded or viewed and clicked on directly.
Figure 6: First-stage Phishing message hosted on MS OneNote that can be downloaded or viewed and clicked on directly.
Figure 7: First-stage Phishing PDF hosted on MS OneNote that can be downloaded or viewed and clicked on directly.
Figure 8: First-stage Phishing message hosted on MS OneNote that can be downloaded or viewed and clicked on directly.
Cloud services like MS SharePoint, OneDrive and OneNote, etc. allow several options for file collaboration and file sharing. This includes options to share the file with view or edit rights with collaborators within the organization or external to the organization. Here collaborators can be known recipients or unknown guest recipients. Any Office 365 user with sufficient privileges can click on a file or folder and choose the share option that sends a link to a recipient person or a group that the user specifies. The recipients can then authenticate using their Office 365 credentials to access the file. Additionally, Office 365 users can share files and folders with anyone without any authentication, by generating special links using the “Share with Anyone with the link” option. Anyone with this link can access the file, however, the file is not publicly searchable to anyone on the web. At an organizational level, admins need to edit permissions for “Anyone” links to be enabled.
We have also witnessed phishing attacks that leverage lesser-known cloud services. One is Microsoft Sway, which is a document, presentation and newsletter publishing system Figures 9-11. Another is Proposal Page, a proposal building software shown in Figure 12 and Notion.so which is an office productivity and collaboration tool shown in Figure 13, to host the second stage phishing document.
Figure 9: First-stage Phishing page hosted on MS Sway
Figure 10: First-stage Phishing page hosted on MS Sway
Figure 11: First-stage Phishing page hosted on MS Sway
Figure 12: First-stage Phishing page hosted on Proposal Page Cloud services
Figure 13: First-stage Phishing page hosted on Notion.so
Clicking the link on the first-stage phishing invoice page leads to the second-stage phishing page. The second and final page of this scam is a standard Office 365 credential phishing page as shown in Figure 14. This page is used to harvest corporate Office 365 account credentials from victim employees and use this for further gains. This page is usually hosted on compromised websites external to the cloud infrastructure used to host the first stage of the attack.
Figure 14: Standard Office 365 credential phishing page that serves as the second and final stage of this multi-staged phishing attack and is designed to harvest employee account credentials and send them to the threat actors
Conclusion
Threat actors are using new and innovative techniques to evade detection at email gateways to target their victims with phishing messages. One such method is to use multi-stage phishing enabled by reputable cloud infrastructure providers. In the first stage of the attack, the scammers send a phishing email that has a link to a fake document hosted in the cloud. This document opens in the web browser and contains a link. Once clicked, the link takes the victim to the second-stage phishing page that is a standard Office 365 credential phishing page designed to harvest corporate account credentials of employees.
Using legit cloud infrastructure enables the perpetrators to stay under the radar and effectively redirect the victim to the credential phishing page. It piggybacks on the good reputation of cloud infrastructure providers and makes it less likely that URLs will be blacklisted. It hides URLs inside of documents, further thwarting easy detection. It also gives the attacker confidence that both links were clicked by a human using email notification feedback from services like OneDrive that notify the senders whenever the recipient/victim opens the link thus confirming that the phishing message reached its destination successfully. Finally, it successfully evades any external URL clicking checks, notifications or warnings that may exist in PDF readers like Adobe Reader.
As a security mitigation strategy, organizations should consider disabling organization-level external sharing especially using the unauthenticated “Anyone” option. This will inhibit the misuse of the cloud service by potential threat actors, as shown below, where we mocked up a phishing page but were unable to send a link via email due to organization policy.
