CVE-2024-3400: PAN-OS Command Injection Vulnerability in GlobalProtect Gateway. Learn More

CVE-2024-3400: PAN-OS Command Injection Vulnerability in GlobalProtect Gateway. Learn More

Managed Detection & Response

Eliminate active threats with 24/7 threat detection, investigation, and response.

Co-Managed SOC (SIEM)

Maximize your SIEM investment, stop alert fatigue, and enhance your team with hybrid security operations support.

Advisory & Diagnostics

Advance your cybersecurity program and get expert guidance where you need it most.

Penetration Testing

Test your physical locations and IT infrastructure to shore up weaknesses before exploitation.

Database Security

Prevent unauthorized access and exceed compliance requirements.

Email Security

Stop email threats others miss and secure your organization against the #1 ransomware attack vector.

Digital Forensics & Incident Response

Prepare for the inevitable with 24/7 global breach response in-region and available on-site.

Firewall & Technology Management

Mitigate risk of a cyberattack with 24/7 incident and health monitoring and the latest threat intelligence.

Offensive Security
Solutions to maximize your security ROI
Microsoft Exchange Server Attacks
Stay protected against emerging threats
Rapidly Secure New Environments
Security for rapid response situations
Securing the Cloud
Safely navigate and stay protected
Securing the IoT Landscape
Test, monitor and secure network objects
Why Trustwave
About Us
Awards and Accolades
Trustwave SpiderLabs Team
Trustwave Fusion Security Operations Platform
Trustwave Security Colony
Technology Alliance Partners
Key alliances who align and support our ecosystem of security offerings
Trustwave PartnerOne Program
Join forces with Trustwave to protect against the most advance cybersecurity threats
SpiderLabs Blog

Phishing in the Cloud

Credential phishing is one of the leading threats faced by organizations today. Threat actors use phishing emails to harvest corporate account credentials that they use to gain a foothold in an organization using ever-evolving and innovative techniques to evade detection.

The dangers of phishing are often understated.  A compromised Office 365 email account not only allows for attackers to leverage the reputation of the account to send spam, but it also enables them to read the victim’s emails and perform impersonation attacks like Business Email Compromise (BEC). Further, with the emergence of cloud office productivity and multi-user collaboration technologies, it enables the attacker to host and share malicious documents, files and even malware on the cloud infrastructure of these reputable domains, while staying under the radar.

Since mid-last year, we have observed an increase in “multi-stage” phishing attacks where threat actors leverage online cloud services. In the first stage, a phishing email is sent to the victim with a link to a legit cloud service hosting a fake document with a link or a button leading to the second stage phishing page where the credentials are harvested.

In this scheme threat actors typically use fake invoice phishing emails containing embedded links to legit office productivity and file-sharing cloud services like Microsoft OneDrive, SharePoint, OneNote, Sway, etc. These links have a very low detection on VT. These forged emails are mostly handcrafted and appear to be coming from legit businesses with real logos, addresses, and names as shown in Figures 1 and 2. However, in some cases, the emails are generated using cloud services themselves e.g. by utilizing the file share options of OneDrive and SharePoint as shown in Figure 3.



Figure 1: Initial phishing lure email with an embedded button inviting victims to view the files



Figure 2: Initial Fake phishing email inviting the victim to click on the link. Notice the name, logo and address of legit businesses being used



Figure 3: Fake ACH Payment phishing email generated using the Microsoft OneDrive file share option and sent to multiple users.


In some cases, compromised office 365 corporate accounts are used to conduct the scam. Doing so gives the attackers the vantage point of (a) sending the initial phishing email lure message through a legit Microsoft office 365 corporate account and (b) hosting the first stage phishing invoice PDF using Microsoft cloud services like OneDrive, OneNote etc. A flow chart of the scam is shown in Figure 4.


Figure 4: Flow of the Phishing campaign


The first stage phish is often a fake invoice or secure document PDF hosted on cloud services. This document can be downloaded however, the important thing to note here is, in order to allow ease of use, these cloud services open the PDF for viewing allowing it to load in the web browser without any restriction or warning.

These PDFs are often made to look like HTML pages and contain a link or a button inviting the user to click on it. Clicking on the link does not warn or notify the victim that they are being redirected away from the cloud service. If you had tried to open the PDF in Adobe Reader and click the link, you would get a warning that the document is trying to connect to a web URL. But in the browser, there are no such warnings and the user may not even realize they are viewing a PDF file. This First stage phishing hosted in the cloud using Microsoft’s SharePoint and OneNote is shown in Figures 5-8.



Figure 5: First-stage Phishing PDF hosted on MS SharePoint that can be downloaded or viewed and clicked on directly.



Figure 6: First-stage Phishing message hosted on MS OneNote that can be downloaded or viewed and clicked on directly.



Figure 7: First-stage Phishing PDF hosted on MS OneNote that can be downloaded or viewed and clicked on directly.



Figure 8: First-stage Phishing message hosted on MS OneNote that can be downloaded or viewed and clicked on directly.


Cloud services like MS SharePoint, OneDrive and OneNote, etc. allow several options for file collaboration and file sharing. This includes options to share the file with view or edit rights with collaborators within the organization or external to the organization. Here collaborators can be known recipients or unknown guest recipients. Any Office 365 user with sufficient privileges can click on a file or folder and choose the share option that sends a link to a recipient person or a group that the user specifies. The recipients can then authenticate using their Office 365 credentials to access the file. Additionally, Office 365 users can share files and folders with anyone without any authentication, by generating special links using the “Share with Anyone with the link” option. Anyone with this link can access the file, however, the file is not publicly searchable to anyone on the web. At an organizational level, admins need to edit permissions for “Anyone” links to be enabled.

We have also witnessed phishing attacks that leverage lesser-known cloud services. One is Microsoft Sway, which is a document, presentation and newsletter publishing system Figures 9-11. Another is Proposal Page, a proposal building software shown in Figure 12 and which is an office productivity and collaboration tool shown in Figure 13, to host the second stage phishing document.



Figure 9: First-stage Phishing page hosted on MS Sway



Figure 10: First-stage Phishing page hosted on MS Sway



Figure 11: First-stage Phishing page hosted on MS Sway



Figure 12: First-stage Phishing page hosted on Proposal Page Cloud services



Figure 13: First-stage Phishing page hosted on


Clicking the link on the first-stage phishing invoice page leads to the second-stage phishing page. The second and final page of this scam is a standard Office 365 credential phishing page as shown in Figure 14. This page is used to harvest corporate Office 365 account credentials from victim employees and use this for further gains. This page is usually hosted on compromised websites external to the cloud infrastructure used to host the first stage of the attack.


Figure 14: Standard Office 365 credential phishing page that serves as the second and final stage of this multi-staged phishing attack and is designed to harvest employee account credentials and send them to the threat actors



Threat actors are using new and innovative techniques to evade detection at email gateways to target their victims with phishing messages. One such method is to use multi-stage phishing enabled by reputable cloud infrastructure providers. In the first stage of the attack, the scammers send a phishing email that has a link to a fake document hosted in the cloud. This document opens in the web browser and contains a link. Once clicked, the link takes the victim to the second-stage phishing page that is a standard Office 365 credential phishing page designed to harvest corporate account credentials of employees.

Using legit cloud infrastructure enables the perpetrators to stay under the radar and effectively redirect the victim to the credential phishing page. It piggybacks on the good reputation of cloud infrastructure providers and makes it less likely that URLs will be blacklisted. It hides URLs inside of documents, further thwarting easy detection. It also gives the attacker confidence that both links were clicked by a human using email notification feedback from services like OneDrive that notify the senders whenever the recipient/victim opens the link thus confirming that the phishing message reached its destination successfully. Finally, it successfully evades any external URL clicking checks, notifications or warnings that may exist in PDF readers like Adobe Reader.

As a security mitigation strategy, organizations should consider disabling organization-level external sharing especially using the unauthenticated “Anyone” option. This will inhibit the misuse of the cloud service by potential threat actors, as shown below, where we mocked up a phishing page but were unable to send a link via email due to organization policy.



Latest SpiderLabs Blogs

Fake Dialog Boxes to Make Malware More Convincing

Let’s explore how SpiderLabs created and incorporated user prompts, specifically Windows dialog boxes into its malware loader to make it more convincing to phishing targets during a Red Team...

Read More

The Secret Cipher: Modern Data Loss Prevention Solutions

This is Part 7 in my ongoing project to cover 30 cybersecurity topics in 30 weekly blog posts. The full series can be found here. Far too many organizations place Data Loss Prevention (DLP) and Data...

Read More

CVE-2024-3400: PAN-OS Command Injection Vulnerability in GlobalProtect Gateway

UPDATE: Palo Alto Networks confirmed on Tuesday (4/16) that disabling device telemetry is no longer considered an effective mitigation. On Wednesday (4/17), the company released new threat signatures...

Read More