Security News File hosting services misused for identity phishing

Gandalf_The_Grey

Gandalf_The_Grey

Level 82
Thread author
Verified
Honorary Member
Top Poster
Content Creator
Well-known
Apr 24, 2016
7,189
Content source
https://www.microsoft.com/en-us/security/blog/2024/10/08/file-hosting-services-misused-for-identity-phishing/
Microsoft has observed campaigns misusing legitimate file hosting services increasingly use defense evasion tactics involving files with restricted access and view-only restrictions. While these campaigns are generic and opportunistic in nature, they involve sophisticated techniques to perform social engineering, evade detection, and expand threat actor reach to other accounts and tenants. These campaigns are intended to compromise identities and devices, and most commonly lead to business email compromise (BEC) attacks to propagate campaigns, among other impacts such as financial fraud, data exfiltration, and lateral movement to endpoints.

Legitimate hosting services, such as SharePoint, OneDrive, and Dropbox, are widely used by organizations for storing, sharing, and collaborating on files. However, the widespread use of such services also makes them attractive targets for threat actors, who exploit the trust and familiarity associated with these services to deliver malicious files and links, often avoiding detection by traditional security measures.
Click to expand...
An example attack chain is provided below, depicting the updated defense evasion techniques being used across stages 4, 5, and 6:

Attack chain diagram. Step 1, attacker compromises a user of a trusted vendor via password spray/AiTM attack. Step 2, attacker replays stolen token a few hours later to sign into the user’s file hosting app. Step 3, attacker creates a malicious file in the compromised user’s file hosting app. Step 4, attacker shares the file with restrictions to a group of targeted recipients. Step 5, targeted recipient accesses the automated email notification with the suspicious file. Step 6, recipient is required to re-authenticate before accessing the shared file. Step 7, recipient accesses the malicious shared file link, directing to an AiTM page. Step 8, recipient submits password and MFA, compromising the user’s session token. Lastly, step 9, file shared on the compromised user’s file hosting app is used for further AiTM and BEC attacks.
Click to expand...
www.microsoft.com

File hosting services misused for identity phishing | Microsoft Security Blog

Since mid-April 2024, Microsoft has observed an increase in defense evasion tactics used in campaigns abusing file hosting services like SharePoint, OneDrive, and Dropbox. These campaigns use sophisticated techniques to perform social engineering, evade detection, and compromise identities, and...
www.microsoft.com www.microsoft.com
 
  • Wow
Reactions: silversurfer

Similar threads

enaph
    • +Reputation
    • Like
    • Wow
Scams & Phishing News Microsoft “Poisons” Phishing Data With Fake Creds to Catch Hackers
Replies
0
Views
1,331
Security News
enaph
enaph
enaph
    • +Reputation
    • Like
Security News Apple Safari Flaw “HM Surf” Allows Unauthorized Data Access on macOS
Replies
0
Views
1,322
Security News
enaph
enaph
silversurfer
    • Like
    • +Reputation
Malware News Pikabot Malware Surfaces as Qakbot Replacement for Black Basta Attacks
Replies
0
Views
1,247
Security News
silversurfer
silversurfer

About us

  • MalwareTips is a community-driven platform providing the latest information and resources on malware and cyber threats. Our team of experienced professionals and passionate volunteers work to keep the internet safe and secure. We provide accurate, up-to-date information and strive to build a strong and supportive community dedicated to cybersecurity.

Quick Navigation

Forum Rules Warning System Welcome Guide Two-factor Authentication

User Menu

Login

Follow us

Follow us on Facebook or Twitter to know first about the latest cybersecurity incidents and malware threats.

Top