Microsoft is warning of cyberattack campaigns that abuse legitimate file hosting services such as SharePoint, OneDrive, and Dropbox, which are widely used in enterprise environments, as a defense evasion tactic.
The campaigns' end goals are wide and varied, allowing threat actors to compromise identities and devices and conduct business email compromise (BEC) attacks that ultimately lead to financial fraud, data theft, and lateral movement to other endpoints.
Weaponization of legitimate Internet services (LIS) is an increasingly popular risk vector adopted by adversaries to blend in with legitimate network traffic in ways that often bypass traditional security protections and complicate attribution efforts.
The approach is also called living-off-trusted-sites (LOTS) because it leverages the trust and familiarity of these services to bypass email security defenses and deliver malware.
Microsoft said that since mid-April 2024, it has observed a new trend in phishing campaigns using legitimate file hosting services that involve files with restricted access and view-only restrictions.
Such attacks often begin with a compromised user within a trusted provider, who uses that access to stage malicious files and payloads on a file hosting service for subsequent sharing with the target.
“Files sent via phishing emails are configured to be accessible only to the designated recipient,” it said. “This requires the recipient to sign in to the file sharing service — be it Dropbox, OneDrive, or SharePoint — or re-authenticate by entering their email address along with a one-time password (OTP) received through the notification service.”
Moreover, files shared as part of these phishing attacks are set to “view-only” mode, which disables downloading and so prevents the URLs embedded in the file from being extracted and detected.
The recipient trying to access the shared file is then asked to verify their identity by entering their email address and a one-time password sent to their email account.
After successful authentication, the target is instructed to click another link to view the actual content. That link, however, redirects them to an adversary-in-the-middle (AitM) phishing page that steals their password and two-factor authentication (2FA) tokens.
Not only does this allow threat actors to seize control of the account, but the access can also be used to perpetrate other scams, including BEC attacks and financial fraud.
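A defender-side check for the AitM outcome described above, added here as an example that is not from the article, Microsoft, or Sekoia: it scans a constructed, simplified list of sign-in events (the field names and event types are assumptions, not a real product schema) for sessions whose MFA completed from one IP address but were then presented from a different address within a short window, which is what stolen session tokens look like in sign-in telemetry.

```python
from datetime import datetime, timedelta

# Constructed sample events (not real telemetry). Alice completes MFA from one
# address and her session is presented from another four minutes later; Bob's
# session stays on the address that completed MFA.
SAMPLE_EVENTS = [
    {"user": "alice@example.test", "ip": "203.0.113.10", "ts": "2024-05-02T09:00:00",
     "event": "mfa_success", "session": "s1"},
    {"user": "alice@example.test", "ip": "203.0.113.10", "ts": "2024-05-02T09:00:05",
     "event": "session_use", "session": "s1"},
    {"user": "alice@example.test", "ip": "198.51.100.7", "ts": "2024-05-02T09:04:00",
     "event": "session_use", "session": "s1"},
    {"user": "bob@example.test", "ip": "203.0.113.20", "ts": "2024-05-02T10:00:00",
     "event": "mfa_success", "session": "s2"},
    {"user": "bob@example.test", "ip": "203.0.113.20", "ts": "2024-05-02T10:30:00",
     "event": "session_use", "session": "s2"},
]


def detect_session_replay(events, window_minutes=30):
    """Return one alert per session_use event whose IP differs from the IP that
    completed MFA for that session, if it happens within window_minutes.

    A session token used from an address other than the one that satisfied
    MFA is a classic indicator of AitM token theft: the victim authenticated
    through the proxy page, and the captured session is replayed elsewhere.
    """
    alerts = []
    mfa_origin = {}  # session id -> (user, ip, time MFA completed)
    for ev in sorted(events, key=lambda e: e["ts"]):
        when = datetime.fromisoformat(ev["ts"])
        if ev["event"] == "mfa_success":
            mfa_origin[ev["session"]] = (ev["user"], ev["ip"], when)
            continue
        origin = mfa_origin.get(ev["session"])
        if origin is None:  # no MFA seen for this session in the data
            continue
        user, mfa_ip, mfa_time = origin
        if ev["ip"] != mfa_ip and when - mfa_time <= timedelta(minutes=window_minutes):
            alerts.append({
                "user": user,
                "session": ev["session"],
                "mfa_ip": mfa_ip,
                "replay_ip": ev["ip"],
                "minutes_after_mfa": (when - mfa_time).total_seconds() / 60,
            })
    return alerts
```

In a real tenant the same comparison is run against the identity provider's sign-in and session logs rather than a hand-built list; the window and the IP comparison should be tuned for mobile and VPN users to keep false positives down.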
“While these campaigns are generic and opportunistic in nature, they involve sophisticated social engineering techniques, evasion of detection, and extension of the threat actor’s reach to other accounts and tenants,” the Microsoft Threat Intelligence team said.
The development came as Sekoia detailed a new AitM phishing kit called Mamba 2FA that is being sold as phishing-as-a-service (PhaaS) to other threat actors to conduct email phishing campaigns that distribute HTML attachments mimicking Microsoft 365 login pages.
Offered on a $250 per month subscription basis, the kit supports Microsoft Entra ID, AD FS, third-party SSO providers, and consumer accounts. Mamba 2FA has been in active use since November 2023.
“It handles two-step verification for phishing-resistant MFA methods such as one-time codes and app notifications,” the French cybersecurity company said. “Stolen credentials and cookies are instantly sent to the attacker via a Telegram bot.”