We are seeing a new variation of phishing attack that’s leveraging a users trust of legitimate file sharing services (Dropbox and Egnyte specifically) to increase the effectiveness of their phishing campaigns. We have included similar techniques in a number of recent phishing engagements for clients and have seen a significant increase in the number of targets who open the email, click the links and ultimately submit data or download a payload (virus, malware, ransomware, etc.) when a legitimate file sharing site was used. Below is a quick run through of the attack with some pointers and hints to avoid becoming a victim.
The initial email is typically simple text with a link to an important file shared on Dropbox, Egnyte or something similar. Hovering over the link confirms that it’s going to the legitimate [Dropbox or Egnyte] site.
After clicking on the link, the victim is taken to the legitimate file sharing site that the attacker has setup using a temporary account. Since it’s the legitimate site, checking the URL, checking for the SSL / TLS icon (the lock) and verifying the details further support that it’s (an ugly but) legitimate email. There’s typically a very obvious link (in this case, “ACCESS YOUR SECURED DOCUMENT HERE”) that the attacker wants the victim to click on to continue the attack.
Once the target clicks the link, they are forwarded to a page prompting them to sign in. It’s at this point that things start to go sideways. The site still shows the SSL / TLS lock in the address bar, but is now something other than the original site (but the target is often not paying much attention by this point). In this campaign, the page gives the target the option to sign in with Office365 or “Other Mail”.
If the target opts to sign in with their Office365 account, they’re taken to a page that’s very similar to the legitimate Office365 site and prompted for their phone number or email (typically, the phone number won’t work) and, when it’s entered, they’re prompted for their password. Again, this site is protected with an SSL / TLS certificate (the little lock in the addressbar) but the URL is not Office365 or any Microsoft owned domains.
If the target opts to sign in with “Other Email”, they’re presented with a page that looks similar to many webmail clients (specifically, Outlook Web Access, or OWA), again boasting an SSL / TLS certificate.
This particular phishing email was an example of a credential harvesting attack but we’ve also seen similar attack campaigns being used to distribute malware and ransomware. Because the attacker is leveraging legitimate sites and services as the ‘stepping off point’ for the attack, they’re receiving a much higher success rate because a) the links in the emails aren’t filtered by anti-SPAM or anti-MALWARE and b) the users believe they can trust the sites and services being leveraged.
If you own or manage a business and you don’t have a security awareness program or aren’t sure of the effectiveness of your security awareness training program, we’d love an opportunity to talk about your concerns and see if we may be able to help.