Microsoft: ‘File hosting services misused for identity phishing’
Hackers and cybercriminals increasingly use file-sharing services to deploy malicious files and links and circumvent traditional security measures.
Security researchers at Microsoft are warning businesses that threat actors are misusing file hosting services like SharePoint, OneDrive, and Dropbox to get their hands on login credentials and compromise identities and devices. The goal is to exfiltrate sensitive corporate data, commit financial fraud, and gain privileged access within a corporate network.
“While these campaigns are generic and opportunistic in nature, they involve sophisticated techniques to perform social engineering, evade detection, and expand threat actor reach to other accounts and tenants,” Microsoft says in a security blog post.
Since mid-April 2024, Microsoft Threat Intelligence has observed threat actors using several tactics, techniques and procedures (TTPs) to evade the defense mechanisms implemented in file-sharing services.
Typically, an attack begins by compromising an account from a trusted vendor. Then the threat actor uploads a malicious file to the vendor’s file hosting service and shares it with the target organization.
At this stage it is important to understand that, in order to evade the security measures within the file-sharing service, the shared file has to carry restrictions. Either the file has restricted access, meaning the recipient has to be signed in or verify his identity by entering his email address along with a one-time password (OTP), or the file is set to ‘view-only’ mode, which makes it impossible to download the file and run a security scan on it.
“These techniques make detonation and analysis of the sample with the malicious link almost impossible since they are restricted,” Microsoft says.
Once a file is shared, the file-sharing service sends an automated email notification to the recipient. He has to enter his email address and OTP before he can view the document that was sent to him.
However, the ‘View my message’ button hides a malicious link that redirects the user to an adversary-in-the-middle (AiTM) phishing page, where he has to provide his password and complete multi-factor authentication (MFA). Because the AiTM page proxies the real sign-in, the attacker obtains a session token that grants him access to the target’s account. The threat actor can then leverage the compromised token to perform a second-stage Business Email Compromise (BEC) attack and continue the spear-phishing campaign.
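The attack chain above gives a defender three things to look for in a share notification or the document it points to: restricted-access (OTP) wording, view-only wording, and a call-to-action link whose real destination is not the file-hosting service at all. The following triage routine is an added example written for this article; it is not Microsoft’s detection logic and not code from the blog post. The trusted host list, the phrase patterns, the `ShareNotification` and `ShareLink` types, and the two sample notifications are all constructed assumptions for illustration.

```python
import re
from dataclasses import dataclass, field
from urllib.parse import urlparse

# Constructed allow-list of hosts a genuine hosting link should land on.
# A real deployment would derive this from the services the organization uses.
TRUSTED_HOSTING_SUFFIXES = ("sharepoint.com", "onedrive.live.com", "dropbox.com")

# Wording the article associates with restricted-access and view-only sharing.
# Legitimate shares use it too, so on its own it only means "cannot be auto-detonated".
RESTRICTION_PATTERNS = {
    "otp_reauth": re.compile(
        r"one[- ]time (pass)?code|one[- ]time password|\bOTP\b|verify your (email|identity)",
        re.I,
    ),
    "view_only": re.compile(r"view[- ]only", re.I),
}

# Button/link labels typical of the "View my message" lure.
CALL_TO_ACTION = re.compile(r"view (my )?(message|document|file)|open document", re.I)


@dataclass
class ShareLink:
    text: str   # visible button or link text
    href: str   # actual destination URL


@dataclass
class ShareNotification:
    sender_domain: str          # kept for context; a compromised vendor looks legitimate here
    body: str
    links: list[ShareLink] = field(default_factory=list)


def _is_trusted_host(host: str) -> bool:
    host = host.lower()
    return any(host == s or host.endswith("." + s) for s in TRUSTED_HOSTING_SUFFIXES)


def triage(note: ShareNotification) -> dict:
    """Return the indicators found and a verdict: high, review or low.

    high   - a call-to-action link leaves the hosting platform (AiTM redirect pattern)
    review - only restriction wording found; the share cannot be scanned automatically
    low    - nothing of note
    """
    indicators = []
    for name, pattern in RESTRICTION_PATTERNS.items():
        if pattern.search(note.body):
            indicators.append(name)

    off_platform = False
    for link in note.links:
        host = urlparse(link.href).hostname or ""
        if CALL_TO_ACTION.search(link.text) and not _is_trusted_host(host):
            indicators.append(f"offplatform_cta:{host}")
            off_platform = True

    if off_platform:
        verdict = "high"
    elif indicators:
        verdict = "review"
    else:
        verdict = "low"
    return {"verdict": verdict, "indicators": indicators}


# Constructed samples: one mirrors the lure described in the article, one is a plain share.
SUSPICIOUS = ShareNotification(
    sender_domain="vendor.example",
    body="A document was shared with you. Enter the one-time passcode sent to your email. "
         "This document is view-only.",
    links=[ShareLink("View my message", "https://login-verify.example.net/auth")],
)
BENIGN = ShareNotification(
    sender_domain="vendor.example",
    body="Alice shared 'Q3 report.xlsx' with you.",
    links=[ShareLink("View document", "https://contoso-my.sharepoint.com/:x:/g/abc")],
)

if __name__ == "__main__":
    for label, note in (("suspicious", SUSPICIOUS), ("benign", BENIGN)):
        print(label, triage(note))
```

The design choice worth noting is that sender reputation is deliberately not a signal: in the campaign described, the share comes from a genuinely compromised vendor account, so the only reliable discriminator is where the call-to-action actually points. Restriction wording alone only tells an analyst that the sample will need manual handling rather than automated detonation.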
To reduce the impact of such attacks, Microsoft recommends enabling Conditional Access Policies in Microsoft Entra or implementing passwordless sign-in with FIDO2 security keys. Another method is to turn on network protection in Microsoft Defender for Endpoint to block connections to malicious domains and IP addresses.