Microsoft is warning of a new phishing campaign that abuses various privacy settings in cloud-based file hosting services to bypass security solutions and steal credentials, deploy malware and more.
In a blog post, the company outlined how criminals abused SharePoint, OneDrive and Dropbox in their attacks.
First, the attackers compromise someone’s cloud hosting account: they buy an account on the black market or obtain the login credentials elsewhere. They then use these credentials to upload a document to one of these services. The document is usually a fake Microsoft 365 login page, which serves not only to steal people’s credentials but also to capture MFA codes and one-time passwords. Alternatively, the file may contain a link to a malicious site where victims hand over their login credentials, download malware to their devices, or something similar.
Abuse of privacy settings
Here’s where things get interesting: cloud-based file hosting services have security solutions that scan for malicious links and files. However, depending on the document’s privacy settings, security solutions may not be allowed to scan it.
“To evade analysis by email blast systems, the files shared in these phishing attacks are set to ‘read-only’ mode, which disables the ability to download and thus the detection of embedded URLs in the file will be disabled,” Microsoft explains.
Alternatively, the hackers could restrict access to the document only to designated recipients, with the same result.
To make matters worse, the threat actors do not distribute these files in the traditional phishing manner. Instead, when the cloud service grants access to the document only to specific accounts, it sends an email notification to those accounts itself. As a result, victims receive an email from a trusted source, which further increases the perceived legitimacy of the message.
The best way to protect yourself against such attacks is to use common sense and be extra careful when receiving email messages, regardless of who they come from.
Via The Hacker News