Cybercriminals are constantly devising new ways for their phishing pages and other online scams to avoid detection by cloud storage and email security products.
As part of its ongoing Blox Tales series, the cloud office security platform Armorblox has released a new blog post detailing a recent credential phishing attempt its researchers observed where attackers used the cloud storage service Box to host their phishing pages.
The credential phishing attempt began with an email which claimed to come from a third-party vendor and asked users to review a financial document. When a user clicked on the link in the email, it took them to a page hosted on Box which contained a document that claimed to be hosted on OneDrive with another link to access the document.
Clicking on the OneDrive link redirected users to the final credential phishing site, which the cybercriminals behind the campaign had designed to resemble the official Office 365 login portal. Footer text on that page created a sense of urgency by informing users that the email link would only be active for a limited time.
Bypassing security controls
The email in this campaign was able to bypass existing email security controls as it didn’t follow the tenets of traditional phishing attacks.
For starters, both the sender name and domain make it appear as if the email came from a legitimate third-party vendor’s account which allowed it to successfully pass any authentication checks. The domain for the email (tidewaterhomefunding[.]com) belongs to a legitimate lending company in Virginia and it’s possible that the attackers first obtained employee credentials from Tidewater Home Funding before launching their campaign.
As the first page in the attack flow was hosted on Box, the campaign leveraged the reputation of the cloud storage provider to get around any filters used to block known bad domains. The fake OneDrive page also included plenty of Microsoft branding in order to create a false sense of security for potential targets.
At the same time, the webpage hosted on Box and the final Office 365 phishing site both used domains that appeared to be legitimate in order to bypass any manual checks that employees may conduct when opening emails.
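The combination described above (a sender that passes authentication, a first hop on a reputable file-sharing host, a financial lure and urgency wording) can be triaged with a simple heuristic that refuses to let an SPF/DKIM pass short-circuit the remaining checks. The following Python is an added example, not code from Armorblox or the original post; the sample message, the vendor.example and target.example domains, the share id and the non-Box hosts in the list are all constructed assumptions.

```python
import email
import re
from email import policy
from urllib.parse import urlparse

# Box is the host named above; the other two are assumed hosts a similar lure could use.
FILE_SHARE_HOSTS = {"box.com", "dropbox.com", "onedrive.live.com"}
URGENCY_PHRASES = ("limited time", "only be active", "expire", "immediately")
FINANCIAL_LURE = re.compile(r"\b(financial document|invoice|payment|wire)\b", re.I)
LINK_RE = re.compile(r"https?://[^\s\"'<>]+")

def host_matches(url, hosts):
    """True if the URL host is one of `hosts` or a subdomain of one (e.g. app.box.com)."""
    host = (urlparse(url).hostname or "").lower()
    return any(host == h or host.endswith("." + h) for h in hosts)

def triage(raw_message):
    """Heuristic findings for one RFC 5322 message; 'escalate' means route to a human."""
    msg = email.message_from_string(raw_message, policy=policy.default)
    body = msg.get_body(preferencelist=("plain", "html")).get_content()
    auth = msg.get("Authentication-Results", "").lower()
    links = LINK_RE.findall(body)
    findings = {
        # SPF/DKIM passing proves the vendor's mail system sent it, not that the account
        # is uncompromised, so a pass must not short-circuit the remaining checks.
        "auth_passed": "spf=pass" in auth and "dkim=pass" in auth,
        "file_share_links": [u for u in links if host_matches(u, FILE_SHARE_HOSTS)],
        "urgency": any(p in body.lower() for p in URGENCY_PHRASES),
        "financial_lure": bool(FINANCIAL_LURE.search(body)),
    }
    # Authenticated sender + file-share hop + financial/urgency lure is the exact shape
    # that slipped past domain-reputation filtering, so flag it regardless of auth_passed.
    findings["escalate"] = bool(findings["file_share_links"]) and (
        findings["urgency"] or findings["financial_lure"]
    )
    return findings

# Constructed sample resembling the lure described above (placeholder domains/share id).
SAMPLE = """From: Accounts <ap@vendor.example>
To: finance@target.example
Subject: Financial document for your review
Authentication-Results: mx.target.example; spf=pass smtp.mailfrom=vendor.example; dkim=pass header.d=vendor.example
Content-Type: text/plain; charset=utf-8

Please review the financial document at the link below.
https://app.box.com/s/EXAMPLE-SHARE-ID
Note: this link will only be active for a limited time.
"""
```

Run `triage(SAMPLE)` to see the findings; the escalation flag is advisory so that a vendor's legitimate Box share is reviewed, not silently dropped.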
This is not the first time, nor will it be the last, that cybercriminals have devised new ways to get around email security controls, which is why employees and individuals alike must remain vigilant when opening emails from unknown senders and be on the lookout for any message that tries to create a sense of urgency.