Oct 09, 2024
Ravie Lakshmanan
Enterprise Security / Identity Theft

Microsoft has issued a warning about cyber attack campaigns that exploit popular file hosting services like SharePoint, OneDrive, and Dropbox in enterprise environments.
These campaigns aim to compromise identities and devices and to carry out business email compromise (BEC) attacks, leading to financial fraud, data theft, and lateral movement to other endpoints.
Utilizing legitimate internet services (LIS) as a risk vector allows threat actors to blend in with regular network traffic, bypassing traditional security measures and complicating attribution.
Phishing campaigns leveraging legitimate file hosting services have been on the rise, with threat actors focusing on files with restricted access and view-only permissions since mid-April 2024.
This approach, known as living-off-trusted-sites (LOTS), exploits the trust associated with these platforms to deliver malware and evade email security defenses.
These attacks typically start with the compromise of a user in a trusted environment, whose account is then used to upload malicious files to the hosting service and share them with the targets under strict access controls.
The shared files are set to “view-only” mode, which prevents downloads and makes it difficult for security tools to detect the URLs embedded within them.
Recipients are prompted to verify their identity with their email address and a one-time password, after which they are led to a phishing page that steals their credentials and 2FA tokens.
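The chain above has a recognisable defender-side signature: a sharing notification from an external account on one of the named hosting services, restricted to view-only and gated behind an e-mail one-time code, followed shortly by an anomalous sign-in for the same recipient (the credentials and session token stolen on the phishing page being put to use). The following Python sketch is an added example, not code from Microsoft or from the article, showing how such records could be correlated. The field names, the trusted-domain list, the time window and every sample record are constructed assumptions for illustration and do not reflect any real product schema.

```python
"""Correlate suspicious file-share notifications with later anomalous sign-ins.

Heuristic modelled on the phishing chain described in the article. All field
names, domains, addresses and timestamps below are constructed for this example.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import List, Tuple

# Assumption: sharing notifications from these domains are treated as internal.
TRUSTED_TENANT_DOMAINS = {"example.com"}
# Hosting services named in the campaigns the article describes.
FILE_HOSTING_SERVICES = {"sharepoint", "onedrive", "dropbox"}


@dataclass
class ShareNotification:
    received: datetime
    recipient: str
    sender_domain: str       # domain of the account that shared the file
    service: str             # hosting service that sent the notification
    view_only: bool          # download disabled on the shared file
    otp_verification: bool   # recipient must enter an e-mailed one-time code


@dataclass
class SignIn:
    when: datetime
    user: str
    ip: str
    new_location: bool   # identity provider flagged an unfamiliar location
    token_replay: bool   # session token presented from an IP it was not issued to


def risky_share(n: ShareNotification) -> bool:
    """True when a notification matches the lure pattern: external sender,
    known hosting service, view-only restriction and an OTP gate."""
    return (
        n.sender_domain not in TRUSTED_TENANT_DOMAINS
        and n.service.lower() in FILE_HOSTING_SERVICES
        and n.view_only
        and n.otp_verification
    )


def correlate(notifications: List[ShareNotification], signins: List[SignIn],
              window: timedelta = timedelta(hours=2)) -> List[Tuple[str, datetime, datetime]]:
    """Return (recipient, share time, sign-in time) for each risky share that is
    followed within `window` by an anomalous sign-in of the same account."""
    alerts = []
    for n in notifications:
        if not risky_share(n):
            continue
        for s in signins:
            if s.user != n.recipient:
                continue
            in_window = n.received <= s.when <= n.received + window
            if in_window and (s.new_location or s.token_replay):
                alerts.append((n.recipient, n.received, s.when))
    return alerts


# Constructed sample data: one external view-only/OTP share followed by an
# unfamiliar-location sign-in (alice), one internal share (bob), and one risky
# share with no anomalous follow-up (carol).
T0 = datetime(2024, 4, 20, 9, 0)
SAMPLE_NOTIFICATIONS = [
    ShareNotification(T0, "alice@example.com", "partner-tenant.example", "SharePoint", True, True),
    ShareNotification(T0, "bob@example.com", "example.com", "OneDrive", False, False),
    ShareNotification(T0, "carol@example.com", "vendor.example", "Dropbox", True, True),
]
SAMPLE_SIGNINS = [
    SignIn(T0 + timedelta(minutes=25), "alice@example.com", "203.0.113.7", True, False),
    SignIn(T0 + timedelta(minutes=30), "bob@example.com", "198.51.100.4", True, False),
    SignIn(T0 + timedelta(minutes=10), "carol@example.com", "192.0.2.9", False, False),
    SignIn(T0 + timedelta(hours=5), "alice@example.com", "203.0.113.8", True, False),  # outside window
]


def demo() -> List[Tuple[str, datetime, datetime]]:
    """Run the correlation over the constructed sample data."""
    return correlate(SAMPLE_NOTIFICATIONS, SAMPLE_SIGNINS)


if __name__ == "__main__":
    for recipient, shared_at, signed_in_at in demo():
        print(f"ALERT {recipient}: risky share at {shared_at}, anomalous sign-in at {signed_in_at}")
```

In the sample data only alice's account produces an alert: bob's share came from inside the tenant, carol's later sign-in carried no anomaly, and alice's second sign-in falls outside the two-hour window. Real deployments would feed the two record types from the mail gateway and the identity provider's sign-in log and tune the window and trusted-domain list to the organisation.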
By exploiting these services, threat actors use sophisticated social engineering techniques to expand their reach and perpetrate various scams, including BEC attacks and financial fraud.
A new phishing kit called Mamba 2FA has also been detailed; it is sold as a service for conducting email phishing campaigns that mimic Microsoft 365 login pages.
This kit supports various authentication methods and has been active since November 2023, enabling threat actors to steal credentials and cookies for malicious purposes.