Microsoft: Creative Abuse of Cloud Files Bolsters BEC Attacks

Published: 23/11/2024   Category: security




Since April, attackers have increased their use of Dropbox, OneDrive, and SharePoint to steal the credentials of business users and conduct further malicious activity.



Threat actors are upping the ante on business email compromise (BEC) campaigns by combining social engineering with the use of legitimate, cloud-based file-hosting services to create more convincing attacks; the campaigns bypass common security protections and ultimately compromise the identity of enterprise users.

Since April, Microsoft has seen a rise in a type of campaign that first emerged about two years ago, in which attackers weaponize legitimate file-sharing services like Dropbox, OneDrive, or SharePoint, which many enterprises use for workforce collaboration, Microsoft Threat Intelligence warned this week.
"The widespread use of such services … makes them attractive targets for threat actors, who exploit the trust and familiarity associated with these services to deliver malicious files and links, often avoiding detection by traditional security measures," according to the Microsoft Threat Intelligence blog post.

Attackers are combining their use of these services with social engineering in campaigns that target trusted parties in a business user's network, and they base lures on familiar conversation topics. Threat actors are thus successfully phishing credentials for business accounts, which they then use to conduct further malicious activity, such as financial fraud, data exfiltration, and lateral movement to endpoints.
Trusted cloud services are an increasingly weak link in enterprise security. Indeed, various researchers have discovered attackers — including advanced persistent threat (APT) groups — using legitimate file-sharing services to deliver remote access Trojans (RATs) and spyware, among other malicious activity.

According to Microsoft, a common attack scenario begins with the compromise of a user within an enterprise. The threat actor then uses that victim's credentials to host a file on that organization's file-hosting service and share it with the real target: people within an external organization that has trusted ties to the victim.
Attackers are specifically using Dropbox, OneDrive, or SharePoint files with either restricted access or view-only restrictions to evade common detection systems and provide a launching pad for credential-harvesting activity. The former "requires the recipient to be signed in to the file-sharing service … or to re-authenticate by entering their email address along with a one-time password (OTP) received through a notification service," establishing a trust relationship with the content. The latter can bypass analysis by email detonation systems by disabling the ability to download the file and, consequently, the detection of embedded URLs within it, according to Microsoft. "These techniques make detonation and analysis of the sample with the malicious link almost impossible since they are restricted."
To further ensure this bypass, attackers also use other techniques, including only allowing the intended recipient to view the file, or making the file accessible only for a limited time.
This misuse of legitimate file-hosting services is particularly effective because recipients are more likely to trust emails from known vendors, according to Microsoft. Indeed, users from trusted vendors are added to allow lists through policies set by the organization on collaboration products used with the service, such as Exchange Online, so emails that are linked to phishing attacks pass through undetected.
After the files are shared on the hosting service, the targeted business user receives an automated email notification with a link to access the file securely. This is a legitimate notification about activity on the file-sharing service, so the email bypasses any protections that might have blocked a suspicious message.
When the targeted user accesses the shared file, he or she is prompted to verify their identity by providing their email address, after which the service's notification address sends a one-time password that the user can input to view the document.

That document often masquerades as a preview with another link purporting to allow the user to view the message, according to Microsoft. However, it actually redirects the user to an adversary-in-the-middle (AiTM) phishing page that prompts the user to provide their password and complete the multifactor authentication (MFA) challenge.

The compromised token can then be leveraged by the threat actor to perform the second-stage BEC attack and continue the campaign, according to Microsoft.
Hosted files typically use lures tied to a topic familiar to the target, or to the context of an existing conversation between employees of the two organizations, which the threat actor can read thanks to the prior compromise of the anchor victim. For example, if two organizations have prior interactions related to an audit, the malicious shared files could be named "Audit Report 2024," according to Microsoft.

Attackers also leverage the oft-used psychological tactic of urgency to lure users into opening malicious files, using file names such as "Urgent: Attention Required" and "Compromised Password Reset" to get people to take the bait.
With these highly sophisticated BEC campaigns, which neither users nor traditional email security systems detect, on the rise, Microsoft recommends that enterprises use extended detection and response (XDR) systems to query for suspicious activity related to BEC campaigns that use legitimate file-sharing services.

Such queries could include identifying files with the same or similar file names that have been shared with various users. Since these are observed as campaigns, validating that the same file has been shared with multiple users in the organization can support the detection, according to Microsoft.
Defenders also can use identity-focused queries related to sign-ins from VPS or VPN providers, or successful sign-ins from a non-compliant device, to detect and investigate anomalous sign-in events that may be indicative of a compromised user identity being accessed by a threat actor, according to the post.
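The two hunting ideas above (clustering shared files by name across recipients, and flagging successful sign-ins from non-compliant devices or hosting/VPN providers) are sketched here as plain Python over constructed sample events. This is an added example, not Microsoft's query or code; the event field names (`file`, `recipient`, `device_compliant`, `asn_org`) and the hosting-provider keyword list are assumptions for the illustration and would be mapped onto whatever your file-sharing and identity logs actually expose.

```python
import re
from difflib import SequenceMatcher

# Constructed sample data, NOT real telemetry. Field names are assumptions for
# this example; map them onto the schema of your own file-sharing/identity logs.
SHARE_EVENTS = [
    {"sharer": "partner@vendor.example", "file": "Audit Report 2024.pdf",     "recipient": "alice@corp.example"},
    {"sharer": "partner@vendor.example", "file": "Audit Report 2024.pdf",     "recipient": "bob@corp.example"},
    {"sharer": "partner@vendor.example", "file": "Audit_Report_2024.pdf",     "recipient": "carol@corp.example"},
    {"sharer": "partner@vendor.example", "file": "Audit Report 2024 (1).pdf", "recipient": "dave@corp.example"},
    {"sharer": "hr@corp.example",        "file": "Benefits Guide.pdf",        "recipient": "alice@corp.example"},
]

SIGNIN_EVENTS = [
    {"user": "alice@corp.example", "result": "success", "device_compliant": True,  "asn_org": "Corp Business ISP"},
    {"user": "alice@corp.example", "result": "success", "device_compliant": False, "asn_org": "Example VPS Hosting"},
    {"user": "bob@corp.example",   "result": "failure", "device_compliant": False, "asn_org": "Example VPN Provider"},
    {"user": "erin@corp.example",  "result": "success", "device_compliant": True,  "asn_org": "Corp Business ISP"},
]

# Substrings marking an ASN organisation as a hosting or VPN provider (constructed list).
HOSTING_MARKERS = ("vps", "hosting", "vpn", "datacenter", "cloud")


def normalize_name(file_name):
    """Lower-case, drop the extension and collapse separators so that
    'Audit_Report_2024.pdf' and 'Audit Report 2024.pdf' compare equal."""
    base = file_name.rsplit(".", 1)[0].lower()
    return re.sub(r"[\s_\-]+", " ", base).strip()


def campaign_candidates(events, min_recipients=3, similarity=0.85):
    """Cluster shared files by (fuzzy) normalized name and return the clusters
    that reached at least `min_recipients` distinct users, keyed by the first
    name seen in each cluster. Many recipients of one file name is the
    campaign signal the article describes."""
    clusters = {}  # representative normalized name -> set of recipients
    for ev in events:
        name = normalize_name(ev["file"])
        key = next((rep for rep in clusters
                    if SequenceMatcher(None, rep, name).ratio() >= similarity), name)
        clusters.setdefault(key, set()).add(ev["recipient"])
    return {rep: sorted(users) for rep, users in clusters.items()
            if len(users) >= min_recipients}


def suspicious_signins(events):
    """Successful sign-ins from a non-compliant device or from a hosting/VPN
    provider, returned as (user, [reasons]). Failed attempts are ignored
    because the article's concern is a token that actually worked."""
    flagged = []
    for ev in events:
        if ev["result"] != "success":
            continue
        reasons = []
        if not ev["device_compliant"]:
            reasons.append("non-compliant device")
        if any(marker in ev["asn_org"].lower() for marker in HOSTING_MARKERS):
            reasons.append(f"hosting/VPN provider: {ev['asn_org']}")
        if reasons:
            flagged.append((ev["user"], reasons))
    return flagged


def correlate(share_events, signin_events):
    """Users who both received a campaign-style file and then produced a
    suspicious sign-in: the leads to investigate first."""
    targeted = {u for users in campaign_candidates(share_events).values() for u in users}
    risky = {user for user, _ in suspicious_signins(signin_events)}
    return sorted(targeted & risky)


if __name__ == "__main__":
    for rep, users in campaign_candidates(SHARE_EVENTS).items():
        print(f"file name cluster {rep!r} shared with {len(users)} users: {users}")
    for user, reasons in suspicious_signins(SIGNIN_EVENTS):
        print(f"suspicious sign-in for {user}: {', '.join(reasons)}")
    print("investigate first:", correlate(SHARE_EVENTS, SIGNIN_EVENTS))
```

The fuzzy match on normalized names is what catches the "Audit_Report_2024" and "Audit Report 2024 (1)" variants that an exact-match query would split into separate, below-threshold groups; the `min_recipients` and `similarity` knobs are where you trade false positives against missed campaigns in your own environment.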
