Phishing Attack Used Box to Land in Victim Inboxes

A phishing attack targeting government and security organizations used a legitimate Box page with Microsoft 365 branding to trick victims.

A newly discovered credential phishing campaign used a legitimate Box webpage and exploited widespread trust in Microsoft 365 to capture victims credentials in a convoluted attack chain.
The team at Armorblox discovered this threat back in June and say it affected city officials, as well as government and cybersecurity organizations. Attackers chose to host the phishing site on a legitimate Box page, which security experts say helped the emails land in victims inboxes.
How the attack unfolded: The messages claimed to come from a third-party vendor and asked readers to view a sensitive financial document. The attackers created a sense of urgency by stating this delivery will only be available for 10 days and added an air of legitimacy with information about another legitimate third-party website called SecureOnlineDocs[.]com.
Victims who clicked the link were redirected to a page hosted on Box, which contained another document that claimed to be hosted on OneDrive. If a victim clicked the link to access this document, they were sent to a final phishing page built to resemble the Office 365 login portal.
There, they ask you to log in with your corporate credentials and then they walk away with it, says Arjun Sambamoorthy, co-founder and head of engineering at Armorblox.
Attackers were careful to make the scam seem real. All of the emails had a sender name and domain from a legitimate third-party vendor. The domain, tidewaterhomefunding[.]com, belongs to a Virginia-based home mortgage lending company. Its possible attackers gained a Tidewater Home Funding employees credentials and used that persons account to launch the attacks.
By hosting the phishing page on Box, the attackers used the reputation of a popular domain to bypass email security filters. Most security tools wouldnt flag a Box page, Sambamoorthy points out.
The phishers are getting really smart these days, and theyre actually leveraging the trust people have established with hosting sites like Box, Dropbox, [Microsoft] 365, Google Drive, and hosting phishing attacks there, he says, noting the team has seen an increase in attacks hosted on Box and Dropbox to fly under security filters radar.
Despite this, careful users may notice unusual branding. The Box page hosts a document that claims to be shared via OneDrive, with plenty of Microsoft branding to try and lull victims into a sense of security: Phrases like Secured by OneDrive, OneDrive for Business, and Powered by Office 365 were placed throughout the page. However, Sambamoorthy says this is strange.
It doesnt make sense, he says. I dont think someone would actually host a link to OneDrive or Google Drive in Box, because theyre all competing services themselves. This is very unusual, for something like this to happen.
The team also noticed
the link that brought victims to the final Microsoft 365 login page — nantuckettravel[.]icu — was created on June 15, 2020. Because it was so new, the link could bypass security filters configured to block known back domains. These so-called zero-day links are becoming less common, Sambamoorthy notes, because theyre usually taken down quickly. Todays attackers typically compromise a web server when they want to create a phishing site.
Because they relied on the Box domain, however, the attack already had a higher likelihood of arriving in victims inboxes. This complicated attack chain improved the phishers chances of flying under the radar — at least, until the attack was reported to the security industry.
When they detected the campaign, Armorblox reported nantuckettravel[.]icu to the Anti-Phishing Working Group (APWG), which collects and analyzes lists of credential collection sites commonly used in phishing attacks. The site was also added to the safe browser list at Google, so those who access it via established browsers will know its a malicious page. Armorblox also alerted Tidewater Home Funding to the abuse of an employees legitimate email account.
For those who want to keep a closer eye out for attacks like these, Sambamoorthy advises watching for strange website redirection. A link you click in Box, for example, should not ask for Microsoft credentials or send someone to another services login page. It should go to the Box authentication page and ask for Box credentials or company credentials, he says.
The webpage itself can also raise red flags. If a Box webpage is covered in Microsoft 365 branding, the visitor has reason to be suspicious.

Last News
▸ ArcSight prepares for future at user conference post HP acquisition. ◂ Discovered: 07/01/2025 Category: security	▸ Samsung Epic 4G: First To Use Media Hub ◂ Discovered: 07/01/2025 Category: security	▸ Many third-party software fails security tests ◂ Discovered: 07/01/2025 Category: security

**Cyber Security Categories**
Google Dorks Database	Exploits Vulnerability	Exploit Shellcodes

CVE List

Tools/Apps

News/Aarticles

Phishing Database

Deepfake Detection

Trends/Statistics & Live Infos

Tags:
Phishing Attack Used Box to Land in Victim Inboxes