A new phishing campaign used Dropbox's legitimate infrastructure and successfully bypassed multi-factor authentication (MFA).
While email has long been the vector of choice for phishing attacks, hackers and their tactics, techniques, and procedures (TTPs) keep adapting and evolving.
So it is no surprise that abuse of other popular services has become a favourite approach in recent years, including the Dropbox cloud storage platform discussed here.
With over 700 million users, Dropbox has established itself as a leading cloud storage service, known for the simplicity of storing and sharing files. But every coin has its downside, and any loophole is quickly exploited by those who watch for them. Dropbox was already the subject of a phishing attack in 2022, which allowed hackers to steal multi-factor authentication codes; they went on to steal 130 of Dropbox's GitHub repositories.
Leveraging Dropbox’s legitimate infrastructure, hackers used fake emails addressed to their targets, inviting them to unknowingly download malware or reveal sensitive information such as login credentials.
Targeted attack on Dropbox infrastructure using fake emails and fraudulent links
It was the British cybersecurity company Darktrace that detected a malicious attempt to use Dropbox as part of a phishing attack in January 2024, when employees of one of its clients received a seemingly harmless email from a legitimate Dropbox address.
These 16 users had in fact received an email from "[email protected]", a legitimate email address used by the file storage service Dropbox.
The email contained a link that took the user to a PDF file hosted on Dropbox, which apparently bore the name of a partner of the organization.
This PDF file contained a suspicious link to a domain that had never been seen before in the client's environment, named "mmv-security[.]top".
Researchers at Darktrace noted that there is "very little that allows us to distinguish" malicious from benign automated emails sent by legitimate services such as Dropbox. This approach is therefore effective at evading email security tools and convincing targets to click on a malicious link.
This email was detected and isolated by Darktrace's email security tool. However, on January 29, a user received another email from the legitimate address [email protected], reminding him to open the previously shared PDF file. Although the message was moved to the user's junk folder, the employee opened the suspicious email and followed the link to the PDF file. A few days later, the internal device connected to the malicious mmv-security[.]top link.
This link led to a fake Microsoft 365 login page, designed to collect the credentials of legitimate SaaS account holders.
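The chain described above (a link from a legitimate file-sharing service to a domain the organisation had never contacted, ending on a login-like page) is exactly the kind of pattern a first-seen-domain check over proxy logs can surface. The following script is an added example, not Darktrace's product or any code from the original article: the log format, the 30-day baseline of known domains, and the sample log lines are all constructed here, and the two-label "registrable domain" helper is a deliberate simplification of a public-suffix lookup.

```python
"""Flag proxy-log requests to never-before-seen domains, with extra weight
when the request was reached from a file-sharing link or lands on a
login-like path. Added example; log format and baseline are constructed."""
import re
from urllib.parse import urlparse

# Constructed baseline: registrable domains contacted in the previous 30 days.
# A real deployment would derive this from proxy or DNS history.
BASELINE_DOMAINS = {
    "dropbox.com", "dropboxusercontent.com", "microsoft.com", "office.com",
    "microsoftonline.com", "sharepoint.com", "example-partner.com",
}

# Legitimate file-sharing hosts whose links are reused as a springboard.
FILE_SHARE_HOSTS = {"dropbox.com", "dropboxusercontent.com"}

# Path fragments typical of credential-harvesting pages.
LOGIN_HINTS = ("login", "signin", "auth", "office365")

# Constructed log format: "<timestamp> <user> <url> <referrer-or-dash>"
LOG_LINE = re.compile(r"^(\S+) (\S+) (\S+) (\S+)$")

# Constructed sample log: alice opens a Dropbox-hosted PDF, then follows its
# embedded link to an unknown domain; bob signs in to a known service.
SAMPLE_LOG = [
    "2024-01-25T09:12:01Z alice https://www.dropbox.com/s/abc123/contract.pdf -",
    "2024-01-25T09:12:30Z alice https://mmv-security.top/office365/login "
    "https://www.dropbox.com/s/abc123/contract.pdf",
    "2024-01-25T09:13:00Z bob https://login.microsoftonline.com/common/oauth2 -",
]


def registrable_domain(host: str) -> str:
    """Crude eTLD+1 (last two labels). Sufficient for the constructed data;
    production code should consult a public-suffix list."""
    parts = host.lower().split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else host.lower()


def flag_new_domains(lines, baseline=BASELINE_DOMAINS):
    """Return (timestamp, user, domain, reasons) for requests to domains
    outside the baseline; reasons explain why the hit deserves attention."""
    hits = []
    for line in lines:
        m = LOG_LINE.match(line.strip())
        if not m:
            continue  # skip malformed lines rather than fail the whole run
        ts, user, url, referrer = m.groups()
        parsed = urlparse(url)
        domain = registrable_domain(parsed.hostname or "")
        if domain in baseline:
            continue
        reasons = ["first contact with domain"]
        ref_host = urlparse(referrer).hostname or "" if referrer != "-" else ""
        if ref_host and registrable_domain(ref_host) in FILE_SHARE_HOSTS:
            reasons.append("reached via file-sharing link")
        if any(h in parsed.path.lower() for h in LOGIN_HINTS):
            reasons.append("login-like path on unknown domain")
        hits.append((ts, user, domain, "; ".join(reasons)))
    return hits


if __name__ == "__main__":
    for hit in flag_new_domains(SAMPLE_LOG):
        print(hit)
```

A single first-seen domain is noisy on its own; the value comes from the combination, which is why the script attaches the referrer and login-path reasons so an analyst can prioritise the hit that looks like the Dropbox-to-login-page hop.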
The researchers added that impersonating trusted organizations like Microsoft is an effective way to appear legitimate in the eyes of targets.
Hanah Darley, head of threat research at Darktrace, adds that bypassing multi-factor authentication (MFA) is also "a tactic frequently used by attackers, particularly because it provides access to shared resources such as SharePoint files, which can be exploited". This incident shows that organizations can no longer rely on MFA as the last line of defense against cyber attackers.
Hackers are increasingly effective and persistent in ever more sophisticated and targeted phishing attacks
After bypassing MFA, another method is to use the compromised email account to send further malicious emails. It was a suspicious connection via VPN that alerted Darktrace researchers.
The threat actor then created an email rule on the compromised Outlook account to send all emails from the accounting team to the "Conversation History" folder.
This method aimed to evade vigilance by hiding fraudulent emails and possible responses.
The actor also sent incentivizing emails with subject lines like “Incorrect Contract” or “Requires Urgent Review.”
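The inbox-rule trick in the paragraphs above is a well-known post-compromise move, and it is cheap to audit for. The script below is an added example, not code from Darktrace or the article: it takes an export of mailbox rules in JSON (the field names mirror Exchange Online's Get-InboxRule properties, which is an assumption about the export shape, and the rule records and the tenant domain are constructed) and reports rules that divert, delete, mark-as-read or forward mail, with extra context when the rule targets finance-related senders or subjects.

```python
"""Audit exported inbox rules for the hiding pattern described above.
Added example; rule records, folder list and tenant domain are constructed.
Field names follow Exchange Online's Get-InboxRule output (an assumption)."""
import json
import re

# Folders attackers favour because users rarely look there.
SUSPICIOUS_FOLDERS = {"conversation history", "rss feeds", "rss subscriptions",
                      "junk email", "deleted items", "archive", "notes"}
# Words that suggest the rule singles out finance or contract traffic.
FINANCE_WORDS = {"invoice", "payment", "accounting", "accounts", "wire", "contract"}
INTERNAL_DOMAINS = {"contoso.example"}  # constructed tenant domain

# Constructed export of three rules: a benign newsletter filter, a hiding rule
# like the one in the incident, and an external auto-forward.
RULES_JSON = """[
  {"Name": "Newsletters", "Enabled": true,
   "FromAddressContainsWords": ["news@vendor.example"], "SubjectContainsWords": [],
   "MoveToFolder": "alice@contoso.example:\\\\Newsletters",
   "DeleteMessage": false, "MarkAsRead": false, "ForwardTo": []},
  {"Name": ".", "Enabled": true,
   "FromAddressContainsWords": ["accounting@contoso.example"],
   "SubjectContainsWords": ["invoice", "contract"],
   "MoveToFolder": "alice@contoso.example:\\\\Conversation History",
   "DeleteMessage": false, "MarkAsRead": true, "ForwardTo": []},
  {"Name": "Backup copy", "Enabled": true,
   "FromAddressContainsWords": [], "SubjectContainsWords": [],
   "MoveToFolder": null, "DeleteMessage": false, "MarkAsRead": false,
   "ForwardTo": ["Collector [SMTP:collector@mail-drop.example]"]}
]"""


def _domain_of(address: str) -> str:
    """Domain part of 'user@x.example' or 'Name [SMTP:user@x.example]'."""
    m = re.search(r"[\w.+-]+@([\w.-]+)", address)
    return m.group(1).lower() if m else ""


def rule_findings(rule: dict) -> list:
    """Findings for one rule; empty unless it hides, deletes or exfiltrates."""
    if not rule.get("Enabled", True):
        return []
    hiding, context = [], []
    name = (rule.get("Name") or "").strip()
    if len(name) <= 2:
        context.append("near-empty rule name")
    folder = (rule.get("MoveToFolder") or "").split("\\")[-1].strip().lower()
    if folder in SUSPICIOUS_FOLDERS:
        hiding.append(f"moves mail to rarely viewed folder '{folder}'")
    if rule.get("DeleteMessage"):
        hiding.append("deletes matching mail")
    if rule.get("MarkAsRead") and (folder or rule.get("DeleteMessage")):
        hiding.append("marks diverted mail as read")
    for addr in rule.get("ForwardTo") or []:
        dom = _domain_of(addr)
        if dom and dom not in INTERNAL_DOMAINS:
            hiding.append(f"forwards to external domain '{dom}'")
    terms = [t.lower() for t in (rule.get("SubjectContainsWords") or [])
             + (rule.get("FromAddressContainsWords") or [])]
    if any(w in t for t in terms for w in FINANCE_WORDS):
        context.append("targets finance-related mail")
    # Context alone (a short name, finance keywords) is not a finding by itself.
    return hiding + context if hiding else []


def audit_rules(rules_json: str) -> dict:
    """Map rule name -> findings for every rule that produced any."""
    report = {}
    for rule in json.loads(rules_json):
        findings = rule_findings(rule)
        if findings:
            report[rule.get("Name", "")] = findings
    return report


if __name__ == "__main__":
    for name, findings in audit_rules(RULES_JSON).items():
        print(f"{name!r}: {findings}")
```

Run this against a periodic export of every mailbox's rules and diff the output against the previous run; a rule that appears shortly after an unusual VPN sign-in, as in this incident, is the combination worth paging on.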
"These are likely threat actors using the compromised account to send further malicious emails to the organization's accounts team to infect other accounts in the customer's SaaS environment", explain the researchers, adding that it is "relatively simple" for hackers to use legitimate services like Dropbox to host malicious files.
According to Hanah Darley, this case shows how sophisticated cybercriminals are becoming in staging attacks. The emails themselves came from a legitimate Dropbox no-reply address, the kind Dropbox typically uses to send notices or links to customers.
She also highlighted the importance of generative AI for designing more sophisticated phishing emails.
Darktrace’s 2023 end-of-year report found that more than a quarter of phishing cases in the second half of 2023 had more than 1,000 characters, thanks to generative AI.
"These are not single payload emails with a few words and a questionable link, but rather very elaborate and detailed emails. There are also cases of enhanced social engineering in which attackers slip into existing conversations, impersonate known colleagues or contacts and attempt to imitate the tone of the correspondence", she added, noting that the help of AI gives hackers more time to refine their attacks and carry them out on a larger scale.
Source: Infosecurity Magazine, Darktrace