A novel phishing campaign leveraged legitimate Dropbox infrastructure and successfully bypassed multifactor authentication (MFA) protocols, new analysis from Darktrace has revealed.
The attack highlights the growing exploitation of legitimate popular services to trick targets into downloading malware and revealing login credentials.
The findings also show how attackers are becoming adept at evading standard security protocols, including email detection tools and MFA.
Speaking to Infosecurity, Hanah Darley, Head of Threat Research at Darktrace, noted that while it is common for attackers to exploit the trust users have in particular services by mimicking the normal emails they receive, in this case the threat actor(s) went a step further and leveraged the legitimate Dropbox cloud storage platform to conduct their phishing attacks.
The Attackers Leveraged Dropbox Infrastructure
The attackers targeted a Darktrace customer on January 25, 2024, with 16 internal users on the organization’s SaaS environment receiving an email from ‘no-reply@dropbox[.]com.’ This is a legitimate email address used by the Dropbox file storage service.
The email contained a link that would lead the user to a PDF file hosted on Dropbox, which was seemingly named after a partner of the organization.
This PDF file contained a suspicious link to a domain that had never previously been seen on the customer’s environment, named ‘mmv-security[.]top.’
The researchers noted that there is “very little to distinguish” malicious or benign emails from the automated emails used by legitimate services such as Dropbox. Therefore, this approach is effective in evading email security tools and convincing targets to click a malicious link.
This email was detected and held by Darktrace’s email security tool. However, on January 29 a user received another email from the legitimate no-reply@dropbox[.]com address, reminding them to open the previously shared PDF file.
Although the message was moved to the user’s junk folder, the employee went on to open the suspicious email and follow the link to the PDF file. The internal device connected to the malicious link mmv-security[.]top a few days later.
This link led to a fake Microsoft 365 login page, designed to harvest the credentials of legitimate SaaS account holders.
The researchers added that the approach of impersonating trusted organizations like Microsoft is an effective way of appearing legitimate to targets.
Attackers Successfully Bypassed MFA
On January 31, Darktrace observed several suspicious SaaS logins from multiple unusual locations that had never previously accessed the account.
Subsequent unusual logins on February 1 were associated with ExpressVPN, indicating that the threat actors used a virtual private network (VPN) to mask their real location.
These logins appeared to use a valid MFA token, suggesting the attackers had successfully bypassed the organization’s MFA policy.
The researchers believe the employee may have unknowingly approved an MFA authentication request to authenticate on their own device once the attackers had compromised the credentials.
“By using valid tokens and meeting the necessary MFA requirements, threat actors are often able to remain undetected by traditional security tools that view MFA as the silver bullet,” the researchers wrote.
Despite the attackers bypassing MFA with legitimate credentials, the organization’s security team were still alerted to the suspicious activity after identifying unexpected activity on the SaaS accounts.
Darley told Infosecurity that the incident demonstrates that organizations can no longer rely on MFA as the last line of defense against cyber-attackers.
“MFA bypass, as in this case, is now a frequent tactic used by attackers – particularly given its success in granting access to shared resources such as SharePoint files which can be exploited,” she outlined.
Threat Actor Shows Persistence
Shortly after the MFA bypass, Darktrace observed another unusual login to the SaaS account, using the HideMyAss VPN service.
On this occasion, the threat actor created a new email rule on the compromised Outlook account, which was intended to immediately move any emails from the organization’s accounts team to the ‘Conversation History’ mailbox folder.
The researchers said this approach is designed to avoid detection – by moving their malicious emails and any responses to them to less commonly visited mailbox folders.
Additionally, the actor sent follow-up emails with subject lines such as “Incorrect contract” and “Requires Urgent Review.”
“This likely represented threat actors using the compromised account to send further malicious emails to the organization’s accounts team in order to infect more accounts across the customer’s SaaS environment,” noted the researchers.
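The two post-compromise signals described in the last two sections (logins from new locations or VPN exits that nonetheless satisfy MFA, followed by an inbox rule that routes mail to a rarely visited folder) are the kind of thing a SaaS detection rule can correlate. The following is an added example, not Darktrace's code or any vendor's detection logic; the audit events, users, IP addresses, ASN labels, folder list and correlation window are all constructed for illustration, and the record shape only loosely resembles a generic cloud audit log rather than any real schema.

```python
"""Detection logic for the two post-compromise signals described above, run over
constructed SaaS audit events. All events, users, IPs and ASN labels below are
made up for the example; the record shape loosely resembles a generic cloud audit
log and is not any vendor's schema."""
from __future__ import annotations
from datetime import datetime, timedelta

# Mailbox folders users rarely open; a rule routing mail there hides correspondence.
HIDDEN_FOLDERS = {"conversation history", "rss subscriptions", "archive", "junk email"}
# Labels the (constructed) IP-enrichment step assigns to anonymising VPN exits.
VPN_LABELS = {"expressvpn", "hidemyass"}
# Window in which a suspicious login plus a new inbox rule is escalated together.
CORRELATION_WINDOW = timedelta(days=3)

# Constructed events (not real log data). Timestamps follow the article's timeline.
EVENTS = [
    {"ts": "2024-01-31T09:12:00", "user": "alice@example.test", "op": "UserLoggedIn",
     "ip": "203.0.113.7", "country": "NG", "asn_label": "isp-generic", "mfa_satisfied": True},
    {"ts": "2024-02-01T03:45:00", "user": "alice@example.test", "op": "UserLoggedIn",
     "ip": "198.51.100.22", "country": "US", "asn_label": "expressvpn", "mfa_satisfied": True},
    {"ts": "2024-02-01T10:05:00", "user": "alice@example.test", "op": "New-InboxRule",
     "params": {"From": "accounts@example.test", "MoveToFolder": "Conversation History"}},
    {"ts": "2024-02-01T11:00:00", "user": "bob@example.test", "op": "UserLoggedIn",
     "ip": "192.0.2.10", "country": "GB", "asn_label": "isp-generic", "mfa_satisfied": True},
    {"ts": "2024-02-01T11:30:00", "user": "bob@example.test", "op": "New-InboxRule",
     "params": {"From": "newsletter@example.test", "MoveToFolder": "Newsletters"}},
]

# Countries each user logged in from during a (constructed) 30-day baseline.
BASELINE_COUNTRIES = {"alice@example.test": {"GB"}, "bob@example.test": {"GB"}}


def _parse_ts(value: str) -> datetime:
    return datetime.fromisoformat(value)


def flag_logins(events, baseline):
    """Return logins that are unusual for the user, even when MFA was satisfied.
    A valid MFA token is deliberately not treated as exonerating: a push request
    approved by the real user still produces a 'clean' login record."""
    findings = []
    for e in events:
        if e["op"] != "UserLoggedIn":
            continue
        reasons = []
        if e["country"] not in baseline.get(e["user"], set()):
            reasons.append(f"new country {e['country']}")
        if e["asn_label"].lower() in VPN_LABELS:
            reasons.append(f"anonymising VPN ({e['asn_label']})")
        if reasons:
            findings.append({"ts": e["ts"], "user": e["user"], "kind": "login",
                             "mfa_satisfied": e["mfa_satisfied"], "reasons": reasons})
    return findings


def flag_inbox_rules(events):
    """Return new inbox rules that route mail to rarely visited folders."""
    findings = []
    for e in events:
        if e["op"] != "New-InboxRule":
            continue
        target = e["params"].get("MoveToFolder", "")
        if target.lower() in HIDDEN_FOLDERS:
            findings.append({"ts": e["ts"], "user": e["user"], "kind": "inbox_rule",
                             "reasons": [f"mail from {e['params'].get('From', '?')} "
                                         f"moved to hidden folder '{target}'"]})
    return findings


def triage(events, baseline):
    """Combine both detectors; a user with a suspicious login followed by a
    hiding rule inside CORRELATION_WINDOW is escalated to 'high'."""
    results = [dict(f, severity="medium")
               for f in flag_logins(events, baseline) + flag_inbox_rules(events)]
    for rule in [f for f in results if f["kind"] == "inbox_rule"]:
        for login in [f for f in results
                      if f["kind"] == "login" and f["user"] == rule["user"]]:
            delta = _parse_ts(rule["ts"]) - _parse_ts(login["ts"])
            if timedelta(0) <= delta <= CORRELATION_WINDOW:
                rule["severity"] = login["severity"] = "high"
    return sorted(results, key=lambda f: f["ts"])


if __name__ == "__main__":
    for f in triage(EVENTS, BASELINE_COUNTRIES):
        print(f["ts"], f["user"], f["severity"], f["kind"], "; ".join(f["reasons"]))
```

Run as-is, the script reports three findings for the constructed compromised user, all escalated to high because the hiding rule was created within the window after the anomalous logins, and nothing for the second user whose login and rule are ordinary. The design point is that the MFA result is recorded but never used to suppress the alert, which is the behaviour the researchers warn is missing from tools that treat MFA as a silver bullet.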
Phishing Attacks Are Targeted and Sophisticated
The researchers noted that it is “relatively simple” for attackers to abuse legitimate third-party solutions like Dropbox for phishing attacks, rather than relying on their own infrastructure.
Darley commented: “The case study highlights just how sophisticated cybercriminals are becoming in performing staged attacks. The emails themselves came from a legitimate ‘no-reply’ address from Dropbox that would typically send notices or links to clients.”
“The link contained within the email was also to a legitimate Dropbox storage endpoint, where a malicious file was being hosted. It was disguised as a partner document, making the emails appear legitimate,” she added.
Generative AI Assists Attackers
Darley noted that generative AI technologies are having a significant impact in enabling attackers to craft more sophisticated phishing messages.
Darktrace’s 2023 End of Year Threat Report found that over 25% of phishing cases observed in the second half of 2023 contained more than 1000 characters, which is largely due to the capabilities provided by generative AI.
“These aren’t ‘payload alone’ emails with a few words and a dodgy link, but instead are highly crafted and wordy. There are also cases of enhanced social engineering whereby attackers will drop into existing conversation threads, impersonating colleagues or known contacts, attempting to mimic the tone of correspondence,” explained Darley.
“These instances of higher sophistication are being enabled by generative AI, which is giving bad actors more time to spend strategizing on wider scale attacks,” she added.
Image credit: Nopparat Khokthong / Shutterstock.com