Throughout 2021 there was a growing increase in cyber threats hosted on legitimate services like Microsoft Teams, OneDrive, SharePoint, and OneNote to deliver phishing campaigns. These domains’ trusted reputation enables cybercriminals to easily evade current detection technologies using domain reputation and blocklists like SEG, proxy, SASE, and endpoint security tools. Attackers use shared services to get around domain reputation technologies with increased frequency. Using mainstream, legitimate commercial infrastructure sites to avoid detection has been a successful tactic, and the growth in these threats continues in 2022.
It’s important to understand how these cybercriminals gain access to legitimate hosted domains. One popular tactic is account takeover. Once a cybercriminal has access to Microsoft 365 credentials from one company, they can initiate attacks against other companies, and those targets will have a sense of trust.
In the real-world example below, a fake login page is used to steal the initial credentials delivered through a spear-phishing campaign. The email address is blacked out, but what is most interesting about this fake login page is the URL. The URL is unique to the user. While the email is already pre-populated with the user’s name, it’s not visible in the URL, which could be easily identified by domain reputation tools and blocked. But in these new attacks, every single URL is unique, and most SEGS, domain reputation, URL filtering tools, and blocklists struggle to detect these highly sophisticated credentials stealing attacks.
Once the bad actor has access to Office 365 credentials, they will send emails to their targets using the trusted email and Microsoft One Drive or OneNote to deliver a P.O. or invoices from a trusted site. They might also choose to continue to steal more credentials for ransomware, data exfiltration, or malware injection at a later date.
As more threat actors leverage legitimate infrastructure and manipulate trusted brands, it’s becoming harder and harder to stop these phishing attacks and cybersecurity threats. Whether it’s from credential-stealing or legitimately purchased cloud services. Cybercriminals can employ phishing emails containing links to legitimate cloud providers – including AWS, Azure, Alibaba, and Google – hosting phishing sites. Regardless of how access to trust domains occurs, the consistent element in these attacks is the initial URL is legitimate to avoid detection. Once clicked, the URL is redirected to a phishing page hosted elsewhere.
Training users to detect these types of phishing attacks can be difficult. While it’s possible to identify illegitimate websites and other ploys, it’s harder to identify legitimate websites that are being manipulated. The best defense against these attacks is threat detection technology that can follow URL re-directs and examine each subsequent page’s contents rather than focusing singularly on the URL analysis or domain reputation analysis of only the initial page. SlashNext SEERTM technology AI SEER™ technology detects zero-hour phishing threats by performing dynamic run-time analysis on billions of URLs a day through virtual browsers and machine learning. SlashNext’s phishing defense services for email, browser, mobile, and APIs integrate with leading mobile endpoint management and I.R. services.
Watch the on-demand webcast of The H Files: Devious Microsoft365 Phishing Campaigns Using Legitimate Services – How hackers gain access to your business to see recent phishing campaigns exclusively on legitimate Microsoft services.
See how SlashNext can protect your organization from zero-hour phishing and cyber threats using trusted domains by starting today’s risk-free trial.