Introduction

Microsoft has identified a significant surge in cyber attack campaigns targeting popular file hosting services such as SharePoint, OneDrive [1] [2] [3] [4] [5] [6] [7] [8], and Dropbox [1] [2] [3] [4] [5] [6] [7]. These platforms [1] [4] [6], commonly used in corporate settings, are being exploited by cybercriminals to execute Business Email Compromise (BEC) attacks. The primary aim of these attacks is to compromise identities and devices [4], leading to severe consequences like financial fraud and data exfiltration.

Description

Microsoft has reported a significant increase in cyber attack campaigns targeting widely used file hosting services such as SharePoint [1] [4], OneDrive [1] [2] [3] [4] [5] [6] [7] [8], and Dropbox [1] [2] [3] [4] [5] [6] [7]. These platforms [1] [4] [6], frequently utilized in corporate environments [4], are being exploited by threat actors employing evasion tactics to facilitate Business Email Compromise (BEC) attacks. The primary objective of these attacks is to compromise identities and devices [4], leading to serious issues such as financial fraud and data exfiltration. Attackers are leveraging a technique known as living-off-trusted-sites (LOTS) [7], which allows them to blend malicious activity into regular network traffic and bypass traditional security defenses [7].

Since mid-April 2024 [7], attackers have been using these services to steal organizational credentials and conduct further malicious activities [1]. The appeal of these platforms lies in their familiarity and trustworthiness, which helps attackers evade detection. The typical attack scenario begins with the compromise of a user within an organization. Attackers then initiate BEC attacks through phishing emails containing links to files hosted on these trusted services; the files are frequently shared in “view-only” mode, which complicates detection by obscuring the malicious URLs embedded in them. When a targeted user opens the shared file, they are led to a phishing page designed to capture their login information. Victims are prompted to enter their credentials and multifactor authentication (MFA) tokens [3], which the attackers then hijack for unauthorized access [3]. Psychological tactics [1], such as creating a sense of urgency, are frequently employed to entice users into opening the files, which are often given deceptive names suggesting that immediate action is required [1]. These documents may also contain links to malicious sites [2], where victims can inadvertently share their login information or download malware [2].

Attackers often compromise cloud hosting accounts by purchasing them on the black market or obtaining login credentials through various means [2]. By employing sophisticated social engineering tactics [7], they create convincing phishing schemes that frequently evade detection, ultimately compromising enterprise user identities [1]. The use of familiar conversation topics in phishing lures increases the likelihood of success [1], as users are more inclined to trust emails from known vendors [1]. Compromised accounts can be used to move laterally within organizations [6], expanding the attack’s reach and targeting trusted vendors or partners first [6].

Microsoft’s Threat Intelligence team emphasizes that while these campaigns are generic and opportunistic [7], they utilize advanced social engineering techniques and complex methods to evade detection. The observed tactics show a rise in defense evasion techniques [5], with attackers configuring file sharing to limit access and embedding time-sensitive view links to complicate file analysis [5]. Additionally, the cybersecurity firm Sekoia has highlighted the rise of the Mamba 2FA phishing kit [6], a phishing-as-a-service tool actively used since November 2023 [6]. This kit allows attackers to bypass non-phishing-resistant multi-factor authentication by impersonating Microsoft 365 login pages [6], automating phishing campaigns using HTML attachments that appear as legitimate requests [6], and sending stolen credentials directly to attackers via Telegram [6].

To combat these evolving threats [3], Microsoft is actively addressing malicious users violating the Microsoft Services Agreement, particularly in relation to SharePoint and OneDrive [3]. The company collaborates with third-party services like Dropbox to share threat intelligence and protect customers [3]. Organizations are advised to implement robust security measures [3], including extended detection and response (XDR) systems to monitor for suspicious activities related to file-sharing services [1], conditional access policies for improved identity security [5], and passwordless sign-in options [5]. Employing network protection measures to block access to known malicious domains and IP addresses is also crucial [5]. Leveraging Microsoft Edge in conjunction with Microsoft Defender SmartScreen can help automatically identify and block malicious websites associated with these phishing campaigns [8]. By understanding these tactics and implementing recommended mitigations [8], organizations can enhance their protection against sophisticated cyber attack campaigns and safeguard their digital assets [8].
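As an added illustration of the monitoring recommended above (example code written for this summary, not from Microsoft or any of the cited reports), the script below triages email-gateway log lines for the lure pattern described in this campaign: a link to a trusted file-hosting service paired with an urgency cue in the subject or file name. The `sender|subject|url` log format, the `corp-example.com` internal domain and the log lines themselves are constructed assumptions.

```python
import re
from urllib.parse import urlparse

# Hosting services named in the reports; matched by host suffix, so
# tenant-specific hosts such as contoso.sharepoint.com are covered.
FILE_HOSTING_DOMAINS = ("sharepoint.com", "onedrive.live.com", "dropbox.com")
# Urgency cues typical of BEC lures in subjects and deceptive file names.
URGENCY_TERMS = ("urgent", "immediate", "action required", "overdue", "final notice")
INTERNAL_DOMAIN = "corp-example.com"  # constructed: the defending organization's own domain

# Constructed sample log lines (hypothetical "sender|subject|url" format).
SAMPLE_LOG = """\
vendor@partner-example.com|Invoice Q3|https://partner-example.sharepoint.com/sites/finance/Report_Q3.pdf
billing@partner-example.com|URGENT: Action required today|https://partner-example.sharepoint.com/sites/billing/Payment_Due_Immediately.docx
hr@corp-example.com|Team lunch|https://intranet.corp-example.com/lunch
news@shop-example.com|Weekly deals|https://www.dropbox.com/s/abc123/Deals.pdf
ceo@corp-example.com|IMMEDIATE: wire confirmation|https://www.dropbox.com/s/def456/Wire_Confirm.pdf
"""

def is_file_hosting(url):
    """True if the link's host is one of the file-hosting services (or a subdomain)."""
    host = (urlparse(url).hostname or "").lower()
    return any(host == d or host.endswith("." + d) for d in FILE_HOSTING_DOMAINS)

def has_urgency(text):
    """Normalise underscores/dashes in file names so 'Payment_Due_Immediately' matches."""
    normalised = re.sub(r"[_\-]+", " ", text).lower()
    return any(term in normalised for term in URGENCY_TERMS)

def classify(line):
    """Collect weak signals for one log line; flag only the combined lure pattern."""
    sender, subject, url = line.split("|", 2)
    signals = []
    if is_file_hosting(url):
        signals.append("file_hosting_link")
    filename = urlparse(url).path.rsplit("/", 1)[-1]
    if has_urgency(subject) or has_urgency(filename):
        signals.append("urgency_lure")
    if not sender.lower().endswith("@" + INTERNAL_DOMAIN):
        signals.append("external_sender")  # context only: known vendors are trusted, per the reports
    flagged = "file_hosting_link" in signals and "urgency_lure" in signals
    return {"sender": sender, "url": url, "signals": signals, "flagged": flagged}

def triage(log_text):
    """Classify every non-empty log line, preserving order for the analyst."""
    return [classify(line) for line in log_text.splitlines() if line.strip()]

if __name__ == "__main__":
    for result in triage(SAMPLE_LOG):
        if result["flagged"]:
            print("REVIEW:", result["sender"], result["url"], result["signals"])
```

Note that the internal `ceo@` line is flagged even though the sender is not external, which mirrors the reports' observation that these campaigns are launched from already-compromised accounts.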

Conclusion

The rise in cyber attacks targeting file hosting services underscores the need for heightened vigilance and robust security measures. Organizations must prioritize the implementation of advanced detection systems, conditional access policies [3] [5], and network protection strategies to mitigate these threats. As cybercriminals continue to evolve their tactics, collaboration between companies like Microsoft and third-party services remains crucial in sharing threat intelligence and safeguarding digital assets. By staying informed and proactive, organizations can better protect themselves against the ever-evolving landscape of cyber threats.

References

[1] https://www.darkreading.com/cyberattacks-data-breaches/microsoft-creative-abuse-cloud-files-bec-attacks
[2] https://www.techradar.com/pro/security/microsoft-warns-top-file-hosting-services-hijacked-for-email-scams
[3] https://news.cloudsek.com/2024/10/phishing-attacks-increasingly-use-sharepoint-and-onedrive-to-bypass-security-microsoft-reports/
[4] https://krofeksecurity.com/hackers-exploiting-file-hosts-in-email-scams/
[5] https://www.threatintelreport.com/2024/10/09/techniquestacticsprocedures/file-hosting-services-misused-for-identity-phishing-microsofts-analysis/
[6] https://cybermaterial.com/microsoft-warns-of-attacks-via-file-hosting/
[7] https://thehackernews.com/2024/10/microsoft-detects-growing-use-of-file.html
[8] https://www.forbes.com/sites/zakdoffman/2024/10/09/new-microsoft-windows-10-windows-11-warning-for-2-billion-google-chrome-users/