Mattias Deny, VP Managed Security Services EMEA at Trustwave, outlines how attackers are using multi-stage phishing attacks targeting online cloud services.
Just as email has been the quintessential business solution for decades, it has long been the attack vector of choice for cyber criminals. The versatile tool is used by threat actors for everything from delivering malware to enacting devious social engineering campaigns such as Business Email Compromise.
Credential phishing is one of the most dangerous and effective email attack tactics, with successful attacks enabling criminals to gain direct access to account credentials that will enable them to covertly take over the email account or infiltrate the network.
This already potent attack technique has been strengthened by the move to the cloud. Cloud-based multi-user collaboration and productivity tools present the opportunity for attackers to host and share malicious files to escalate their attack, all the while hidden within the reputable cloud domain where users expect everything to be safe and secured.
We have also encountered an increasing number of instances where attackers seek to exploit the opportunity presented by the cloud in multi-stage phishing attacks.
Threat actors are becoming increasingly adept at using the trusted infrastructure of the cloud to evade many standard security measures to reach their victims and harvest critical account credentials.
These attacks commence with a standard phishing email, usually in the form of an invoice PDF or similar actionable request.
PDF documents laced with hidden malicious code have been a common attacking tool for many years, and these attempts are generally easily spotted by email security solutions and firewalls, particularly if the attacker is using a previously known malware variant.
However, rather than simply sending over an attachment, this new generation of multi-stage attacks send a link to the document on a legitimate cloud service.
Ubiquitous solutions such as OneDrive, SharePoint and OneNote are common choices, as well as lesser known services and collaboration tools.
Sending documents in this manner has become standard practice, so there is little reason for an employee to have second thoughts about clicking the link. Worse, the email contains a link to a completely legitimate cloud hosting service so there is no threat signature for most standard email security solutions to detect.
Turning convenience into a weapon
Accessibility has always been one of the biggest selling points of the cloud but becomes a major liability here.
Most hosting and collaboration cloud services enable users to open PDFs and other documents within the browser, without the need to run the relevant program – a useful function for saving time or enabling access for users lacking the right software.
However, in the case of a PDF, reading it in the browser means the user will not be warned when they click the malicious link and are directed away to the phishing site.
A warning will be displayed when the document is opened through the Adobe program, but workers have become used to doing things through their browsers and may not feel the need to fully open the document.
As with other deceptive email techniques, savvier criminals will go to the effort of doing their research and creating hand-crafted emails that mimic the identity they are assuming – for example including real logos, names and addresses.
Alternatively, they may also simply opt to generate the emails directly using the function provided by cloud services.
The most dangerous and difficult to detect variant of this attack sees threat actors using compromised Office 365 corporate accounts that were taken over in previous credential phishing attacks.
With the email coming from a legitimate address and linking to a cloud service, there will be no reason for either employees or standard security solutions to suspect anything is amiss.
Office 365 accounts can also be used to share documents with the “Share with Anyone” option, enabling them to send files far and wide regardless of their level of authorisation.
Keeping up with evolving threats
Cyber criminals are rapidly evolving their email attack tactics to exploit fundamental vulnerabilities in common cloud services.
By conducting a multi-level attack that transitions from phishing emails to the cloud, attackers can neatly sidestep many traditional defensive measures.
After the initial phase of credential theft, threat actors can also exploit the cloud to escalate their attack, sending even more seemingly legitimate phishing emails and expanding their reach.
These attacks can be countered if organisations take their own multi-stage approach to security. The first step is to harden email security to mitigate the chances of deceptive messages coming through.
Defences such as Secure Email Gateways (SEGs) can be configured to identify and block emails that show common indicators of spoofing, such as misaligned sender IDs.
The majority of multi-stage phishing attacks still rely on these standard deceptive techniques for the first phase, so stronger email defences will greatly reduce their chances of reaching the intended victims.
Organisations should look at their cloud solutions and ensure they have configured settings to restrict misuse by attackers that have stolen account credentials.
Functions such as SharePoint’s “Anyone” option can be disabled, preventing the intruder from escalating their attack by sending malicious documents out using a compromised account.
By taking a multi-pronged approach to both reduce the chances of a successful phishing attack and mitigate the impact of a compromised account, organisations can keep pace with adversaries and avoid falling victim to the latest evolution in email attacks.