Hackers Abuse Dropbox In Phishing Attack To Steal Logins


Darktrace, a leading AI-powered threat detection company, identified a sophisticated phishing attempt targeting one of its customers in January 2024. The attack exploited the legitimate cloud service Dropbox.

Algorithm Of The Attack

The attackers used a legitimate email address, “no-reply@dropbox[.]com,” which Dropbox commonly uses for automated notifications.

The email content was crafted to appear legitimate. It likely contained a link to a PDF document supposedly shared by a partner or colleague of the recipient.

Clicking the embedded link within the PDF would have led the user to a malicious website, potentially disguised as a legitimate login page.

Attack Breakdown

On January 29, 2024, the user received a seemingly legitimate email from Dropbox reminding them to open a previously shared PDF, which was sent on January 25, 2024.

  • Darktrace/Email identified the email as suspicious and moved it to junk, preventing the user from clicking a potentially malicious link within the PDF.

Darktrace/Email and Darktrace/Apps successfully identified the suspicious email by analyzing:

  • Anomalous Behavior: The email, despite originating from a legitimate address, was sent from an unknown entity and didn’t align with the customer’s usual email communication patterns.
  • Link Analysis: Darktrace likely analyzed the embedded link within the PDF, identifying it as redirecting to a suspicious domain not previously encountered within the customer’s network.

Despite Darktrace’s intervention, the user opened the suspicious email and accessed the PDF.

On January 31, 2024, Darktrace observed a series of suspicious logins to the compromised Microsoft 365 account:

  • Logins from unusual locations never used before.
  • Logins originating from IP addresses associated with VPN services (ExpressVPN, HideMyAss).
  • Interestingly, the attackers used valid MFA tokens, suggesting they bypassed the customer’s MFA policy (potentially through user error).

The attackers created a new email rule within the compromised account to automatically move emails from the organization’s accounts team to a less-monitored folder. 

The attackers sent emails impersonating the legitimate account holder, using urgency-inducing subject lines like “Incorrect contract” and “Requires Urgent Review.” 

These tactics aimed to trick recipients into further actions, potentially compromising additional accounts.
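A defender's detection sketch for the post-compromise signals listed above (sign-ins from a country the user has never used, sign-ins from the commercial VPN providers named in the write-up, and a new inbox rule diverting the accounts team's mail). This is an added example, not Darktrace's detection logic; the audit-record field names, the user baseline and the sample events are constructed assumptions loosely modelled on Microsoft 365 audit events.

```python
"""Score simplified Microsoft 365 audit records for the account-takeover
signals described in the write-up. Field names are constructed, not the
real unified-audit-log schema."""

# Constructed baseline: countries each user has previously signed in from.
KNOWN_COUNTRIES = {"alice@example.com": {"GB"}}
# VPN providers named in the write-up, matched against the ASN organisation.
VPN_PROVIDERS = ("expressvpn", "hidemyass", "hma")
# Senders whose mail being diverted to a quiet folder is a classic ATO step.
SENSITIVE_SENDERS = ("accounts@", "finance@")


def _is_vpn(asn_org):
    return any(p in asn_org.lower() for p in VPN_PROVIDERS)


def analyze(events):
    """Return one finding per suspicious event, highest severity first."""
    findings = []
    for e in events:
        user = e["user"].lower()
        if e["op"] == "UserLoggedIn":
            reasons = []
            if e["country"] not in KNOWN_COUNTRIES.get(user, set()):
                reasons.append(f"new country {e['country']}")
            if _is_vpn(e["asn_org"]):
                reasons.append(f"VPN provider {e['asn_org']}")
            if reasons:
                # A satisfied MFA challenge does not clear the event: in the
                # case above the attacker presented valid MFA tokens.
                if e.get("mfa"):
                    reasons.append("MFA passed; possible token or session theft")
                findings.append({"user": user, "kind": "sign-in", "severity": 2, "why": reasons})
        elif e["op"] in ("New-InboxRule", "Set-InboxRule"):
            p = e["params"]
            diverts = bool(p.get("MoveToFolder") or p.get("DeleteMessage"))
            sensitive = any(p.get("From", "").lower().startswith(s) for s in SENSITIVE_SENDERS)
            if diverts and sensitive:
                dest = p.get("MoveToFolder", "deleted")
                findings.append({"user": user, "kind": "inbox-rule", "severity": 3,
                                 "why": [f"diverts mail from {p['From']} to {dest}"]})
    return sorted(findings, key=lambda f: -f["severity"])


# Constructed sample records mirroring the 29-31 January sequence above.
SAMPLE_EVENTS = [
    {"op": "UserLoggedIn", "user": "alice@example.com", "country": "GB", "asn_org": "BT Public Internet", "mfa": True},
    {"op": "UserLoggedIn", "user": "alice@example.com", "country": "NL", "asn_org": "ExpressVPN", "mfa": True},
    {"op": "New-InboxRule", "user": "alice@example.com", "params": {"From": "accounts@example.com", "MoveToFolder": "RSS Subscriptions"}},
    {"op": "New-InboxRule", "user": "alice@example.com", "params": {"From": "newsletter@example.com", "MoveToFolder": "Newsletters"}},
]

if __name__ == "__main__":
    for f in analyze(SAMPLE_EVENTS):
        print(f["severity"], f["user"], f["kind"], "; ".join(f["why"]))
```

The inbox-rule finding ranks above the sign-in because a diversion rule is the step that turns access into fraud; in practice both would trigger a session revocation and a credential reset.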

“Had RESPOND been enabled in autonomous response mode at the time of the attack, it would have quickly moved to log out and disable the suspicious actor as soon as they had logged into the SaaS environment from an unusual location, effectively shutting down this account takeover attempt at the earliest opportunity,” said Ryan Traill, the threat content lead at Darktrace.
