Stealing personal data information (‘name’, ‘Social Security number’, ‘credit card details’, etc.) for fraudulent activities is dubbed “identity theft.”
While these types of cybercrimes are often termed as “financial identity theft,” “medical identity theft,” and “criminal identity theft,” each having an impact that is specific to the victim.
Microsoft’s security analysts have recently observed campaigns in which phishers have been actively abusing file-hosting services for identity phishing.
Hackers Abusing Legitimate File Hosting Services
Microsoft’s cybersecurity team has identified a significant surge in sophisticated cyberattacks where threat actors are exploiting trusted file hosting platforms (“SharePoint,” “OneDrive,” and “Dropbox”) via “advanced defense evasion techniques.”
Analyse Any Suspicious Links Using ANY.RUN’s New Safe Browsing Tool: Try for Free
These threat actors specifically use “restricted-access mechanisms” and “view-only file permissions” to evade traditional security measures like “email detonation systems” and “multi-factor authentication (MFA).”
The attack chain typically begins when threat actors compromise a trusted vendor’s account, and then share malicious files using legitimate notification systems (like “no-reply@dropbox[.]com”) to target specific organizations.
.webp)
These shared files are often disguised with urgent or contextually relevant names (like “Audit Report 2024” or “IT Filing Support 2024”), that are configured with sophisticated restrictions.
Here below we have mentioned those restrictions:-
- They are accessible only to intended recipients.
- They require re-authentication through one-time passwords (OTP).
- They have time-limited access windows.
- They prevent file downloads.
This methodology primarily leads to “BEC attacks” that enable ‘financial fraud,’ ‘unauthorized data exfiltration,’ and ‘lateral movement across network endpoints.’
The threat actors exploit the “implicit trust” associated with “legitimate file-sharing services.”
They make use of these campaigns particularly effective at evading the security protocols while appearing as “routine business communications,” especially when the compromised sender is already whitelisted in the “Exchange Online policies” of the target organization.
In a sophisticated identity theft attack, when users access a “shared file,” they encounter a ‘multi-stage compromise process.’
Initially, they receive a verification prompt requesting their “email address,” followed by a seemingly legitimate “OTP” sent from a “spoofed Microsoft address” (“[email protected][.]com”).
After entering the “OTP,” users are presented with what appears to be a legitimate document preview containing a deceptive “View my message” link.
When clicked, this link redirects them to an “AiTM” phishing page. On this fraudulent page, users are manipulated into providing their account credentials (‘password’ and ‘Multi-Factor Authentication (MFA) response’), reads the Microsoft report.
Once obtained, all these compromised authentication tokens enable threat actors to launch secondary BEC attacks, where they can “impersonate legitimate users,” “access sensitive information,” and “potentially initiate fraudulent financial transactions” or further “spread the attack throughout the organization’s network.”
Recommendations
Here below we have mentioned all the recommendations:-
- Enable Conditional Access policies in Entra.
- Use identity-driven signals for sign-in evaluation.
- Protect with compliant devices and trusted IPs.
- Start with security defaults if needed.
- Implement continuous access evaluation.
- Use passwordless sign-in with FIDO2 keys.
- Turn on network protection in Defender for Endpoint.
- Implement Mobile Threat Defense for devices.
- Block malicious websites with Edge, and emails with Defender 365.
- Monitor suspicious activities in Entra ID Protection.
- Investigate suspicious sign-ins.
- Educate users on secure file-sharing risks.
Strategies to Protect Websites & APIs from Malware Attack => Free Webinar