Microsoft Sees Increase in Use of Legitimate File Hosting Services in Business Email Compromise Attacks

• According to Microsoft, more and more threat actors are using legitimate file hosting services such as OneDrive, Dropbox, and SharePoint to conduct business email compromise (BEC) attacks.
• Since these attacks use legitimate services, it's easier for the malware to fool the security tools.
• Once a user's account is compromised, it's used to run more such BEC attacks, like a snowball effect.

Microsoft has noticed an increase in the use of legitimate file hosting services such as OneDrive, Dropbox, and SharePoint in attacks that target business emails since April 2024. This method is also known as living-off-trusted sites (LOTS).

By using a legitimate service, the threat actors can easily blend in their traffic, and since the security tools are familiar with those services and find them trustworthy, they lower their guards, not realizing that malware is sneaking in as well.

This campaign mostly targets restricted files such as the ones that are view-only because if the file is downloadable, the user might find the malicious URL embedded in it.

Chronology of the Attack

• The attack starts with the target receiving a phishing email containing the malicious file.
• When they try to access that file, they are redirected to verify their identity by entering their email address, and an OTP is sent to their email account.
• Once the authorization is done, the victim is prompted to click on another link to view the actual contents of the file.
• However, this link leads them to an adversary-in-the-middle (AitM) phishing page which steals their passwords and two-factor authentication tokens.

Credits: Microsoft

It doesn't end here. Once the account of the victim is compromised, it can be used to conduct more malicious campaigns including financial fraud, phishing scams, and business email compromise (BEC) attacks.

While these campaigns are generic and opportunistic in nature, they involve sophisticated techniques to perform social engineering, evade detection, and expand threat actor reach to other accounts and tenants.' -Microsoft Threat Intelligence team

The timing of this report is interesting as it comes less than a year after Sekoia launched a new AitM phishing kit named Mamba 2FA.

It's a phishing-as-a-service (PhaaS) kit that helps other smaller threat actors run similar email phishing campaigns. Priced at $250, this kit has been in active use since November last year.

Microsoft Is Serious about Its Security

It looks like Microsoft is really paying attention to the security of its products and services lately. It recently released a bunch of security fixes, addressing 118 vulnerabilities.

Out of these 118 flaws, 3 were rated critical, 2 were rated moderate and 113 were rated important. Two of these vulnerabilities were also under active exploitation:

• CVE-2024-43572 Microsoft Windows Management Console Remote Code Execution Vulnerability
• CVE-2024-43573 Microsoft Windows MSHTML Platform Spoofing Vulnerability

The company did not reveal how they were being exploited and by whom but it has come under the radar of the U.S. Cybersecurity and Infrastructure Security Agency (CISA). It has listed these two in its Known Exploited Vulnerabilities (KEV) catalog and has ordered federal agencies to fix them by October 29, 2024.

The post Microsoft Sees Increase in Use of Legitimate File Hosting Services in Business Email Compromise Attacks appeared first on The Tech Report.