Cybercriminals are abusing cloud-based collaboration tools to improve the elusiveness and efficacy of their phishing campaigns — including one app that threat actors have abused so extensively that hyperlinks to its cloud-based service almost qualify to be blocked as a malware threat, according to one email security company.
In a blog post Thursday, researchers at Avanan reported that scammers have been sending emails containing a link to a page from the note-taking app Milanote; this page leads to a second link that, if clicked, directs users to a phishing page. In fact, Avanan reported that of the 1,430 most recent emails it observed referencing or linking to Milanote, 95.5% were created for phishing purposes.
Gil Friedrich, co-founder and CEO of Avanan, told SC Media in an interview that there are thousands of software-as-a-service applications that phishing scammers can potentially choose from to help mask their phishing schemes, knowing that these services are typically whitelisted by email security solutions. These actors avoid detection by “nesting [their] payloads in deeper layers within legitimate services, fooling…static scanners,” the Avanan post explains.
Friedrich said he can’t recall ever seeing a more disproportionate ratio of legitimate links to malicious links when investigating a cloud-based service.
To categorize the app as malware, “our threshold is like something like 99-point-something percent,” said Friedrich. “It's not there yet, but it's close.” A more typical spike in abuse might involve malicious actors leveraging brands such as Amazon or FedEx during prime shopping seasons — and even then only around 30% of the messages would actually be fraudulent, he said.
Fellow email security firm Cofense has also observed attacks abusing Milanote.
“Throughout the month of June, Cofense has seen Milanote abused in a variety of credential phishing campaigns,” said Joseph Gallop, intelligence analysis manager at Cofense. “Often, Milanote links will be observed in multiple different phishing campaigns on the same day.”
In its blog post, Avanan said “it’s easy to imagine this attack method reaching other popular cloud-based collaboration apps, potentially causing major damages to companies of all sizes and industries.” Indeed, Gallop from Cofense noted that Milanote abuse “is consistently accompanied by abuse of similar cloud services and collaborative platforms.”
“In June, Milanote-based credential phishing links were most commonly observed in conjunction with Glitch.me and OneDrive links,” Gallop continued. “The attackers specifically use these services to build ‘mediator’ pages which lead to actual phishing/credential harvesting pages.”
SC Media reached out to Melbourne, Australia-based Milanote for comment and received the following response from the company: "Approximately two months ago we noticed a sharp increase in the number of published boards that were being reported by users containing phishing content. As such, we implemented a system that leverages machine learning and reviews to detect published boards containing phishing contents. Since the release of this over a month ago, phishing attempts have almost stopped completely and we haven't received a single user reported phishing attempt."
To guard against such threats, Friedrich suggested that organizations might want to block links to the Milanote cloud-based service, especially if they don’t have an advanced email security solution. “Because it's much more likely to be malicious than your own employees actually using it,” he said.
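The nesting Avanan describes (a link to a legitimate service whose page carries the real phishing link) and Friedrich's blocking advice can be turned into a check that looks one layer deeper than a static scanner. The following is an added example, not Avanan's, Cofense's or Milanote's code; the service hostnames, the allowlist, the sample email and the sample page are all constructed assumptions.

```python
import re
from urllib.parse import urlparse

# Services the article reports being used as "mediator" pages. These hostnames and
# the allowlist below are assumptions for this example, not values from the article.
MEDIATOR_HOSTS = {"milanote.com": "Milanote", "glitch.me": "Glitch", "1drv.ms": "OneDrive"}
TRUSTED_HOSTS = {"intranet.example.com"}  # hypothetical corporate allowlist
URL_RE = re.compile(r"https?://[^\s\"'<>]+")  # bare URLs and href="..." values alike

def extract_links(content):
    """Deduplicated absolute URLs found in plain text or HTML (simple extractor)."""
    return list(dict.fromkeys(URL_RE.findall(content)))

def service_for(url):
    """Name of the mediator service hosting `url`, or None for any other host."""
    host = (urlparse(url).hostname or "").lower()
    for domain, name in MEDIATOR_HOSTS.items():
        if host == domain or host.endswith("." + domain):
            return name
    return None

def scan_email(body, fetch, max_depth=2):
    """Follow links into mediator services and report where they lead.
    fetch(url) returns page content and is injected so the scan runs offline.
    Each finding is (chain_of_services, final_url) for a nested link that leaves
    the mediator service for an untrusted host, the layer a static scanner misses."""
    findings = []
    def walk(url, chain, depth):
        svc = service_for(url)
        if svc is None:
            host = (urlparse(url).hostname or "").lower()
            if chain and host not in TRUSTED_HOSTS:
                findings.append((chain, url))
        elif depth < max_depth:
            for nested in extract_links(fetch(url)):
                walk(nested, chain + [svc], depth + 1)
    for link in extract_links(body):
        walk(link, [], 0)
    return findings

# Constructed sample: an invoice lure whose Milanote board links onward to a login page.
SAMPLE_EMAIL = "Invoice for the project proposal: https://app.milanote.com/p/constructed-board"
SAMPLE_PAGES = {"https://app.milanote.com/p/constructed-board":
                '<a href="https://constructed-phish.example.net/login">View invoice</a>'}

def demo():
    """Scan the constructed sample using an offline fetch over SAMPLE_PAGES."""
    return scan_email(SAMPLE_EMAIL, lambda url: SAMPLE_PAGES.get(url, ""))
```

In production the injected `fetch` would be a sandboxed HTTP client; the chain in each finding shows which services were layered, which is what a mail gateway would log or block on.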
In the example provided on the Avanan website, cybercriminals sent recipients an email containing a purported invoice for a vaguely referenced project proposal. One telltale hint that the senders were likely up to no good is that an invoice would be an unusual item to send someone using a workplace collaboration and note-taking application.
“So that actually made me think that you know it's not this sophisticated hacking group,” said Friedrich. Rather, it’s more of an opportunistic attack in which attackers leverage a platform that perhaps isn’t performing adequate security checks, he explained.
Friedrich also recommended that cloud-based platforms like Milanote take steps to make it easy for individuals to report phishing attacks via email or phone, and have an incident response team ready to block any malicious links and, ideally, the actors themselves.
“As soon as the price for the hackers is increased because they now need to create another account… they move to the next platform,” Friedrich said.
“Abuse of public platforms is very common among spammers and malware authors,” said Jérôme Segura, director of threat intelligence at Malwarebytes. “The idea is to use those placeholders as a free and disposable commodity. By the time malicious links are reported, the threat actor has already created new ones allowing them to continue to phish victims. Defenders can still report this activity and work with those platforms to help identify this abuse. For example, it could be the same user account from a specific location that is behind these phishing schemes. That may allow them to ban the user and share the information with law enforcement to take action when possible.”