Researchers on Wednesday found that some applications do not validate the legitimacy of a vanity URL’s subdomain, but only validate the Uniform Resource Identifier (URI). As a result, threat actors can use their own SaaS accounts to generate links to malicious content that appears to be hosted by a company’s sanctioned Software-as-a-Service account.
In a blog post, researchers from Varonis detail how they were able to spoof links from Box, Google, and Zoom that demonstrate how attackers can use the spoofed URLs for phishing campaigns, social engineering attacks, reputation attacks, and malware distribution.
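The defensive counterpart to the flaw described above is to check the host, not just the path: a link on a monitored SaaS domain whose vanity subdomain is not the organization’s own should be treated as untrusted. The following is an added example, not code from Varonis or from any of the vendors named here; the URL shapes (`<tenant>.app.box.com`, `<tenant>.zoom.us`), the tenant name `acme` and the sample links are all constructed assumptions for illustration.

```python
from urllib.parse import urlsplit

# Sanctioned vanity subdomains per SaaS base domain (constructed values;
# the host shapes are assumptions, not taken from the research).
SANCTIONED = {
    "app.box.com": {"acme"},
    "zoom.us": {"acme"},
}


def classify_link(url, sanctioned=SANCTIONED):
    """Classify a link by its host rather than its path.

    Returns one of:
      'sanctioned-vanity'   - host is <allowed tenant>.<saas base domain>
      'unsanctioned-vanity' - host is <other label(s)>.<saas base domain>
      'generic-saas'        - host is the bare SaaS base domain
      'unrelated'           - host is not a monitored SaaS domain
    """
    # urlsplit().hostname strips userinfo and port, so a link such as
    # https://acme.app.box.com@evil.example/... resolves to evil.example.
    host = (urlsplit(url).hostname or "").lower().rstrip(".")
    for base, tenants in sanctioned.items():
        if host == base:
            return "generic-saas"
        if host.endswith("." + base):
            # Everything left of the base domain must match exactly; a nested
            # label like evil.acme.app.box.com is not the tenant 'acme'.
            prefix = host[: -len(base) - 1]
            return "sanctioned-vanity" if prefix in tenants else "unsanctioned-vanity"
    return "unrelated"


def scan_links(urls, sanctioned=SANCTIONED):
    """Return the links that warrant review: any vanity host that is not
    the organization's own tenant on a monitored SaaS domain."""
    return [u for u in urls if classify_link(u, sanctioned) == "unsanctioned-vanity"]


if __name__ == "__main__":
    # Constructed sample links, e.g. extracted from an inbound e-mail.
    sample = [
        "https://acme.app.box.com/s/abc123",
        "https://attacker.app.box.com/s/abc123",
        "https://app.box.com/s/abc123",
        "https://acme.zoom.us/j/123456",
    ]
    for u in sample:
        print(classify_link(u), u)
```

Pair the subdomain check with path validation rather than replacing it; the point of the research is that path validation alone lets an attacker-controlled tenant pass.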
Phishing campaigns often have typos, fake links that are far too obvious, and other red flags that most individuals can identify with relative ease, said Corey O’Connor, director of products at DoControl. O’Connor was concerned that by simply changing the subdomain, a bad actor can create a link that appears completely legitimate.
“Negligent insiders continue to fall for less convincing phishing attempts,” O’Connor said. “This vulnerability widens the attack vector in SaaS, and does so in a very convincing way. It’s another example where SaaS security and insider risk need to be prioritized and more effectively managed by CISOs and practitioners respectively.”
Barry Ruditsky, senior vice president at SlashNext, said the company sees this type of use case with its customers, who leverage its API to identify cybercriminals using cloud services to launch malicious URLs.
“This issue has become a significant problem for organizations,” Ruditsky said. “URL spoofing and hiding malicious URLs on trusted cloud services is a growing tactic with cybercriminals. Many security protection services do not have the technology to identify these malicious URLs. In fact, right now, we are tracking over 60,000 live zero-hour malicious URLs that are leveraging legitimate domains and SaaS environments, including Box.com, Zoom, Google Docs, and SharePoint services.”