Microsoft Threat Intelligence reported that it has observed threat actors abusing legitimate file hosting services such as SharePoint, OneDrive and Dropbox with the aim of launching business email compromise (BEC) attacks.
In an Oct. 8 blog post, the Microsoft researchers said the threat actors send files with restricted access and “view-only” restrictions — files that typically can more easily circumvent standard security controls.
The researchers said they have noticed threat actors increasing these attacks since mid-April — tactics that let them steal credentials then plant malicious files into the victim’s file sharing app. The victims are then asked to re-authenticate, which takes them to the malicious site and the various BEC attacks that result in financial fraud, data exfiltration, and lateral movement.
“While these campaigns are generic and opportunistic in nature, they involve sophisticated techniques to perform social engineering, evade detection, and expand threat actor reach to other accounts and tenants,” wrote the researchers.
Stephen Kowski, Field CISO at SlashNext Email Security confirmed that his team has also seen a significant uptick in these sophisticated phishing campaigns over the past several months.
“These attacks leverage trusted file-sharing platforms, making them particularly challenging to detect and prevent using traditional methods,” said Kowski.
Security teams should focus on multi-layered defense strategies, Kowski said. Steps include implementing advanced browser-based detection technologies that can identify malicious content in real-time, regardless of its source. Teams should also use AI-powered phishing detection tools that analyze the context and content of shared files, said Kowski.
Ido Geffen, vice president of product at Oasis Security, also noted that his team has seen an increase of more sophisticated attacks that try to stay under the radar of traditional security tools. Geffen said his team has also seen a clear trend in which attackers broaden their campaigns by leveraging legitimate non-human identities, such as service accounts and APIs used to connect third-party SaaS applications, which traditional security tools often overlook.
“These accounts often have elevated privileges and are less closely monitored, making them a prime target for exploitation,” explained Geffen. “Security teams need to adopt a more comprehensive identity security approach that includes monitoring service accounts and other automated connections, as they are increasingly at the center of attacks aiming for financial fraud, data exfiltration, and lateral movement.”
