
Fast-Growing Campaign Targets Microsoft SharePoint Credentials with Dropbox


In a rapidly growing business email compromise (BEC) campaign, threat actors have been using messages sent from Dropbox to steal Microsoft user credentials. This campaign has been able to evade natural language processing (NLP)-based security scans, indicating the evolving nature of these attacks.

Researchers at Check Point Harmony have observed over 5,000 of these attacks in just the first two weeks of September. The attacks involve fake login pages that lead victims to a credential-harvesting site. Dropbox was informed of the campaign’s existence on September 18.

This attack follows the latest iteration of BEC, called BEC 3.0, in which attackers exploit legitimate sites that end users already trust and recognize. Other popular sites used in BEC 3.0 attacks include Google, QuickBooks, and PayPal. Because the sites themselves are legitimate, these attacks are very hard for email security services to detect and for end users to recognize.

These attacks pose a significant threat because they are able to bypass both NLP technology and URL scanning used by email security technology to flag suspicious messages. The use of legitimate language from these services makes it difficult for NLP to identify any abnormalities. Similarly, attempting to flag suspicious URLs is futile since the links used in the messages redirect to a legitimate Dropbox site.

Researchers have noted that the messages in this campaign appear to come directly from Dropbox, informing users that they have files to download. Clicking on the link provided leads potential victims to another page that is hosted on a legitimate Dropbox URL but themed as OneDrive. If users do not pick up on the discrepancy, they are directed to a phishing site that mimics a Microsoft SharePoint login page, where they are asked to enter their credentials. This final page is hosted outside of Dropbox.

This case is a clear example of BEC 3.0, which introduces cloud services into the attack. BEC attacks have historically spoofed or impersonated legitimate entities, but BEC 3.0 creates attacks that appear to originate from trusted services, making them extremely challenging to identify and stop.

To mitigate BEC 3.0 attacks, organizations can take several steps. First, they should educate users on common tactics and encourage them to pause and evaluate suspicious activity before clicking on links in emails from unfamiliar sources or in unsolicited messages. For example, receiving an email from a Dropbox domain but being directed to a OneDrive account page is a discrepancy that should alert users to the malicious nature of the campaign.

Additionally, deploying a comprehensive security solution that includes document- and file-scanning capabilities, AI defenses, and a robust URL-protection system can help prevent BEC 3.0 campaigns. Thoroughly scanning files and emulating the web pages behind links can further strengthen these defenses.
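The two signals the article describes (a page branded as one service but hosted by another, and a click path that starts at the sender's own domain and ends on an unrelated host) can be checked mechanically once a URL-protection system has emulated the click. The following is an added example written for this page, not code from Check Point or Dropbox: it takes the sender's domain and the ordered list of (URL, visible page text) pairs an emulator recorded, and returns the flags a reviewer would want. The brand-to-host table, the hop URLs and the `example.invalid` host are all constructed for the demonstration.

```python
"""Flag an emulated click path whose pages are branded as a different
service than the host serving them, or whose final page sits outside
the domain the message came from."""
from dataclasses import dataclass, field
from urllib.parse import urlparse

# Hosts that legitimately carry each brand's pages. Constructed for this
# example; a real deployment maintains this from its own allow-list.
BRAND_HOSTS = {
    "dropbox": ("dropbox.com",),
    "onedrive": ("onedrive.live.com", "live.com", "microsoft.com", "office.com"),
    "sharepoint": ("sharepoint.com", "microsoft.com", "office.com"),
}


def host_of(url: str) -> str:
    """Lower-cased host of a URL, port stripped ('' if unparsable)."""
    return (urlparse(url).hostname or "").lower()


def same_site(host: str, domain: str) -> bool:
    """True when host is the domain itself or one of its subdomains."""
    return host == domain or host.endswith("." + domain)


@dataclass
class Verdict:
    flags: list = field(default_factory=list)

    @property
    def suspicious(self) -> bool:
        return bool(self.flags)


def assess_click_path(sender_domain: str, hops: list) -> Verdict:
    """hops: ordered (url, visible_text) pairs recorded while emulating the click."""
    verdict = Verdict()
    if not hops:
        verdict.flags.append("no landing page recorded")
        return verdict
    for index, (url, text) in enumerate(hops, start=1):
        host = host_of(url)
        lowered = text.lower()
        # Brand/host mismatch: the page talks about OneDrive or SharePoint
        # (or Dropbox) but is served from a host outside that brand.
        for brand, hosts in BRAND_HOSTS.items():
            if brand in lowered and not any(same_site(host, h) for h in hosts):
                verdict.flags.append(
                    f"hop {index}: page branded '{brand}' served from {host}")
    final_url, final_text = hops[-1]
    final_host = host_of(final_url)
    # The path left the sender's own service; note if it ends on a login form.
    if not same_site(final_host, sender_domain):
        reason = f"final page on {final_host}, outside sender domain {sender_domain}"
        if "password" in final_text.lower():
            reason += " (credential form)"
        verdict.flags.append(reason)
    return verdict


# Constructed sample data mirroring the chain described above.
SENDER_DOMAIN = "dropbox.com"
CAMPAIGN_HOPS = [
    ("https://www.dropbox.com/scl/fi/CONSTRUCTED/share",
     "Dropbox - You have a file to download"),
    ("https://www.dropbox.com/scl/fo/CONSTRUCTED/onedrive",
     "OneDrive: Open the shared document"),
    ("https://login.example.invalid/sharepoint/signin",
     "Sign in to SharePoint to view the document. Email / Password"),
]
BENIGN_HOPS = [
    ("https://www.dropbox.com/scl/fi/CONSTRUCTED/quarterly-report.pdf",
     "Dropbox - quarterly-report.pdf was shared with you"),
]

if __name__ == "__main__":
    for label, hops in (("campaign", CAMPAIGN_HOPS), ("benign", BENIGN_HOPS)):
        v = assess_click_path(SENDER_DOMAIN, hops)
        print(label, "suspicious" if v.suspicious else "clean", v.flags)
```

The brand check fires on the OneDrive-themed page that is still on dropbox.com (the discrepancy users are told to notice), and the final-host check fires because the SharePoint-styled login form is hosted outside Dropbox; a genuine Dropbox share produces no flags because every hop stays on the sender's domain and is branded accordingly.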

It is essential for businesses to take note of the growing threat of BEC attacks. In 2022, the FBI reported over 21,000 BEC complaints, resulting in adjusted losses of more than $2.7 billion. BEC attacks have cost businesses worldwide over $50 billion in the last decade. With these attacks increasing in frequency and intensity, it is crucial for organizations to be proactive in implementing effective security measures to protect against BEC campaigns.
