CyberSecurity SEE

Utilization of Cloud Files Enhances BEC Attacks Through Creativity

Threat actors are taking their business email compromise (BEC) campaigns to the next level by combining social engineering tactics with trusted, cloud-based file-hosting services, which makes their attacks look more authentic. These campaigns are getting past common security measures and ultimately jeopardizing the identities of enterprise users.

In recent months, Microsoft has observed a surge in these hybrid campaigns, which have been evolving over the past couple of years. Attackers are weaponizing legitimate file-sharing services like Dropbox, OneDrive, and SharePoint (platforms widely used by enterprises for collaboration) to carry out their malicious activities. Microsoft Threat Intelligence highlighted this in an alert warning of the potential risks associated with these sophisticated cyberattacks.

The integration of social engineering techniques into these campaigns is key to their success. Threat actors are targeting trusted connections within a business user’s network and tailoring their lures around familiar topics of conversation. Through this strategy, they are effectively phishing credentials for business accounts, enabling them to carry out nefarious actions like financial fraud, data theft, and lateral movement to other endpoints.

Legitimate cloud services have become a weak link in enterprise security, with various threat actors, including advanced persistent threat (APT) groups, leveraging these services to deliver remote access Trojans (RATs), spyware, and other malicious software. By utilizing file-sharing services as their conduit, attackers can evade detection and maximize the impact of their malicious activities.

Microsoft outlined a common BEC attack scenario that begins with compromising a user within an organization. The attacker then leverages the victim’s credentials to upload a file to the company’s file-hosting service and shares it with individuals outside the organization who have established trust with the victim. By employing platforms like Dropbox, OneDrive, or SharePoint with restricted access, adversaries can circumvent detection systems and launch credential-harvesting operations with impunity.

Moreover, attackers are capitalizing on recipients’ trust in emails from known vendors, bypassing security measures by manipulating policies within collaboration products like Exchange Online. This tactic allows phishing emails linked to these attacks to go undetected, further emphasizing the effectiveness of these deceptive practices.

Once files are shared on the hosting service, the targeted individual receives a legitimate email notification to access the file securely, bypassing any protective barriers that may have otherwise intercepted suspicious messages. This notification acts as a Trojan horse, facilitating the next stage of the attack campaign.

To evade detection further, attackers prompt users to verify their identities through familiar avenues, introducing urgency and leveraging psychological tactics to entice engagement with malicious files. The use of deceptive filenames enhances the credibility of these phishing attempts, increasing the likelihood of successful infiltration.

In response to these increasingly sophisticated BEC campaigns, Microsoft recommends that enterprises implement extended detection and response (XDR) systems to proactively identify suspicious activities associated with legitimate file-sharing services. By conducting queries to pinpoint anomalous file-sharing patterns and unusual sign-in events, organizations can strengthen their defenses against these evolving threats.
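The kind of correlation such a query performs can be sketched in Python. This is an added example, not Microsoft's query or any product's schema: the event field names, the `contoso.example` domain, the thresholds, and the sample events are all constructed assumptions. It flags a file shared with several external recipients shortly after the sharing account signed in from a country it had not used before.

```python
from collections import defaultdict
from datetime import datetime, timedelta

INTERNAL_DOMAIN = "contoso.example"  # assumption: the organization's own mail domain
EXTERNAL_THRESHOLD = 3               # assumption: distinct external recipients per share
WINDOW = timedelta(hours=24)         # assumption: share must follow the odd sign-in this closely

# Constructed sample events; field names are hypothetical, not a real product schema.
SIGNINS = [
    {"user": "alice@contoso.example", "time": "2024-10-01T08:02:00", "country": "DE"},
    {"user": "alice@contoso.example", "time": "2024-10-02T08:05:00", "country": "DE"},
    {"user": "bob@contoso.example", "time": "2024-10-01T09:00:00", "country": "DE"},
    {"user": "bob@contoso.example", "time": "2024-10-03T02:14:00", "country": "BR"},
]
SHARES = [
    {"user": "alice@contoso.example", "time": "2024-10-02T10:00:00", "file": "Q3 notes.docx",
     "recipients": ["carol@contoso.example", "dan@partner.example"]},
    {"user": "bob@contoso.example", "time": "2024-10-03T02:30:00", "file": "Audit Report 2024.pdf",
     "recipients": ["ap@vendor-a.example", "cfo@vendor-b.example", "it@vendor-c.example"]},
]

def ts(value):
    return datetime.fromisoformat(value)

def unusual_signins(signins):
    """Return sign-ins from a country not previously seen for that user."""
    seen, flagged = defaultdict(set), []
    for event in sorted(signins, key=lambda e: ts(e["time"])):
        if seen[event["user"]] and event["country"] not in seen[event["user"]]:
            flagged.append(event)
        seen[event["user"]].add(event["country"])
    return flagged

def suspicious_shares(signins, shares):
    """Flag shares to many external recipients made soon after an unusual sign-in."""
    alerts, odd = [], unusual_signins(signins)
    for share in shares:
        external = sorted({r.lower() for r in share["recipients"]
                           if not r.lower().endswith("@" + INTERNAL_DOMAIN)})
        if len(external) < EXTERNAL_THRESHOLD:
            continue
        for signin in odd:
            delta = ts(share["time"]) - ts(signin["time"])
            if signin["user"] == share["user"] and timedelta(0) <= delta <= WINDOW:
                alerts.append({"user": share["user"], "file": share["file"],
                               "external_recipients": external, "signin_country": signin["country"]})
                break
    return alerts

if __name__ == "__main__":
    print(suspicious_shares(SIGNINS, SHARES))
```

Neither signal is reliable alone: travel produces new sign-in countries and vendors legitimately receive shared files, so the thresholds need tuning against an organization's own baseline.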

As threat actors continue to refine their tactics and exploit vulnerabilities in cloud-based services, it is imperative for enterprises to remain vigilant and implement robust cybersecurity measures to safeguard their sensitive information and protect their networks from exploitation.
