Attackers host phishing landing pages on Box to bypass security checks

Cybercriminals are constantly coming up with new ways for their phishing pages and other online scams to avoid detection by cloud storage and email security products. As part of its ongoing Blox Tales series, cloud-based office security platform Armorblox has published a new blog post detailing a recent credential phishing attempt its researchers observed, in which attackers used the Box cloud storage service to host their phishing pages.

The credential phishing attempt began with an email claiming to be from a third-party provider asking users to view a financial document. When a user clicked the link in the email, it took them to a page hosted on Box that had a document that claimed to be hosted on OneDrive with another link to access the document. Clicking the OneDrive link redirected users to the final credential phishing site, which was designed by the cybercriminals behind the campaign to look like the official Office 365 login portal, with footer text on the page designed to create a sense of urgency by informing users that the link in the email will only be active for a limited time.

Bypassing security checks

The email from this campaign was able to bypass existing email security controls because it did not follow the pattern of traditional phishing attacks. For starters, the sender's name and domain made the email appear to come from a legitimate third-party provider's account, allowing it to pass all authentication checks. The email domain (tidewaterhomefunding.com) is owned by a legitimate lending company in Virginia, and the attackers may have first obtained the credentials of Tidewater Home Funding employees before launching their campaign.

With the first page of the attack flow hosted on Box, the campaign took advantage of the cloud storage provider's reputation to bypass the filters used to block known bad domains. The fake OneDrive page also included extensive Microsoft branding to create a false sense of security for potential targets. At the same time, the Box-hosted web page and the final Office 365 phishing site used legitimate-appearing domains to avoid manual checks that employees might perform when opening emails.

This isn't the first time, and it won't be the last, that cybercriminals have devised new ways to bypass email security controls, which is why employees and individuals alike must stay vigilant when opening emails from unknown senders and be on the lookout for any messages that try to create a sense of urgency.
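
The gap described above, where a filter that scores only the emailed link trusts the Box host, can be closed by checking every hop for branding that does not match the hosting domain. The following Python sketch is an added example, not code from Armorblox or the original article; the allowlists, the hop fields (`brands`, `password_form`, assumed to come from a link-following sandbox) and the sample URLs are constructed assumptions.

```python
from urllib.parse import urlsplit

# Illustrative allowlists (assumptions, not a complete inventory).
FILE_SHARING_HOSTS = {"box.com"}
BRAND_DOMAINS = {
    "OneDrive": {"live.com", "sharepoint.com", "microsoft.com"},
    "Office 365": {"microsoftonline.com", "office.com", "microsoft.com"},
}

def base_domain(url):
    """Last two labels of the host; sufficient for the constructed sample."""
    host = (urlsplit(url).hostname or "").lower()
    return ".".join(host.split(".")[-2:])

def reputation_only(chain):
    """What a first-hop reputation filter sees: only the emailed link."""
    first = base_domain(chain[0]["url"])
    return "allow" if first in FILE_SHARING_HOSTS else "inspect"

def chain_findings(chain):
    """Walk every hop and compare displayed branding with the hosting domain."""
    findings = []
    first = base_domain(chain[0]["url"])
    for i, hop in enumerate(chain):
        dom = base_domain(hop["url"])
        for brand in hop["brands"]:
            if dom not in BRAND_DOMAINS.get(brand, set()):
                findings.append((i, f"{brand} branding served from {dom}"))
        # A login form on another domain, reached through a file-sharing link.
        if (hop["password_form"] and i > 0
                and first in FILE_SHARING_HOSTS and dom != first):
            findings.append((i, f"password form reached via {first} link"))
    return findings

# Constructed sample mirroring the flow in the article (placeholder URLs).
SAMPLE_CHAIN = [
    {"url": "https://app.box.com/s/CONSTRUCTED",
     "brands": ["OneDrive"], "password_form": False},
    {"url": "https://login.portal-example.test/",
     "brands": ["Office 365"], "password_form": True},
]

if __name__ == "__main__":
    print("first-hop reputation verdict:", reputation_only(SAMPLE_CHAIN))
    for hop_index, message in chain_findings(SAMPLE_CHAIN):
        print(f"hop {hop_index}: {message}")
```
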