A novel phishing campaign leveraged legitimate Dropbox infrastructure and successfully bypassed multifactor authentication (MFA) protocols, new research from Darktrace has revealed.
The attack highlights the growing exploitation of legitimate, popular services to trick targets into downloading malware and revealing login credentials.
The findings also show how attackers are becoming adept at evading standard security protocols, including email detection tools and MFA.
Speaking to Infosecurity, Hanah Darley, Head of Threat Research at Darktrace, noted that while it is common for attackers to exploit the trust users have in specific services by mimicking the normal emails they receive, in this case, the threat actor(s) went a step further and leveraged the legitimate Dropbox cloud storage platform to conduct their phishing attacks.
The Attackers Leveraged Dropbox Infrastructure
The attackers targeted a Darktrace customer on January 25, 2024, with 16 internal users on the organization’s SaaS environment receiving an email from ‘no-reply@dropbox[.]com.’ This is a legitimate email address used by the Dropbox file storage service.
The email contained a link that would lead the user to a PDF file hosted on Dropbox, which was seemingly named after a partner of the organization.
This PDF file contained a suspicious link to a domain that had never previously been seen on the customer’s environment, named ‘mmv-security[.]top.’
The researchers noted that there is “very little to distinguish” malicious or benign emails from automated emails used by legitimate services such as Dropbox. Therefore, this approach is effective in evading email security tools and convincing targets to click a malicious link.
This email was detected and held by Darktrace’s email security tool. However, on January 29 a user received another email from the legitimate no-reply@dropbox[.]com address, reminding them to open the previously shared PDF file.
Although the message was moved to the user’s junk folder, the employee went on to open the suspicious email and follow the link to the PDF file. The internal device connected to the malicious link mmv-security[.]top a few days later.
This link led to a fake Microsoft 365 login page, designed to harvest the credentials of legitimate SaaS account holders.
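The chain described above (a genuine notification from a file-sharing service, a hosted document, and an outbound link to a domain the organization had never contacted) is exactly the pattern a defender can score on. The following is an added illustration of that heuristic and is not Darktrace's code; the set of previously seen domains, the trusted sender list and the sample messages are all constructed here for the example, and the registrable-domain helper is a simplification that ignores the public suffix list.

```python
"""Flag emails that relay a link through a trusted file-sharing service to a
domain the organization has never contacted before. Added illustration of the
heuristic described in the article; not Darktrace code. The seen-domain set,
sender list and sample messages are all constructed here."""
from dataclasses import dataclass
from urllib.parse import urlparse

# Constructed: domains this environment has previously been seen contacting.
SEEN_DOMAINS: frozenset[str] = frozenset({
    "dropbox.com", "www.dropbox.com", "microsoft.com",
    "login.microsoftonline.com", "partner.example",
})

# Assumption: automated sender domains of file-sharing services we trust.
FILE_SHARE_SENDERS = frozenset({"dropbox.com"})


def refang(text: str) -> str:
    """Turn a defanged indicator like 'mmv-security[.]top' back into a host."""
    return text.replace("[.]", ".").replace("hxxp", "http")


def host_of(url: str) -> str:
    """Lower-cased hostname of a URL, or '' if it cannot be parsed."""
    return (urlparse(refang(url)).hostname or "").lower()


def registrable(host: str) -> str:
    """Simplified registrable domain: last two labels (no public-suffix list)."""
    labels = host.split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host


def is_seen(host: str, seen: frozenset[str]) -> bool:
    """True if the exact host or its registrable domain has been seen before."""
    return host in seen or registrable(host) in seen


@dataclass
class Finding:
    score: int
    reasons: list[str]


def assess(sender: str, email_urls: list[str], file_urls: list[str],
           seen: frozenset[str] = SEEN_DOMAINS) -> Finding:
    """Score one message. email_urls are links in the mail body; file_urls are
    links extracted from the document those links resolve to (e.g. the PDF)."""
    score, reasons = 0, []
    sender_domain = refang(sender).rsplit("@", 1)[-1].lower()
    via_file_share = sender_domain in FILE_SHARE_SENDERS
    if via_file_share:
        # Low weight on its own: the sender is genuine, so this only matters
        # in combination with where the shared content leads.
        score += 1
        reasons.append(f"automated notification from file-sharing sender {sender_domain}")

    for url in email_urls:
        host = host_of(url)
        if not is_seen(host, seen):
            score += 3
            reasons.append(f"mail body links to never-seen domain {host}")

    for url in file_urls:
        host = host_of(url)
        if not is_seen(host, seen):
            # A trusted share whose document points out to an unknown domain
            # is the two-stage pattern worth escalating.
            score += 4 if via_file_share else 3
            reasons.append(f"shared document links out to never-seen domain {host}")
    return Finding(score, reasons)


# Constructed sample reproducing the shape of the reported chain.
SUSPICIOUS = assess(
    "no-reply@dropbox[.]com",
    ["https://www.dropbox.com/s/constructed-id/Partner-Proposal.pdf"],
    ["https://mmv-security[.]top/office365/login"],
)
# Constructed benign share: the document points back at a known partner.
BENIGN = assess(
    "no-reply@dropbox[.]com",
    ["https://www.dropbox.com/s/constructed-id/Q1-report.pdf"],
    ["https://portal.partner.example/report"],
)

if __name__ == "__main__":
    for name, finding in (("suspicious", SUSPICIOUS), ("benign", BENIGN)):
        print(name, finding.score, *finding.reasons, sep="\n  ")
```

The point of the two-stage scoring is that neither signal alone is decisive: genuine Dropbox notifications are everyday traffic, and a never-seen domain in a document could be a new partner. Together, with the first-seen check applied to the link inside the shared file rather than only to the link in the mail body, they separate the reported chain from ordinary sharing.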
The researchers added that the approach of impersonating trusted organizations like Microsoft is an effective way of appearing legitimate to targets.