In this attack, the actor used the compromised account of an external third party to send an email that appeared to contain a link to a PDF document with information about new dues. While the actual relationship between the third party and recipient is unknown, the email was constructed to appear as if the sender was a vendor that had previously worked with the target company. To hide the addresses of everyone receiving the email, the attacker BCC'd all of the recipients. The full signature of the compromised third-party employee was present in the email, indicating the message was sent directly from their account. The name of the third-party company was included in the email subject.

Compromised Third Party Phishing Email

Had the recipient clicked on the link to view the PDF document, they would have been taken to an initial landing page that noted a PDF document had been shared by the compromised third-party’s company. A thumbnail containing the company’s logo was also displayed on the phishing page. A link to “VIEW PDF ONLINE” was present, followed by a warning that stated the document was protected so it could only be viewed by the recipient.

Compromised Third Party Phishing Page 1

If the recipient clicked on the link on this initial page, they would have been directed to a second phishing page mimicking a OneDrive login screen. On this page, a prompt indicated the recipient needed to confirm their identity by entering “specific professional email credentials that this document was sent to” in order to view and download the “shared file.”

Compromised Third Party Phishing Page 2

How Does This Attack Bypass Email Defenses?

The URL found in the email has not previously been detected as malicious, allowing it to bypass traditional tools that rely on known bad indicators. Because the email was sent from a legitimate, compromised account with no history of abuse, there are no direct signals indicating that the email’s origin is malicious.

How Can This Attack Be Detected?

A behavioral system is required to stop attacks that use never-before-seen URLs. By understanding the intent of the link, alongside other signals acquired through content analysis, a cloud email security platform understands when an email may be malicious. Understanding legitimate vendor domains allows a cloud email security solution to flag a lookalike domain as fraudulent and block the attack before it reaches users. All of the recipients receiving the email were BCC’d, a common pattern when attackers send similar attacks to many recipients.
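The signals named above (BCC-only delivery, an external sender, a link host with no prior history) can be combined in a small scorer. This is an added illustration, not code from the original report or any vendor's detection logic; the sample message, domains, function names and threshold are constructed assumptions.

```python
import re
from email import message_from_string
from email.utils import getaddresses, parseaddr
from urllib.parse import urlparse

# Constructed sample message; every name and domain is a placeholder.
SAMPLE = """\
From: Pat Vendor <pat@vendor.example>
Subject: Vendor Example Inc - new dues
Content-Type: text/plain

Please review the PDF with the new dues:
https://docs-share.example.net/view?id=123

Pat Vendor | Accounts | Vendor Example Inc
"""

URL_RE = re.compile(r"https?://[^\s\"'<>]+")

def score_message(raw, delivered_to, internal_domain, seen_hosts):
    """Return the behavioral signals present in one delivered message."""
    msg = message_from_string(raw)
    sender = parseaddr(msg.get("From", ""))[1].lower()
    visible = {addr.lower() for _, addr in
               getaddresses(msg.get_all("To", []) + msg.get_all("Cc", []))}
    signals = []
    # The mailbox that received the copy is not in To/Cc: it was BCC'd.
    if delivered_to.lower() not in visible:
        signals.append("bcc_delivery")
    # Sender is outside the organization (assumed single internal domain).
    if not sender.endswith("@" + internal_domain):
        signals.append("external_sender")
    # Collect link hosts from every text part of the message.
    body = " ".join(p.get_payload(decode=True).decode("utf-8", "replace")
                    for p in msg.walk() if p.get_content_maintype() == "text")
    hosts = {urlparse(u).hostname for u in URL_RE.findall(body)}
    # A host never seen in prior mail cannot be on a known-bad list yet.
    if any(h and h not in seen_hosts for h in hosts):
        signals.append("first_seen_link_host")
    return signals

def is_suspicious(signals, threshold=3):
    # No single signal is conclusive; require several to co-occur (assumed threshold).
    return len(signals) >= threshold
```

In practice `seen_hosts` would be built from the organization's own mail history, and `delivered_to` taken from the envelope recipient recorded at delivery.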

What are the Risks of This Attack?

If an employee entered credentials into the phishing page, attackers would have full access to their email account, which they can then use to look for sensitive information or as a launch point for other attacks on the employee’s coworkers, customers, or vendors. 

Analysis Overview

Vector: Link-based
Goal: Credential Theft
Tactic: External Compromised Account; BCC Recipient List
Theme: Fake Document
Impersonated Party: External Party - Vendor/Supplier
Impersonated Brands: OneDrive
