Threat Actors Leverage PandaDoc and Dropbox to Deliver Decoy File and Phish for Microsoft Credentials
Attack Overview
Step 1: Email
The attack begins with an email claiming a document has been shared via PandaDoc. The message includes a link to a PandaDoc-hosted file and instructions for what to do if the document doesn’t render properly.

- The email appears to come from a legitimate sender.
- It includes a link to a PandaDoc-hosted decoy document.
- Targets are instructed to copy and paste a secondary Dropbox link.
Step 2: Decoy Document + Social Engineering
Targets who click the PandaDoc link find a blank or non-functional document. The attacker uses this as a social engineering trick to direct them to manually open the Dropbox link.

- The PandaDoc document is intentionally non-functional or blank.
- Targets are encouraged to follow alternative instructions.
- This phase builds trust while shifting attention to the real payload.
Step 3: Dropbox + Credential Harvesting Page
The Dropbox link leads to a Cloudflare Turnstile challenge; once the target passes it, they are redirected to a Microsoft-branded phishing login page that harvests their credentials.

- The Cloudflare Turnstile challenge stops automated crawlers and URL sandboxes, so they never reach the final page.
- Targets are redirected through multiple stages before landing on the payload.
- Final destination is a credential phishing page mimicking Microsoft login.
How Does This Attack Bypass Email Defenses?
This email attack bypasses traditional security solutions for several reasons, including:
- The sender domain passed SPF, DKIM, and DMARC checks, so the message was not flagged as spoofed.
- The links pointed to legitimate services (PandaDoc, Dropbox), lending credibility.
- The Cloudflare Turnstile challenge and multi-stage redirect logic kept automated link analysis from reaching the credential-harvesting page.
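The failure mode above is that a URL sandbox which stops at the Turnstile challenge sees a harmless-looking page and may report the link as clean. The following is an added example (not Abnormal Security's analysis engine) showing how a link scanner can classify each hop of a pre-fetched chain and report "unresolved" when it hits an interactive challenge. The response bodies and hostnames (example.net as the redirect target) are constructed stand-ins, and the Turnstile fingerprint is an assumption based on the widget's standard embed (a `cf-turnstile` element and the `challenges.cloudflare.com/turnstile/v0/api.js` script).

```python
"""Classify each hop of a pre-fetched link chain so that a chain which stops
at a Cloudflare Turnstile challenge is reported as unresolved, never clean.

Added example for this page; not Abnormal Security's code. Responses are
constructed stand-ins for what a URL sandbox would record. The Turnstile
markers are assumed from the widget's standard embed.
"""
import re
from dataclasses import dataclass, field

# Assumed fingerprint of a Turnstile interstitial: the widget element and
# the api.js script it loads from challenges.cloudflare.com.
TURNSTILE_MARKERS = (
    re.compile(r"challenges\.cloudflare\.com/turnstile/v0/api\.js", re.I),
    re.compile(r"class=[\"'][^\"']*\bcf-turnstile\b", re.I),
)


@dataclass
class Hop:
    """One recorded HTTP response in the chain the sandbox followed."""
    url: str
    status: int
    headers: dict = field(default_factory=dict)
    body: str = ""


def classify_hop(hop):
    """Return 'redirect', 'human_challenge' or 'content' for one hop."""
    if 300 <= hop.status < 400 and "Location" in hop.headers:
        return "redirect"
    if any(m.search(hop.body) for m in TURNSTILE_MARKERS):
        return "human_challenge"
    return "content"


def analyze_chain(hops):
    """Walk the recorded hops in order. Stopping at a human challenge means
    the final destination was never observed, so the verdict is 'unresolved'
    (escalate for manual or browser-driven analysis), not 'resolved'."""
    trail = []
    for hop in hops:
        kind = classify_hop(hop)
        trail.append((hop.url, kind))
        if kind == "human_challenge":
            return {
                "verdict": "unresolved",
                "reason": "interactive challenge blocked the crawler",
                "stages": len(trail),
                "trail": trail,
            }
    return {
        "verdict": "resolved",
        "final_url": hops[-1].url,
        "stages": len(trail),
        "trail": trail,
    }


# Constructed chain mirroring the page: a Dropbox-hosted link that redirects
# to a Turnstile-gated page on a constructed host (example.net).
GATED_CHAIN = [
    Hop(
        url="https://www.dropbox.com/scl/fi/constructed-example/agreement",
        status=302,
        headers={"Location": "https://example.net/verify"},
    ),
    Hop(
        url="https://example.net/verify",
        status=200,
        body=(
            "<html><head><script src=\"https://challenges.cloudflare.com/"
            "turnstile/v0/api.js\" async defer></script></head>"
            "<body><div class=\"cf-turnstile\" data-sitekey=\"constructed\">"
            "</div></body></html>"
        ),
    ),
]

# Constructed contrast case: a single hop that returns ordinary content.
PLAIN_CHAIN = [
    Hop(url="https://example.net/brochure.pdf", status=200,
        body="%PDF-1.7 constructed sample"),
]

if __name__ == "__main__":
    for name, chain in (("gated", GATED_CHAIN), ("plain", PLAIN_CHAIN)):
        print(name, analyze_chain(chain))
```

The point of the `unresolved` verdict is operational: a sandbox that cannot get past the challenge should route the message to secondary analysis (or a policy that treats human-gated links from unfamiliar senders as suspicious) instead of defaulting to "no threat found".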
How Did Abnormal Detect This Attack?
This attack was detected using AI and ML by analyzing various factors, including:
- Unusual sender behavior and never-before-seen senders.
- Presence of suspicious Dropbox links.
- Email content inconsistent with normal communication patterns.
By baselining normal behavior and detecting these abnormal indicators, a modern email security solution can prevent this attack from reaching inboxes.
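To make the indicators above concrete, here is an added example (not Abnormal Security's model, whose details are proprietary) of a heuristic scorer that checks an inbound message for a never-before-seen sender, a Dropbox link paired with a copy-and-paste instruction, the "document doesn't load" lure, and a mismatch with the sender's baseline. The two sample messages, the sender history, the weights and the threshold are all constructed for illustration; the addresses use reserved example domains.

```python
"""Heuristic scoring of an inbound email for the indicators this page lists:
never-before-seen sender, Dropbox link the reader is told to copy and paste,
a "document won't render" lure, and content outside the sender's baseline.

Added example; not Abnormal Security's detection model. Messages, sender
history, weights and threshold are constructed for illustration.
"""
import re
from email import message_from_string
from urllib.parse import urlparse

URL_RE = re.compile(r"https?://[^\s<>\"')]+")
DOC_SIGNING_HOSTS = ("pandadoc.com",)
FILE_SHARE_HOSTS = ("dropbox.com", "dropboxusercontent.com")
COPY_PASTE_RE = re.compile(
    r"copy\s+(?:and|&)\s+paste|paste\s+(?:it|the\s+link|this\s+link)\s+(?:into|in)",
    re.I)
RENDER_FAIL_RE = re.compile(
    r"(?:doesn.t|does\s+not|won.t|cannot|can.t)\s+(?:load|open|display|render)",
    re.I)

# Constructed weights; tune against real mail flow before relying on them.
WEIGHTS = {
    "never_seen_sender": 2,
    "doc_signing_link": 1,
    "file_share_link": 1,
    "copy_paste_instruction": 2,
    "render_failure_lure": 1,
    "off_baseline_content": 1,
}
CHAIN_BONUS = 2       # decoy doc link + file-share link + copy/paste lure together
QUARANTINE_AT = 5
REVIEW_AT = 3


def host_matches(url, suffixes):
    host = (urlparse(url).hostname or "").lower()
    return any(host == s or host.endswith("." + s) for s in suffixes)


def sender_address(msg):
    raw = (msg.get("From") or "").lower()
    m = re.search(r"<([^>]+)>", raw)
    return m.group(1) if m else raw.strip()


def plain_text_body(msg):
    parts = []
    for part in msg.walk():
        if part.get_content_type() == "text/plain":
            data = part.get_payload(decode=True) or b""
            parts.append(data.decode(part.get_content_charset() or "utf-8", "replace"))
    return "\n".join(parts)


def extract_indicators(raw_email, sender_history):
    """sender_history maps address -> baseline profile for this organisation;
    an address absent from it has never been seen before."""
    msg = message_from_string(raw_email)
    addr = sender_address(msg)
    body = plain_text_body(msg)
    urls = URL_RE.findall(body)
    profile = sender_history.get(addr, {})
    file_share = any(host_matches(u, FILE_SHARE_HOSTS) for u in urls)
    return {
        "never_seen_sender": addr not in sender_history,
        "doc_signing_link": any(host_matches(u, DOC_SIGNING_HOSTS) for u in urls),
        "file_share_link": file_share,
        "copy_paste_instruction": bool(COPY_PASTE_RE.search(body)),
        "render_failure_lure": bool(RENDER_FAIL_RE.search(body)),
        # A file-share link from someone whose baseline never includes one
        # (or who has no baseline at all) is outside normal patterns.
        "off_baseline_content": file_share and not profile.get("sends_file_links", False),
    }


def score_email(raw_email, sender_history):
    ind = extract_indicators(raw_email, sender_history)
    score = sum(WEIGHTS[k] for k, hit in ind.items() if hit)
    if ind["doc_signing_link"] and ind["file_share_link"] and ind["copy_paste_instruction"]:
        score += CHAIN_BONUS
    verdict = ("quarantine" if score >= QUARANTINE_AT
               else "review" if score >= REVIEW_AT else "deliver")
    return {"score": score, "verdict": verdict, "indicators": ind}


# Constructed sender baseline for the receiving organisation.
SENDER_HISTORY = {"legal@example.org": {"sends_file_links": False}}

# Constructed lure in the shape the page describes.
PHISH = """\
From: "Accounts Team" <accounts@example.com>
Subject: Document shared with you via PandaDoc

A document "Q3 Services Agreement" has been shared with you via PandaDoc.
View document: https://app.pandadoc.com/s/constructed-example
If the document doesn't load, copy and paste this link into your browser:
https://www.dropbox.com/scl/fi/constructed-example/agreement?dl=0
"""

# Constructed benign message from a known sender with no secondary link.
BENIGN = """\
From: <legal@example.org>
Subject: Please sign: NDA

Please review and sign: https://app.pandadoc.com/s/constructed-nda
"""

if __name__ == "__main__":
    print(score_email(PHISH, SENDER_HISTORY))
    print(score_email(BENIGN, SENDER_HISTORY))
```

Note that the benign PandaDoc message scores low even though it also carries a link to a legitimate service: the signal is the combination (unknown sender, second hosted link, copy-and-paste instruction, failure lure), not any single hosted-service URL.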
Please note the exact detection mechanism from Abnormal Security's system might include proprietary techniques and methodologies not disclosed here.