Netskope’s Threats Research Lab recently revealed details about newly discovered phishing cyber-attack that was targeting the client bases of a law firm in Denver, Colorado, and across the entire U.S.
Using a PDF file which is hosted in Azure’s Blob Storage service, the attackers could easily send the file as an attachment to its targets. The decoy which is linked to the Office 365 phishing page and has a Microsoft-issued domain and SSL certificate.
Well, these attachments are usually synced automatically to cloud storage services through collaboration setting a variety of the popular software and as well as the third party apps in a number of enterprises, this campaign is very tough to detect.
The PDF is delivered as an email attachments then this appears that it comes from a legit source but actually it’s not. Well, it’s not probably uncommon for these types of attachments to be saved to a cloud storage service, such as Google Drive. Nor it is uncommon that a user would share the document. This PDF which is discovered that is named as “Scanned Document…Please Review.pdf” and though it really appears that it is actually came from a Denver-based law firm. Whenever the user try to click on this hyperlink to download this PDF, a pop-up message alerts the user that the document is now attempting to connect to an Azure storage URL, which probably goes to a phishing web page.
“At face value, seeing a Microsoft domain and a Microsoft-issued SSL certificate, on a site that is asking for Office 365 credentials is pretty strong evidence that the site is legitimate, and are likely enough to convince a user to enter their credentials. Upon clicking continue, the victim’s credentials are uploaded to https://searchurl[.]bid/livelogins2017/finish40.php,” Netskope wrote in today’s blog post.
The researchers have successfully reported this site that they recently discovered on September 17, 2018. Netskope which recommends that each user should always check the domain URL of the link above to be aware that the domain typically used at login, particularly with sensitive services.
The organizations should also keep their systems and antivirus always updated with the latest versions and patches.