A recent PDF decoy linked to an Office 365 phishing page was impersonating a law firm in Denver, CO, according to a Netskope Threat Protection press release on Wednesday. The phishing page was hosted in Azure blob storage, and the PDF decoy was hosted in Google Drive.
Since the phishing bait was hosted in Azure blob storage, it had a Microsoft-issued SSL certificate and domain, making the attack vector especially convincing and difficult to detect, said the release. And since the PDF decoys appear to be credible, users felt comfortable entering their Office 365 credentials to download the document, added the release.
The attack targeted clients of a Denver-based law practice, who received an email from the firm with a PDF decoy titled "Scanned Document...Please Review.pdf.," said the release. Victims would attempt to download the PDF, then be prompted to enter credentials for Office 365. After inputting their personal information, they would be redirected to another phishing page claiming that the email or password entered was invalid, added the release.
After many redirects, the target is eventually taken back to a Microsoft page, with no document downloaded. With no document downloaded, victims may feel compelled to try and re-enter their credentials, or enter credentials to a different account, becoming further compromised, said the release.
The attack was believable enough to trick most people. But, it was particularly deceiving since it was designed to trick users who know to check that the domain and SSL certificate of a website matches its content, said the release. Users who are savvy enough will be able to recognize it is a malicious site because of the subdomain, which shows that it's Azure blob storage instead of an official Microsoft address, added the release.
This tactic is evidence that phishing attacks are becoming more clever and tricky. In order to stay protected, companies should teach their employees how to recognize Azure, AWS, and GCP object store URLs, so they are able to recognize when a site might be malicious, said the release.
Netskope also recommends protecting your company from cloud-based phishing campaigns by executing a real-time visibility and control solution to monitor activities, deploying threat and malware protection, and keeping systems and antiviruses updated.
The big takeaways for tech leaders:
- A recent phishing attack posing as a PDF decoy from a Denver law firm was stealing clients' Office 365 credentials
- The phishing bait was hosted in Azure blob storage and contained a Microsoft-issued domain and SSL certificate, making it particularly believable.
- Phishing attacks: A guide for IT pros (free PDF) (TechRepublic)
- Phishing warning: One in every one hundred emails is now a hacking attempt (ZDNet)
- Cheat sheet: How to become a cybersecurity pro (TechRepublic)
- Cryptocurrency phishing: New campaign uses automation to drain wallets (ZDNet)
- The top 11 phishing email subject lines SMBs should look out for (TechRepublic)
Macy Bayern has nothing to disclose. She does not hold investments in the technology companies she covers.
Macy Bayern is an Associate Staff Writer for TechRepublic. A recent graduate from the University of Texas at Austin's Liberal Arts Honors Program, Macy covers tech news and trends.