A recent PDF decoy linked to an Office 365 phishing page was impersonating a law firm in Denver, CO, according to a Netskope Threat Protection press release on Wednesday. The phishing page was hosted in Azure blob storage, and the PDF decoy was hosted in Google Drive.

Since the phishing bait was hosted in Azure blob storage, it had a Microsoft-issued SSL certificate and domain, making the attack vector especially convincing and difficult to detect, said the release. And since the PDF decoys appear to be credible, users felt comfortable entering their Office 365 credentials to download the document, added the release.

The attack targeted clients of a Denver-based law practice, who received an email from the firm with a PDF decoy titled “Scanned Document…Please Review.pdf,” said the release. Victims would attempt to download the PDF, then be prompted to enter credentials for Office 365. After inputting their personal information, they would be redirected to another phishing page claiming that the email or password entered was invalid, added the release.

After many redirects, the target was eventually taken back to a Microsoft page, with no document downloaded. Because nothing was downloaded, victims may feel compelled to re-enter their credentials, or to enter credentials for a different account, becoming further compromised, said the release.

The attack was believable enough to trick most people, but it was particularly deceptive because it was designed to trick users who know to check that the domain and SSL certificate of a website match its content, said the release. Savvy users will still be able to recognize the site as malicious because of the subdomain, which shows that it is Azure blob storage rather than an official Microsoft address, added the release.

This tactic is evidence that phishing attacks are becoming more sophisticated. To stay protected, companies should teach their employees how to recognize Azure, AWS, and GCP object store URLs, so they can tell when a site might be malicious, said the release.
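The URL recognition recommended above can also be automated over links pulled from mail or proxy logs. The following is an added example, not code from the Netskope release: the hostname suffixes are the providers' public object-store domains, while the account names, bucket names and sample URLs are constructed.

```python
import re
from urllib.parse import urlsplit

# Public object-store hostnames. Content served from them is uploaded by
# customers, even though the TLS certificate belongs to the cloud provider.
OBJECT_STORE_HOSTS = [
    ("Azure Blob Storage", re.compile(r"^(?P<tenant>[a-z0-9]{3,24})\.blob\.core\.windows\.net$")),
    ("AWS S3", re.compile(r"^(?:(?P<tenant>.+)\.)?s3(?:[.-][a-z0-9-]+)*\.amazonaws\.com$")),
    ("Google Cloud Storage", re.compile(r"^(?:(?P<tenant>.+)\.)?storage\.googleapis\.com$")),
]


def classify_url(url):
    """Return (provider, tenant) if the URL points at an object store, else None.

    tenant is the storage account or bucket: taken from the hostname when
    present, otherwise from the first path segment (path-style addressing).
    """
    parts = urlsplit(url)
    # Normalise case and a trailing root dot before matching the full hostname.
    host = (parts.hostname or "").rstrip(".").lower()
    for provider, pattern in OBJECT_STORE_HOSTS:
        match = pattern.match(host)
        if match:
            tenant = match.group("tenant")
            if tenant is None:
                segments = [s for s in parts.path.split("/") if s]
                tenant = segments[0] if segments else ""
            return provider, tenant
    return None


def flag_urls(urls):
    """Map each object-store URL to its (provider, tenant) for analyst review."""
    return {u: hit for u in urls if (hit := classify_url(u))}


# Constructed sample URLs (hypothetical account and bucket names).
SAMPLE_URLS = [
    "https://exampleacct123.blob.core.windows.net/docs/login.html",
    "https://example-bucket.s3.us-west-2.amazonaws.com/review.html",
    "https://storage.googleapis.com/example-bucket/review.html",
    "https://login.microsoftonline.com/common/oauth2/authorize",
    "https://blob.core.windows.net.example.org/login.html",  # suffix is not at the end
]

if __name__ == "__main__":
    for url, (provider, tenant) in flag_urls(SAMPLE_URLS).items():
        print(f"{provider:22} {tenant:18} {url}")
```

A hit means only that the page is customer-hosted content on a provider domain, so a login form at such a URL deserves review rather than automatic blocking.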

Netskope also recommends protecting your company from cloud-based phishing campaigns by using a real-time visibility and control solution to monitor activities, deploying threat and malware protection, and keeping systems and antivirus software updated.

The big takeaways for tech leaders:

  • A recent phishing attack using a PDF decoy that impersonated a Denver law firm was stealing clients’ Office 365 credentials.
  • The phishing bait was hosted in Azure blob storage and contained a Microsoft-issued domain and SSL certificate, making it particularly believable.