Software as a service (SaaS) is changing the world: nearly every new business uses "as a service" solutions for productivity and collaboration across functions, both inside and outside the organization. So why wouldn't attackers take advantage of this open access to reach victims? Of course, they have done exactly that. Our data shows that attackers are now delivering malware and credential phishing through trusted SaaS brands.
My team here at Menlo Labs (Menlo Security's research arm) has been analyzing data from the last three quarters to find out where malicious websites are hosted. Because every site our customers visit is proxied through our isolation platform, we have visibility into the clicks and website visits of the millions of users we protect. (And because those clicks and visits were isolated, our customers were protected from the attacks described here.)
A unique insight we have is knowing which websites were considered benign at the time of click and were later discovered to be malicious—they went from “good” to “bad.”
We found that the threat landscape is clearly shifting, with attackers abusing cloud storage platforms such as OneDrive and Google Drive to host their payloads. This shift raises hard questions for enterprises, including:
- How do we differentiate between good and bad websites?
- What websites and links can our employees trust?
Because these attacks are hosted on legitimate sites that enterprises use every day, security products that rely on whitelists face an additional challenge: the hosting domain is one they were told to trust. The problem is amplified for credential phishing, since legacy products have no visibility into the URL embedded inside the shared document, and since credential phishing is harder to identify by its very nature: there is no malicious file to scan, only a page asking for a password. Credential phishing takes advantage of the fact that humans are inherently trusting, and thus are vulnerable to attacks that aim to exploit that trust.
In this blog we’re going to detail a couple of attacks that Menlo Labs identified, which were hosted on public cloud platforms. The diagram below provides a general outline of how these attacks work.
Credential Phishing on Egnyte
Menlo Labs observed a phishing campaign that specifically targeted the finance and airline industries. A malicious document hosted on the cloud file-sharing platform Egnyte was shared with the targeted victims.
The victim received a message that appeared to come from Egnyte, informing them that a document had been shared with them. Clicking the link in the message took the victim to a PDF file hosted on Egnyte. Below is a screenshot of the malicious PDF.
Clicking Access Document in the PDF takes the user to a second link: hxxps[://]coatofthesmile.info/Henry/index.php?unionmars=jupitortea/. This is the credential phishing page, which spoofs the actual Microsoft login page. Note that the phishing page itself is not on Egnyte at all; only the first hop is.
We believe these documents were shared from accounts of compromised users whose companies used Egnyte for their own enterprise needs.
Credential Phishing on OneDrive
The most recent credential phishing campaign we identified was hosted on Microsoft OneDrive. The URL was shared via email and opened a document when clicked. The image below shows the actual malicious document hosted on OneDrive.
Clicking either the Preview or Download button took the victim to hxxps://nwx.pt/Office365/, a page designed to look like the legitimate Microsoft login page. The Office365 string appears only in the URL path; the domain itself has no relation to Microsoft.
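The chain in both campaigns above is the same: a share notification from a trusted platform, a document hosted on that platform, and a link inside the document that leads off-platform to a spoofed login page. A domain whitelist only ever sees the first hop. The following Python script is an added example, not Menlo Security's code or product logic: it extracts the link from a constructed PDF, classifies each hop against an assumed SaaS allowlist and an assumed list of genuine Microsoft sign-in domains, and flags brand tokens such as Office365 appearing on a domain the brand does not own. The hosting URLs, the PDF, and both domain lists are constructed for illustration; only the two phishing URLs come from the post.

```python
"""
Added example (not Menlo Security's code): triage a document shared from a
trusted SaaS platform by following the link embedded inside it, instead of
trusting the hosting domain alone.
"""
import re
from urllib.parse import urlparse

# Assumption: the enterprise's own allowlist of SaaS hosting platforms,
# matched by host suffix the way a URL-filtering product would.
TRUSTED_SAAS = ("egnyte.com", "onedrive.live.com", "1drv.ms", "sharepoint.com")

# Assumption: a short illustrative list of domains where a genuine Microsoft
# sign-in page can legitimately live, and the brand tokens a spoof borrows.
BRAND_DOMAINS = {"microsoft": ("microsoft.com", "microsoftonline.com", "live.com", "office.com")}
BRAND_TOKENS = {"microsoft": ("office365", "microsoft", "o365", "outlook")}


def refang(url):
    """Turn the hxxps[://] and [.] notation used in threat reports back into a real URL."""
    return url.replace("hxxp", "http").replace("[://]", "://").replace("[.]", ".")


def host_matches(host, domains):
    host = host.lower()
    return any(host == d or host.endswith("." + d) for d in domains)


def extract_pdf_uris(pdf_bytes):
    """Pull every /URI action out of an uncompressed PDF.

    A regex is enough for this illustration; production code should walk the
    object tree with a real parser, since link actions can sit in compressed streams.
    """
    return [m.decode("latin-1") for m in re.findall(rb"/URI\s*\(([^)]*)\)", pdf_bytes)]


def classify_link(url):
    """One of: trusted-saas, genuine-<brand>, lookalike-<brand>, untrusted."""
    parsed = urlparse(refang(url))
    host, path = (parsed.hostname or ""), parsed.path.lower()
    if host_matches(host, TRUSTED_SAAS):
        return "trusted-saas"
    for brand, domains in BRAND_DOMAINS.items():
        if host_matches(host, domains):
            return "genuine-" + brand
        # Brand words in the host or path of a domain the brand does not own:
        # the nwx.pt/Office365/ pattern, i.e. a spoofed login page.
        if any(token in host.lower() or token in path for token in BRAND_TOKENS[brand]):
            return "lookalike-" + brand
    return "untrusted"


def analyze_share(hosting_url, embedded_links):
    """Verdict for one shared document: hosting platform, every embedded hop,
    and whether a hosting-domain allowlist alone would have let it through."""
    hops = [(link, classify_link(link)) for link in embedded_links]
    verdicts = [v for _, v in hops]
    if any(v.startswith("lookalike-") for v in verdicts):
        verdict = "block"    # points at a spoofed login page
    elif "untrusted" in verdicts:
        verdict = "review"   # leaves the trusted platform for an unknown domain
    else:
        verdict = "allow"
    return {
        "hosting": classify_link(hosting_url),
        "hops": hops,
        "verdict": verdict,
        # True means a whitelist keyed on the hosting domain sees nothing wrong.
        "allowlist_would_pass": classify_link(hosting_url) == "trusted-saas",
    }


# Constructed sample: a minimal uncompressed PDF whose only link is the
# "Access Document" action from the Egnyte campaign (URL kept in the post's
# defanged form so the refang step is exercised).
SAMPLE_PDF = b"""%PDF-1.4
1 0 obj << /Type /Catalog /Pages 2 0 R >> endobj
2 0 obj << /Type /Pages /Kids [3 0 R] /Count 1 >> endobj
3 0 obj << /Type /Page /Parent 2 0 R /MediaBox [0 0 612 792] /Annots [4 0 R] >> endobj
4 0 obj << /Type /Annot /Subtype /Link /Rect [72 600 300 640]
  /A << /S /URI /URI (hxxps[://]coatofthesmile.info/Henry/index.php?unionmars=jupitortea/) >> >> endobj
trailer << /Root 1 0 R >>
%%EOF
"""

if __name__ == "__main__":
    # Hosting URLs below are made up; only the phishing hops come from the post.
    egnyte = analyze_share("https://example.egnyte.com/dl/AccessDocument.pdf",
                           extract_pdf_uris(SAMPLE_PDF))
    onedrive = analyze_share("https://onedrive.live.com/view.aspx?resid=EXAMPLE",
                             ["hxxps://nwx.pt/Office365/"])
    for name, result in (("Egnyte share", egnyte), ("OneDrive share", onedrive)):
        print(name, result["verdict"], "| allowlist alone would pass:", result["allowlist_would_pass"])
        for link, verdict in result["hops"]:
            print("   ", verdict, "<-", link)
```

Run it as a script to see both verdicts. The value to watch is allowlist_would_pass: it is True for both shares, which is exactly why a hosting-domain whitelist lets these documents through while the embedded hop, the part legacy products never inspect, is what reveals the phish. The Egnyte hop carries no brand token and is only marked for review; detecting that one as a Microsoft spoof needs the rendered page, not just the URL.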
Malicious Payloads Hosted on OneDrive
Menlo Labs has seen an increase in malicious payloads hosted on OneDrive across our customer base. Of all the cloud storage platforms we observed, OneDrive is the most heavily abused.
The following is just a snippet of the list of malware families and phishing campaigns that Menlo Security blocked and that were hosted on popular cloud storage platforms:
- Adwind (a more detailed analysis will follow in our next blog)
- Multiple PDF credential phishing campaigns
Key Takeaways
- Whitelisting is no longer an effective option: the domains hosting these attacks are the same ones enterprises use for legitimate work.
- Visibility is essential to stop credential phishing. Because the Menlo Security isolation platform acts as the user's browser, it sees every link the user follows, including the one embedded in the shared document, rather than just the hosting domain.
- Sandboxes are failing to identify credential phishing campaigns: there is no malicious file to detonate, only a page that asks for a password.