Menlo Security Cloud Security Platform is FedRAMP® Authorized
Traditional security approaches are flawed, costly, and overwhelming for security teams. Menlo Security is different. It’s the simplest, most definitive way to secure work—making online threats irrelevant to your users and your business.
Our platform invisibly protects users wherever they go online. So threats are history and the alert storm is over.
Traditional network security wasn’t built to address today’s complex enterprise environments. SASE fixes that problem.
Menlo Labs provides insights, expertise, context and tools to aid customers on their journey to connect, communicate and collaborate securely without compromise. The collective is made up of elite security researchers that put a spotlight on the threats you know and don’t know about.
Menlo Labs provides insights, expertise, context and tools to aid customers on their journey to connect, communicate and collaborate securely without compromise.
Menlo Security | Jul 07, 2019
Share this article
Software as a service (SaaS) is changing the world, as nearly all new businesses use “as a service” solutions to ensure business productivity and seamless collaboration across different functions, both internally and externally to the organization. So why shouldn’t attackers take advantage of this open access and attempt to compromise victims? Well, of course, they have done exactly that. Our data shows that attackers are now jumping on the bandwagon of delivering malware and credential phishing via trusted SaaS brands.
My team here at Menlo Labs (Menlo Security’s research arm) have been analyzing data for the last three quarters to find where malicious websites are hosted. Because we observe all the sites that are proxied via our isolation platform, we have visibility of all the clicks and website visits from the millions of users we protect. (And because we isolated these clicks and visits, our customers were protected from any attacks.)
A unique insight we have is knowing which websites were considered benign at the time of click and were later discovered to be malicious—they went from “good” to “bad.”
We found that the threat landscape is clearly shifting, with attackers abusing cloud storage platforms such as OneDrive and G Drive to host their payloads. This shift presents challenging questions for enterprises, including:
Since all these attacks are hosted on legitimate sites that are regularly used by enterprises, security vendors that depend on whitelists face an additional challenge. The problem is amplified in the case of credential phishing attacks, since legacy vendors have no visibility into the URL embedded within the shared document, and also because credential phishing attacks are harder to identify as a result of their very nature. Credential phishing takes advantage of the fact that humans are inherently trusting, and thus are vulnerable to attacks that aim to exploit that trust.
In this blog we’re going to detail a couple of attacks that Menlo Labs identified, which were hosted on public cloud platforms. The diagram below provides a general outline of how these attacks work.
Menlo Labs observed a phishing campaign that specifically targeted the finance and airline industries. A malicious document hosted on a cloud file-sharing platform (Egnyte) was shared with the victims who were targeted.
The victim received a message seemingly from Egnyte, informing them that a document had been shared with them. After clicking on the link in the message, the victim was taken to a PDF file hosted on Egnyte. Below is a screenshot of the malicious PDF.
Clicking on Access Document in the PDF file takes the user to another link: hxxps[://]coatofthesmile.info/Henry/index.php?unionmars=jupitortea/. This is the credential phishing page that spoofs the actual Microsoft login page.
We believe these documents were shared from accounts of compromised users whose companies used Egnyte for their own enterprise needs.
The most recent credential phishing campaign that we identified was hosted on Microsoft OneDrive. The URL was shared via email, and it opened a document when clicked. The image below shows the actual malicious document that was hosted on OneDrive.
Clicking either the Preview or Download button took the victim to hxxps://nwx.pt/Office365/, which was designed to look like a legitimate Microsoft login page.
Menlo Labs has seen an increase in malicious payloads hosted on OneDrive across our customer base. OneDrive is clearly the winner.
Following is just a snippet of the list of malware families that Menlo Security blocked, and that were hosted on popular cloud storage platforms:
Posted by Menlo Security on Jul 07, 2019
Tagged with Cloud Security, Threat Trends
Threat Trends & Research
To talk to a Menlo Security expert, complete the form, or call us at (650) 695-0695.