Threat actors have been abusing legitimate, cloud-based, file hosting and file sharing services like SharePoint, OneDrive and Dropbox for years, particularly for hosting and distributing malware and for phishing attacks. However, Microsoft security researchers recently stumbled upon a more sophisticated phishing technique where file hosting services are being leveraged to steal user access and identities; a.k.a. identity phishing.

What is Identity Phishing?

Identity phishing is a type of phishing attack where attackers deploy legitimate-looking phishing emails, messages, or websites to deceive and manipulate users into sharing their credentials. In today’s era of cloud computing, identity phishing is dangerous because if attackers somehow compromise someone’s single sign-on, they effectively have unrestricted access to the organization’s data, systems, applications and emails.

Identity phishing doesn’t just lead to data theft – it can also lead to financial fraud, targeted social engineering attacks and lateral movement across endpoints.

How are Legitimate File Hosting Services Used for Identity Phishing?

Modern cyberattacks are multi-staged. Attackers traverse a sequence of steps to reach their final objective. Let’s understand in more detail the various phases of identity phishing attacks:

Initial Access

Initial access is typically the first step in any attack, it’s how attackers infiltrate. Since well-established organizations have mature cybersecurity defenses already installed, threat actors use workarounds like targeting trusted third parties instead. Upon identifying a trusted partner or supplier, threat actors initiate a password spray attack or an adversary-in-the-middle (AitM) attack to compromise a user. Once compromised, attackers host a malicious file on the organization’s file hosting service using deceptive file names. The file names are carefully chosen based on recent themes or topics such as existing audits or conversations and current context (say the attack doesn’t originate from a trusted vendor, threat actors will then pose as IT helpdesk personnel, or as someone from HR or accounting, using associated file names. Threat actors will also draft file names with a sense of urgency, like, “Attention Required” or “Compromised Password Reset.”

Defense Evasion

After threat actors have uploaded the file to the file hosting service and assigned it an appropriate name and context, they proceed to distribute it to their targeted recipients using the service’s sharing features. The triggered email is not a phishing email, but an automated notification meant for a specific recipient. In the case of SharePoint or OneDrive, the file is shared from the compromised user’s email address (as the sender) along with the attacker-supplied description of the file being sent.

In the case of Dropbox, the shared file originates from a generic email address (e.g., [email protected]) with an automatic notification email bearing the subject: “<User> shared <document> with you.” To further evade detection, the hacker employs tactics such as mandating the target to re-authenticate so that only the intended individual can access the file. Secondly, hackers apply restrictions on PDF downloads so that malicious files cannot be detonated or analyzed (using sandboxing tools) before their being downloaded.

Identity Compromise

Once the target opens the shared file, they are directed to an adversary-in-the-middle (AitM) phishing page. While on the front end the user is greeted with a multi-factor authentication (MFA) screen, prompting them to enter their email address and complete a One Time Password (OTP) authentication. On the back end, the phishing page steals the user’s session token when they enter their username and password. Once armed with the newly acquired token, the hacker replays it a few hours later to sign into the victim’s account. After the sign-in is successful, further attacks are launched at other users.

Why are File Hosting Services Being Increasingly Abused?

There are two key reasons why these file-hosting services are ripe for abuse. First, most organizations whitelist these services by default. Email notifications from these platforms are generally allowed by default and are not inspected for maliciousness. In contrast, a threat actor sending a phishing email from a low-reputation domain will have a high probability of being blocked. Secondly, because these file hosting services are well-known and trusted brands, users are more likely to click, download or interact with the URLs or files that are hosted on these services.

How Can Organizations Mitigate the Risks of Identity Phishing?

There are multiple ways organizations can mitigate the risk of identity phishing:

Security training for employees and partners: Deliver regular security awareness training to staff and partner organizations to make them less phish-prone and more security-conscious. Train on using unique, 12-character or more passwords. Monitor and report signs of infiltration.

Advanced security tools: Leverage cybersecurity tools like endpoint detection and response (EDR) and SIEM log analysis to monitor unusual activity across endpoints and networks. Phishing-resistant MFA is a better alternative to regular MFA for preventing identity theft, although MFA is not completely immune to man-in-the-middle attacks. Use a good web security tool to limit users from visiting known malicious websites.

User and network segmentation: Limit privileged access. Monitor privileged users regularly. Reassess privilege access requirements at regular intervals. Use network segmentation to separate critical assets from less secure ones.

Regular security audits: Conduct periodic audits and vulnerability assessments of your applications, networks and authentication processes to identify and address security gaps that could be exploited by AitM attacks.

Use stronger email security and authentication: Implement DMARC, DKIM and SPF protocols (both on senders and receivers) to verify and prove the authenticity of emails, reducing the risk of spoofing and impersonation. Utilize a good anti-spam solution that can identify and flag phishing attempts based on known patterns and heuristics.

Identity is the new perimeter. If an attacker compromises an individual’s identity, they’ve compromised the organization’s perimeter. While technical security controls are extremely important, it is also human intelligence, observation and alertness, combined with basic common sense and security consciousness, which can make the difference between safety and compromise.