The team at CYDEF observed an increasing proportion of phishing attempts that leverage trusted sites to bypass filtering resources. The following post describes some of the detected campaigns and discusses security awareness programs.
Phishing Off the River
In recent posts we took an in-depth look at anti-virus bypass, especially living-off-the-land techniques.
The general concept of these techniques is that, by abusing trusted resources, an attacker can capitalize on the trusted resource’s good reputation to execute malicious code.
We didn’t, however, address LoL attacks used in phishing campaigns. Given that phishing campaigns are one of the top threats facing SMBs, they certainly deserve some attention.
A Phishing Tour
Whenever the team at CYDEF detects a phishing attack, we like to provide our clients with ample evidence of the attack. We combed through our evidence repository to assemble a series of screenshots that demonstrate the types of phishing attacks detected by CYDEF analysts.
Most of the links are no longer valid, and parts of the screenshots have been anonymized. We did this to ensure the attacks could not be traced back to specific clients. This is especially relevant for the more targeted campaigns.
Campaign #1: LoL Attacks Using Microsoft OneDrive
The most convincing phishing campaigns that we’ve seen use Microsoft’s OneDrive service for their “living-off-the-land” style phishing attacks (let’s call those phishing off the river).
In the following incident, the attackers created a OneNote document and circulated it within an email containing a OneDrive link.
The OneNote document displayed a document icon and a link to the document. When shared with a victim, the link directed the user to a phishing page. That page prompted the victim to provide Office365 authentication.
A user might expect a similar prompt when accessing an access-controlled document on their corporate network.
Figure 1: Landing page for Campaign #1
However, the attacker made an operational mistake.
The icon in the OneNote is for Microsoft Word, but the document displayed on the credential harvesting page is a PDF file.
While our analysts spotted this error, it is unlikely that a user would notice. (Would you notice it before reading the previous sentence?)
Figure 2: Credential harvesting page for Campaign #1
In this case, the email blast targeted multiple users. More than 10 people clicked on the link.
Campaign #2: Business Partner Impersonation
We’ve noted that the most successful attacks rely on targeted campaigns. Both campaign #1 and campaign #2 were built to target a specific client.
Both campaigns included a file name related to the client’s specific business.
In each case, the attacker ensured that the document referenced in the campaign would resemble documents users would expect in an unprompted email.
In this second case, the campaign impersonated a known business partner and targeted a single user.
Figure 3: Landing page for Campaign #2
Figure 4: Credential harvesting page for Campaign #2
Campaign #3: SharePoint Phishing
Attackers also leveraged faked SharePoint links, disguised as legitimate cloud services. (Note that the Google API link has been obscured by a link-shortener service.)
Figure 5: Landing page for Campaign #3
Once a link was clicked, the victim would be directed to a phishing page. That page prompted the victim to provide Office365 authentication.
Figure 6: Credential harvesting page for Campaign #3
Campaign #4: Milanote App Spoof
Even more obscure cloud services can be abused as well.
Below we see a Milanote app pretending to be a voicemail system.
Figure 7: Landing page for Campaign #4
Again, the victim would be directed to a phishing page and prompted to provide Office365 authentication in order to listen to the fake audio message.
Figure 8: Credential harvesting page for Campaign #4
Successful Phishing Campaigns Rely on a Good Reputation
All these campaigns have one thing in common: they rely on a landing page hosted on a site with a good reputation.
When victims click on the link, there is no protective layer that prevents them from reaching the landing page.
There is some protection that will stop them from reaching the credential harvesting page. In our experience with these campaigns, this protection is often a few days late.
I approximate that there’s a 50-50 chance of these sites being blocked with Google Safe Browsing or by an AV reputation engine when we access them.
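As an added example (not CYDEF’s code), here is the triage logic a defender could run over the links in a reported email to spot the pattern described above: a landing page on a reputable host that hands off to a sign-in page hosted elsewhere. The host lists, the redirect map and the sample email body are constructed assumptions; a live tool would resolve the chain with HEAD requests instead of the offline map.

```python
import re
from urllib.parse import urlparse

# Reputable hosts the four campaigns used as landing pages (constructed list).
TRUSTED_LANDING_HOSTS = {"1drv.ms", "onedrive.live.com", "sharepoint.com", "storage.googleapis.com", "app.milanote.com"}
# Genuine Office 365 sign-in hosts; a sign-in prompt anywhere else is suspect.
LEGIT_LOGIN_HOSTS = {"login.microsoftonline.com", "login.live.com"}
SHORTENER_HOSTS = {"bit.ly", "tinyurl.com", "t.co"}  # Campaign #3 hid its link this way
URL_RE = re.compile(r"https?://[^\s<>\"']+")
LOGIN_HINT_RE = re.compile(r"login|signin|office|o365", re.I)

def host_matches(host, hosts):
    # True if host equals, or is a subdomain of, any entry in hosts.
    host = (host or "").lower()
    return any(host == h or host.endswith("." + h) for h in hosts)

def resolve_chain(url, redirects, max_hops=5):
    """Follow redirects from an offline map (constructed stand-in for HEAD requests)."""
    chain = [url]
    while chain[-1] in redirects and len(chain) <= max_hops:
        chain.append(redirects[chain[-1]])
    return chain

def triage_link(url, redirects):
    """Return triage flags explaining why a trusted-looking link may not be."""
    chain = resolve_chain(url, redirects)
    hosts = [urlparse(u).hostname for u in chain]
    flags = []
    if host_matches(hosts[0], SHORTENER_HOSTS):
        flags.append("shortener")
    # The shared pattern: a reputable landing page that hands off to an external site.
    if any(host_matches(h, TRUSTED_LANDING_HOSTS) for h in hosts) and \
            not host_matches(hosts[-1], TRUSTED_LANDING_HOSTS):
        flags.append("trusted-landing-to-external")
    if LOGIN_HINT_RE.search(chain[-1]) and \
            not host_matches(hosts[-1], LEGIT_LOGIN_HOSTS | TRUSTED_LANDING_HOSTS):
        flags.append("lookalike-login-page")
    return flags

def triage_email(body, redirects):
    # Map every URL found in an email body to its triage flags.
    return {u: triage_link(u, redirects) for u in URL_RE.findall(body)}

# Constructed sample: a Campaign #2-style catalog lure and a Campaign #4-style voicemail lure.
SAMPLE_BODY = ("Please review the Spring Widget Catalog: https://1drv.ms/w/s!constructed-id\n"
               "Voicemail waiting: https://bit.ly/constructed-short")
SAMPLE_REDIRECTS = {
    "https://1drv.ms/w/s!constructed-id": "https://onedrive.live.com/view?id=constructed",
    "https://onedrive.live.com/view?id=constructed": "https://office365-docs.example/login.php",
    "https://bit.ly/constructed-short": "https://storage.googleapis.com/constructed/vm.html",
    "https://storage.googleapis.com/constructed/vm.html": "https://o365-voice.example/signin",
}
```

Because reputation blocking of the credential page lags by days, flagging the hand-off from a trusted host gives an analyst a signal on day one rather than waiting for the feed to catch up.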
Betting that attackers won’t access your business via a phishing attack doesn’t feel like a safe bet.
Security Awareness Tips
One of the top countermeasures to defeat phishing attacks is user education.
By building a security awareness program focused on phishing, users can learn methods to avoid credential harvesting websites. But…it’s never quite that simple.
No awareness campaign, no matter how good, gets click-through on phishing attacks to zero.
There are a few reasons for that.
First, there’s always someone who doesn’t understand or doesn’t pay attention and clicks on the link. Second, there are actually a lot of bad awareness campaigns, especially for phishing.
If you look at the top recommendations for phishing security awareness campaigns, you often see tips that are either calibrated for the wrong threat or that are completely unworkable.
Problem 1: Outdated Phishing Education
The first problem stems from the fact that the recommendations have often been drafted to defeat mass-market phishing from the early 2000s. They tell you to check for misspellings and weird grammar, or to look at the link in the email to make sure it’s not sending you to an Eastern European address, or to be suspicious if they’re asking you to give your credit card number.
While all of this is generally good advice, none of it addresses a spear phishing threat targeting an enterprise customer. As you can see from campaigns #1 and #2, the attackers will invest time to craft a social engineering lure that matches a business. They too pay attention to what is said in user awareness campaigns, and run their email through a spell checker before sending it.
Problem 2: Impossible Advice
The second problem is that bad awareness campaigns plainly ignore how people do business.
Tips to never open links or documents in emails, to avoid opening unsolicited email without first confirming with the sender by phone, or to never give out any information requested in an email are entirely impractical in a normal business environment.
In campaigns #1 and #2, the users received documents by email that would be expected for their business.
In campaign #2, the document was sent by a known business partner. Let’s say you are a widget vendor. You would expect to receive the Spring Widget Catalog from one of your suppliers without you asking for it in advance.
In campaign #4, the email is purportedly from an automated system. Who could you call to make sure it was real?
Phishing Operators are One Step Ahead
Evidently, user education is not as easy a win as you might expect. We should expect phishing operators to evolve new techniques to bypass defenses, including increased user awareness.
Malware operators evolved living-off-the-land to bypass sophisticated AV engines and application allow-listing solutions. Phishing operators will follow their lead.
Take Action Against Endpoint Attacks
It’s important to have a plan to deal with this type of attack. Phishing and malware show no signs of disappearing anytime soon. As previously demonstrated, phishing attacks represent a high volume/high impact type of threat.
If you are interested in knowing more about CYDEF’s approach, don’t hesitate to contact us for more information. We also offer a free proof of value if you’re interested in how CYDEF can be part of your plan to mitigate phishing threats in your enterprise.