New Phishing Attack Uses a Compromised Vendor Account and Box to Elude Detection

Using legitimate email accounts is a great way for phishing emails to avoid being identified. Hosting malicious files on Box is another. Put them together and this attack reaches your Inbox.

It’s good to see security vendors like Armorblox posting the technical details on how a phishing attack successfully avoids detection; it helps the industry respond by evolving their detection techniques, and helps users understand what to look for (in cases where the only tell-tale signs are ones that are more “this doesn’t look right” than “this is a clear sign of malicious activity”).

In the case of the latest credential phishing attack on Armorblox’s blog, the attack first leverages a legitimate previously-compromised email account of a vendor (in their presented example, a mortgage funding company). This account was then used to send emails to potential victims claiming it contained closing documents. The end game for this attack is to steal the Office 365 credentials of the phished victim.

Here’s why this attack got all the way to Inboxes:

  • It used a legitimate email account – SPF and DMARC checks pass for the genuine sending domain, so the message looks like it comes from a safe sender, raising the likelihood that it is treated as a real email and lowering the defenses of security solutions.
  • It used Box to host the initial phishing page – made to look like a OneDrive document (despite being hosted on Box), the page bypasses filters that block known-malicious domains.
  • The spoofed Office 365 logon page was accessed via a zero-day link – by hosting the logon page impersonating Office 365 on a legitimate (but compromised) website, the attackers again bypass the filters that would otherwise catch it.
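A defender-side triage heuristic that follows from these three points, added here as an example and not part of the Armorblox write-up: SPF/DMARC results are recorded but never exempt a message (a compromised account passes both), and a link whose visible text names one brand while its host belongs to another (the OneDrive-styled page hosted on Box) is flagged. The sample message, its domains and the brand-to-host map are constructed for illustration.

```python
import re
from email import message_from_string
from email.message import Message
from urllib.parse import urlparse

# Constructed sample modelled on the lure described above: a compromised
# vendor account (passes SPF/DMARC) announcing "closing documents" with a
# OneDrive-looking link that actually lands on Box. Not real data.
SAMPLE_EMAIL = """\
From: escrow@example-mortgage-vendor.test
To: buyer@example-company.test
Subject: Closing documents ready for review
Authentication-Results: mx.example-company.test; spf=pass; dmarc=pass
Content-Type: text/html

<p>Your closing documents are ready.</p>
<a href="https://app.box.com/s/placeholder-share-id">Open in OneDrive</a>
"""

# Brands commonly impersonated in lures and the hosts they legitimately use.
# Illustrative mapping, not an exhaustive allow-list.
BRAND_HOSTS = {
    "onedrive": ("onedrive.live.com", "1drv.ms", "sharepoint.com"),
    "office 365": ("microsoftonline.com", "office.com", "microsoft.com"),
}

LINK_RE = re.compile(r'<a\s[^>]*href="([^"]+)"[^>]*>(.*?)</a>', re.I | re.S)

def host_matches(host: str, suffixes) -> bool:
    return any(host == s or host.endswith("." + s) for s in suffixes)

def brand_host_mismatches(msg: Message) -> list:
    """Each anchor whose text names a brand but whose href host is not one
    of that brand's own domains (the OneDrive-on-Box tell)."""
    body = msg.get_payload(decode=True).decode()
    findings = []
    for href, text in LINK_RE.findall(body):
        host = (urlparse(href).hostname or "").lower()
        for brand, hosts in BRAND_HOSTS.items():
            if brand in text.lower() and not host_matches(host, hosts):
                findings.append({"brand": brand, "host": host, "text": text})
    return findings

def triage(raw: str) -> dict:
    """Authentication results are reported but do not short-circuit the
    content check: a compromised legitimate account passes SPF and DMARC."""
    msg = message_from_string(raw)
    auth = msg.get("Authentication-Results", "").lower()
    mismatches = brand_host_mismatches(msg)
    return {"spf_pass": "spf=pass" in auth, "dmarc_pass": "dmarc=pass" in auth,
            "mismatches": mismatches, "suspicious": bool(mismatches)}
```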

Organizations targeted by a campaign like this one can protect themselves through effective Security Awareness Training. The signs that this was fake were everywhere from the moment it was sent. Click the link to the Armorblox blog and you’ll see how very obvious it is to a trained eye, one that your users can have with proper training.

Free Phishing Security Test

Would your users fall for convincing phishing attacks? Take the first step now and find out before bad actors do. Plus, see how you stack up against your peers with phishing Industry Benchmarks. The Phish-prone percentage is usually higher than you expect and is great ammo to get budget.

Here's how it works:

  • Immediately start your test for up to 100 users (no need to talk to anyone)
  • Select from 20+ languages and customize the phishing test template based on your environment
  • Choose the landing page your users see after they click
  • Show users which red flags they missed, or a 404 page
  • Get a PDF emailed to you in 24 hours with your Phish-prone % and charts to share with management
  • See how your organization compares to others in your industry
