Using legitimate email accounts is a great way for phishing emails to avoid being identified. Hosting malicious files on Box is another. Put them together and this attack reaches your Inbox.
It’s good to see security vendors like Armorblox posting the technical details on how a phishing attack successfully avoids detection; it helps the industry respond by evolving their detection techniques, and helps users understand what to look for (in cases where the only tell-tale signs are ones that are more “this doesn’t look right” than “this is a clear sign of malicious activity”).
In the case of the latest credential phishing attack on Armorblox’s blog, the attack first leverages a legitimate but previously compromised email account of a vendor (in their presented example, a mortgage funding company). This account was then used to send emails to potential victims claiming they contained closing documents. The end game for this attack is to steal the Office 365 credentials of the phished victim.
Here’s why this attack got all the way to Inboxes:
- It used a legitimate email account – SPF and DMARC records help establish safe senders, thereby elevating the likelihood that this is a real email and lowering the defenses of security solutions.
- It used Box to host the initial phishing page – made to look like a OneDrive document (despite being hosted on Box), the page bypasses filters that block known-malicious domains.
- The spoofed Office 365 logon page was accessed via a zero-day link – by hosting the logon page impersonating Office 365 on a legitimate (but compromised) website, the attackers again bypass the appropriate filters.
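The three points above all come down to the same gap: sender authentication passing and a known-good hosting domain do not, on their own, say anything about what the link claims to be. The following is an added example (not code from Armorblox or from this post) of a small triage check a mail-security team could run over an inbound message: it reads the SPF/DKIM/DMARC verdicts from the Authentication-Results header and then looks for links whose anchor text names a brand (OneDrive, Office 365) while the URL host belongs to none of that brand’s domains. The brand-to-domain table, the sample message, the sender domains and the Box share id are all constructed assumptions for this illustration.

```python
import re
from email import message_from_string
from email.message import Message
from urllib.parse import urlparse

# Assumption: a minimal brand-to-domain table; a real deployment would
# maintain a fuller list of each brand's legitimate hosting domains.
BRAND_DOMAINS = {
    "onedrive": {"onedrive.live.com", "1drv.ms", "sharepoint.com"},
    "office 365": {"login.microsoftonline.com", "office.com"},
}

HREF_RE = re.compile(r'<a[^>]+href="([^"]+)"[^>]*>(.*?)</a>', re.I | re.S)

# Constructed sample message: authentication passes for the (assumed)
# vendor domain, but the "OneDrive" link points at a Box share.
# The share id is a placeholder, not a real or observed value.
RAW_EMAIL = """\
Authentication-Results: mx.example.net; spf=pass smtp.mailfrom=vendor.example; dkim=pass header.d=vendor.example; dmarc=pass header.from=vendor.example
From: Loan Officer <closing@vendor.example>
To: buyer@victim.example
Subject: Closing documents ready
Content-Type: text/html; charset="utf-8"

<html><body>
<p>Your closing documents are ready for review.</p>
<p><a href="https://app.box.com/s/placeholder-share-id">Open in OneDrive</a></p>
</body></html>
"""

# Same message with the link pointing at a genuine OneDrive host (constructed).
CLEAN_EMAIL = RAW_EMAIL.replace(
    "https://app.box.com/s/placeholder-share-id",
    "https://onedrive.live.com/placeholder-document",
)


def auth_results(msg: Message) -> dict:
    """Extract spf/dkim/dmarc verdicts from the Authentication-Results header."""
    header = msg.get("Authentication-Results", "")
    pairs = re.findall(r"\b(spf|dkim|dmarc)=(\w+)", header, re.I)
    return {k.lower(): v.lower() for k, v in pairs}


def brand_mismatches(html: str) -> list:
    """Return (brand, host) pairs where the anchor text names a brand but the
    link host is outside that brand's known domains."""
    findings = []
    for href, text in HREF_RE.findall(html):
        plain = re.sub(r"<[^>]+>", "", text).strip().lower()
        host = (urlparse(href).hostname or "").lower()
        for brand, domains in BRAND_DOMAINS.items():
            if brand in plain and not any(
                host == d or host.endswith("." + d) for d in domains
            ):
                findings.append((brand, host))
    return findings


def assess(raw: str) -> dict:
    """Triage one raw RFC 822 message (single-part text/html assumed)."""
    msg = message_from_string(raw)
    auth = auth_results(msg)
    authenticated = all(auth.get(k) == "pass" for k in ("spf", "dmarc"))
    html = msg.get_payload(decode=True).decode(msg.get_content_charset() or "utf-8")
    mismatches = brand_mismatches(html)
    return {
        "sender_authenticated": authenticated,
        "brand_mismatches": mismatches,
        # A passing SPF/DMARC result must not clear a brand/host mismatch.
        "flag_for_review": bool(mismatches),
    }


if __name__ == "__main__":
    for label, sample in (("box-hosted", RAW_EMAIL), ("onedrive-hosted", CLEAN_EMAIL)):
        print(label, assess(sample))
```

Run as-is, the Box-hosted sample reports sender authentication as passed yet is still flagged, because the link text says OneDrive while the host is app.box.com; the OneDrive-hosted variant is not flagged. The point is the ordering of the logic: authentication results gate sender identity, not link content, so the brand check runs regardless of the SPF/DMARC verdict.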
Organizations targeted by a campaign such as this one can best protect themselves through effective Security Awareness Training. The signs that this was fake were there from the moment it was sent. Click the link to the Armorblox blog and you’ll see how obvious it is to a trained eye, one that your users can have with proper training.