The “Evernote for creatives” collaborative platform is being used to host malicious links on a legitimate service, pointing victims to phishing links and bypassing detection mechanisms.
This isn’t the first time we’ve seen legitimate services being misused to host malicious content and links. Cloud-based services including SharePoint, OneDrive, Dropbox, Google Drive, and many, many more have all been made use of by one threat actor or another over the years. The principle is simple: use a legitimate service to host malicious links and similar content, hoping that the guise of living on a known-good platform will be enough to throw off security solutions designed to detect malicious content.
In the case of a new attack discovered by security researchers at Avanan, the Milanote collaboration platform is the latest in the long list of misused services. According to Avanan, emails are sent under the guise of a due invoice, complete with attachment. The attachment contains a link to the Milanote platform which, in turn, contains a link to malicious content.
The good news for organizations is that the creative effort put into this is so bad that it should be obvious to anyone that this is anything but an invoice:
Users who have been educated using Security Awareness Training will spot this for what it is at the initial email, let alone the barren-looking initial link, or the supposed invoice PDF above. Teach your users that methods requiring multiple steps to avoid detection should be a red flag, as an invoice should be nothing more than an attached PDF or a link to a legitimate invoicing site (e.g., QuickBooks, Bill, etc.).
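The red flag described above can also be checked mechanically at the mail gateway. The following is an added detection sketch, not code from Avanan or the original article: it flags invoice-themed emails whose attachments contain links to a file-sharing or collaboration service. The hostname list, keyword list, HTML attachment type and sample message are all assumptions constructed for illustration.

```python
import re
from email import message_from_string, policy
from email.message import EmailMessage
from urllib.parse import urlparse

# Assumed hostnames for the services the article names; tune for your environment.
HOSTING_DOMAINS = {"milanote.com", "sharepoint.com", "onedrive.live.com",
                   "dropbox.com", "drive.google.com"}
INVOICE_WORDS = re.compile(r"\b(invoice|payment|overdue|remittance)\b", re.I)
URL_RE = re.compile(r"https?://[^\s\"'<>)]+", re.I)

def on_hosting_service(url):
    """True when the URL's host is, or is a subdomain of, a listed service."""
    host = (urlparse(url).hostname or "").lower()
    return any(host == d or host.endswith("." + d) for d in HOSTING_DOMAINS)

def review_email(raw):
    """Return (filename, url) pairs for hosting-service links found inside
    the attachments of an invoice-themed message; an empty list means no flag."""
    msg = message_from_string(raw, policy=policy.default)
    body = msg.get_body(preferencelist=("plain", "html"))
    text = (msg["Subject"] or "") + " " + (body.get_content() if body else "")
    if not INVOICE_WORDS.search(text):
        return []
    hits = []
    for part in msg.iter_attachments():
        payload = part.get_payload(decode=True) or b""  # None for nested multiparts
        for url in URL_RE.findall(payload.decode("utf-8", "replace")):
            if on_hosting_service(url):
                hits.append((part.get_filename(), url))
    return hits

def build_sample(url, subject="Invoice due"):
    """Constructed test message: a plain body plus an HTML attachment with one link."""
    m = EmailMessage()
    m["Subject"] = subject
    m["From"] = "billing@example.test"
    m["To"] = "user@example.test"
    m.set_content("See attachment.")
    m.add_attachment(f'<a href="{url}">View invoice</a>',
                     subtype="html", filename="invoice.html")
    return m.as_string()

if __name__ == "__main__":
    print(review_email(build_sample("https://app.milanote.com/EXAMPLE-BOARD")))
```

A hit is a reason to hold the message for review, not proof of phishing, since these services also carry legitimate shared documents.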