The days when email was the main vector for phishing attacks are long gone. Now, phishing attacks occur on SMS, voice, social media and messaging apps. They also hide behind trusted services like Azure and AWS. And with the expansion of cloud computing, even more Software-as-a-Service (SaaS) based phishing schemes are possible.

Phishing tactics have evolved faster than ever, and the variety of attacks continues to grow. Security pros need to be aware.

SaaS to SaaS phishing

Instead of building phishing pages from scratch, cyber criminals are increasingly turning to established SaaS platforms to execute their malware schemes. By utilizing legitimate domains to host their phishing campaigns, it’s more challenging for detection engines to identify them. And since SaaS platforms require minimal technical expertise, it’s easier for novice hackers to launch attacks.

The number of phishing URLs hosted on legitimate SaaS platforms has increased at an alarming rate. From June 2021 through June 2022, the rate of newly detected phishing URLs hosted on legitimate SaaS platforms has increased by over 1100%, according to Palo Alto’s Unit 42.

Cyber criminals take advantage of cloud-based SaaS platforms to launch phishing attacks without ever needing to access the victims’ on-premises computers or networks, as HackerNoon cyber expert Zen Chan points out. Chan says that SaaS-based phishing makes it difficult for traditional security measures, such as anti-spam gateways, sandboxing and URL filtering, to detect and flag these malicious activities. With the increasing use of cloud-based office productivity and collaboration tools, attackers can now easily host and share malicious documents, files and malware on reputable domains.

The magnitude of the problem becomes clear when we consider that malicious downloads might originate from platforms such as Google Drive or Dropbox. There, malware is easy to disguise as a picture, invoice image, PDF or important work file. The problem is that in cloud storage, the files are encrypted, which enables security tool evasion. And the malicious files are only decrypted on the victim’s machine, as explained by Check Point researchers.

Examples of SaaS platforms used in phishing campaigns include:

  • File sharing
  • Form builders
  • Website builders
  • Note-taking/collaboration tools
  • Design/prototyping/wireframe
  • Personal branding

Phishing leveraging Azure

In a recent report, Microsoft’s threat analysts detected another type of sophisticated phishing scheme. This campaign employed compromised login information to enroll rogue devices on a targeted network. The infiltrated devices were then utilized to propagate phishing emails. It appears the attacks were successful primarily on accounts that lacked MFA security, making them more vulnerable to takeover.

The attackers employed a DocuSign-themed email tactic, which lured recipients to click on a link to review and sign a document, thereby exposing their login information.

Source: Microsoft

Actors utilized embedded links in the fake DocuSign emails that directed victims to a phishing website. These mimicked the Office 365 login page, complete with pre-filled usernames for added credibility.

Microsoft’s telemetry data revealed that the initial attacks focused on firms in Australia, Singapore, Indonesia and Thailand. It appears that the actors were primarily targeting remote workers, as well as poorly protected managed service points and other infrastructure that may operate outside strict security protocols.

The next stage of the attack

Microsoft’s security team was able to detect the threat by identifying unusual patterns in the creation of inbox rules. Attackers added these rules immediately after gaining control of an inbox. Apparently, the attackers had compromised over a hundred mailboxes across multiple organizations, using malicious mailbox rules named “Spam Filter”. This enabled actors to maintain control over the compromised mailboxes and use them for phishing and other malicious activities.
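The detection described above, written out as an added example for this article (it is not Microsoft's detection logic). The script scans constructed Exchange Online audit records for New-InboxRule operations and flags two things: rules whose actions hide mail (delete, mark read, move to a rarely viewed folder, filter on security keywords) and the cross-mailbox pattern the article mentions, the same rule name created in several mailboxes within one log window. The record layout imitates the exported Unified Audit Log shape, the values are invented, and the folder and keyword lists are assumptions for the demo.

```python
"""Flag suspicious inbox-rule creations in Exchange Online audit records.

Added example for this article, not Microsoft's detection logic. The audit
records below are constructed to resemble Unified Audit Log entries for
New-InboxRule (field names follow the exported shape, values are invented);
the folder and keyword lists are assumptions for the demo.
"""
import json
from collections import defaultdict

# Folders a hiding rule typically routes mail into (assumption for the demo).
HIDING_FOLDERS = {"rss subscriptions", "rss feeds", "archive", "junk email",
                  "deleted items", "conversation history"}
# Keywords that suggest the rule hides security notices or replies to the
# attacker's own lure rather than sorting newsletters (assumption for the demo).
HIDING_KEYWORDS = {"password", "invoice", "docusign", "phish", "hacked",
                   "suspicious", "verify", "compromised"}
RULE_OPERATIONS = ("New-InboxRule", "Set-InboxRule")

# Constructed records, one JSON object per line. Real exports prefix the
# MoveToFolder value with the mailbox path, as in the first record.
SAMPLE_AUDIT_LOG = r'''
{"CreationTime":"2022-01-25T08:12:04","Operation":"New-InboxRule","UserId":"a.lee@example.com","ClientIP":"203.0.113.7","Parameters":[{"Name":"Name","Value":"Spam Filter"},{"Name":"MarkAsRead","Value":"True"},{"Name":"MoveToFolder","Value":"a.lee@example.com:\\RSS Subscriptions"},{"Name":"SubjectOrBodyContainsWords","Value":"docusign;password;hacked"}]}
{"CreationTime":"2022-01-25T08:14:31","Operation":"New-InboxRule","UserId":"b.khan@example.com","ClientIP":"203.0.113.7","Parameters":[{"Name":"Name","Value":"Spam Filter"},{"Name":"DeleteMessage","Value":"True"},{"Name":"SubjectOrBodyContainsWords","Value":"docusign;password;hacked"}]}
{"CreationTime":"2022-01-25T08:15:02","Operation":"New-InboxRule","UserId":"c.ortiz@example.com","ClientIP":"203.0.113.7","Parameters":[{"Name":"Name","Value":"spam filter"},{"Name":"MarkAsRead","Value":"True"},{"Name":"MoveToFolder","Value":"RSS Subscriptions"}]}
{"CreationTime":"2022-01-25T09:02:10","Operation":"New-InboxRule","UserId":"d.nair@example.com","ClientIP":"198.51.100.23","Parameters":[{"Name":"Name","Value":"Newsletters"},{"Name":"MoveToFolder","Value":"Newsletters"},{"Name":"FromAddressContainsWords","Value":"news@vendor.example"}]}
{"CreationTime":"2022-01-25T09:05:44","Operation":"Set-Mailbox","UserId":"admin@example.com","ClientIP":"198.51.100.23","Parameters":[{"Name":"Identity","Value":"d.nair@example.com"}]}
'''


def parse_records(text):
    """One JSON object per non-empty line, the shape an audit-log export produces."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def rule_params(record):
    """Flatten the Parameters array into a {name: value} dict."""
    return {p["Name"]: p["Value"] for p in record.get("Parameters", [])}


def rule_reasons(record):
    """Per-rule indicators that the rule hides mail rather than sorting it."""
    if record.get("Operation") not in RULE_OPERATIONS:
        return []
    p = rule_params(record)
    reasons = []
    if p.get("DeleteMessage") == "True":
        reasons.append("deletes matching mail")
    # Strip a "mailbox:\" prefix so only the folder name is compared.
    folder = p.get("MoveToFolder", "").replace("\\", ":").rsplit(":", 1)[-1].strip().lower()
    if folder in HIDING_FOLDERS:
        reasons.append("moves mail to a rarely viewed folder")
    if p.get("MarkAsRead") == "True" and ("MoveToFolder" in p or "DeleteMessage" in p):
        reasons.append("marks mail read before hiding it")
    words = {w.strip().lower() for w in p.get("SubjectOrBodyContainsWords", "").split(";") if w.strip()}
    hits = sorted(words & HIDING_KEYWORDS)
    if hits:
        reasons.append("filters on security/phishing keywords: " + ", ".join(hits))
    return reasons


def find_suspicious_rules(records, shared_name_threshold=3):
    """Combine per-rule indicators with the cross-mailbox check: the same rule
    name (case-insensitive) appearing in several mailboxes in one window is an
    indicator even when the name itself looks harmless."""
    mailboxes_by_name = defaultdict(set)
    for r in records:
        if r.get("Operation") in RULE_OPERATIONS:
            mailboxes_by_name[rule_params(r).get("Name", "").lower()].add(r["UserId"])
    alerts = []
    for r in records:
        if r.get("Operation") not in RULE_OPERATIONS:
            continue
        name = rule_params(r).get("Name", "")
        reasons = rule_reasons(r)
        seen_in = len(mailboxes_by_name[name.lower()])
        if seen_in >= shared_name_threshold:
            reasons.append(f"same rule name seen in {seen_in} mailboxes")
        if reasons:
            alerts.append({"user": r["UserId"], "rule": name,
                           "client_ip": r.get("ClientIP"), "reasons": reasons})
    return alerts


if __name__ == "__main__":
    for a in find_suspicious_rules(parse_records(SAMPLE_AUDIT_LOG)):
        print(f'{a["user"]:<20} rule={a["rule"]!r:<14} from {a["client_ip"]}: ' + "; ".join(a["reasons"]))
```

Run against the constructed log, the three "Spam Filter" rules are flagged (each for hiding behaviour and for the shared name) while the "Newsletters" rule and the unrelated Set-Mailbox record pass. In production the same logic would consume Search-UnifiedAuditLog output; the shared-name threshold and the window width are the knobs to tune against a tenant's normal rule churn.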

Using the stolen credentials, the intruders gained access to the victim’s email account by installing Outlook on their own machine and logging in with the compromised credentials. From there, the attacker’s device was automatically joined to the company’s Azure Active Directory, because accepting Outlook’s first-launch prompt registers the device with the tenant. Microsoft points out that an MFA policy in Azure AD would have prevented this rogue registration from occurring.

Once the attacker’s device accessed the victim’s network, the intruders began the second phase of their campaign. They sent phishing emails to employees of the targeted firm, as well as external targets such as contractors, suppliers or partners. As these phishing messages originate from within a trusted workspace, they carry an element of legitimacy, and security solutions are less likely to flag them.

Phishing leveraging Amazon Web Services

Cyber criminals are also using Amazon Web Services (AWS) to bypass automated security scanners and launch phishing attacks, as per Avanan. Actors have leveraged the ability to use an AWS service to create and host web pages using WordPress or custom code. From there, they can send phishing messages that carry the AWS name to corporate email systems. This enables the emails to evade scanners that would typically block such messages and adds an extra layer of legitimacy to deceive victims.

Another recently highlighted phishing campaign leverages AWS and employs unusual syntax construction in the messages to evade scanners. Email services that rely on static allow or block lists to secure email content are not immune to these attacks. These services evaluate only whether a website’s domain is considered safe. But Amazon Web Services is too large and prevalent to block, so scanners will always mark it as safe.

It’s not uncommon for attackers to piggyback on well-known brand names for phishing campaigns. Avanan has reported that attackers have used QuickBooks, PayPal and Google Docs to increase the chances of their messages landing in the inbox.

Phishing with QR codes

Last but not least, Zen Chan also shed light on another type of phishing attack called QRishing. These attacks embed malware links in QR codes included in emails. This makes them difficult to detect for most email security solutions. QRishing can also potentially lead victims to connect to an unsecured WiFi network, allowing attackers to capture sensitive information.

Today, people use QR codes to access menus, check in for health services and access public or organizational information. But rogue QR codes are also on the rise. Criminals can even print malicious QR codes on a sticker and paste it over a legitimate QR code.

To make things even more complex, attackers are using social engineering tactics by inserting fake QR codes into phishing text messages (SMishing plus QRishing) or social media platforms. When scanned, these infected codes redirect victims to phishing sites, where they may be prompted to enter login credentials which can then be stolen by the attackers.
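A triage step for the decoded contents of a QR code, covering the two risks the QR paragraphs above describe: a code that joins the phone to an open WiFi network, and a code that sends the user to a credential-harvesting page. This is an added example for this article, not code from Zen Chan or any scanner app. It assumes the scanner has already turned the image into text, follows the `WIFI:T:..;S:..;P:..;;` text convention used by ZXing-style scanner apps, and every sample payload is constructed.

```python
"""Triage the text inside a QR code before acting on it.

Added example for this article, not from Zen Chan or any scanner vendor. It
assumes the QR content has already been decoded to text and uses the
WIFI:T:..;S:..;P:..;; convention that ZXing-style scanner apps follow; the
MAILTO/TEL/SMS prefixes are the common conventions. Every sample payload is
constructed.
"""
import ipaddress
from urllib.parse import urlparse

SAMPLE_PAYLOADS = [  # constructed
    "WIFI:T:nopass;S:Free Cafe WiFi;;",
    "WIFI:T:WPA;S:Office\\;Guest;P:s3cr\\:et;H:true;;",
    "https://login.example.com@198.51.100.4/verify",
    "http://menu.example.com/table/12",
    "https://menu.example.com/table/12",
    "mailto:support@example.com?subject=Order",
]


def parse_wifi_payload(payload):
    """Split WIFI:key:value;key:value;; into a dict, honouring backslash escapes
    so an SSID or password may itself contain ';' or ':'."""
    body = payload[len("WIFI:"):]
    fields, key, buf, i = {}, None, [], 0
    while i < len(body):
        ch = body[i]
        if ch == "\\" and i + 1 < len(body):   # escaped character, take literally
            buf.append(body[i + 1])
            i += 2
            continue
        if key is None:
            if ch == ":":
                key, buf = "".join(buf), []
            elif ch != ";":                    # ';' with no key is the terminator
                buf.append(ch)
        elif ch == ";":
            fields[key], key, buf = "".join(buf), None, []
        else:
            buf.append(ch)
        i += 1
    return fields


def assess_qr_payload(payload):
    """Classify a decoded payload and list why a user should pause before following it."""
    p = payload.strip()
    upper = p.upper()
    reasons = []
    if upper.startswith("WIFI:"):
        f = parse_wifi_payload(p)
        open_net = f.get("T", "").upper() in ("", "NOPASS")
        if open_net:
            reasons.append("open network: anyone nearby can observe the traffic")
        if f.get("H", "").lower() == "true":
            reasons.append("hidden SSID")
        return {"kind": "wifi", "ssid": f.get("S", ""),
                "risk": "high" if open_net else "low", "reasons": reasons}
    if upper.startswith(("HTTP://", "HTTPS://")):
        u = urlparse(p)
        host = u.hostname or ""
        spoofed = u.username is not None        # "trusted.example@real-host" trick
        if spoofed:
            reasons.append("text before '@' hides the real host: " + host)
        try:
            ipaddress.ip_address(host)
            raw_ip = True
            reasons.append("raw IP address instead of a domain")
        except ValueError:
            raw_ip = False
        plain = u.scheme.lower() != "https"
        if plain:
            reasons.append("not https")
        risk = "high" if (spoofed or raw_ip) else "review" if plain else "low"
        return {"kind": "url", "host": host, "risk": risk, "reasons": reasons}
    if upper.startswith(("MAILTO:", "TEL:", "SMS:", "SMSTO:")):
        return {"kind": "action", "risk": "review",
                "reasons": ["starts a message or call on your behalf"]}
    return {"kind": "unknown", "risk": "review",
            "reasons": ["unrecognised payload; do not follow blindly"]}


if __name__ == "__main__":
    for payload in SAMPLE_PAYLOADS:
        r = assess_qr_payload(payload)
        print(f'{r["risk"]:<6} {r["kind"]:<7} {payload}')
        for reason in r["reasons"]:
            print(f"       - {reason}")
```

The open "Free Cafe WiFi" code and the URL that hides a raw IP address behind a trusted-looking name before the "@" both come back as high risk; the plain-http menu link is marked for review, its https twin passes, and the mailto payload is flagged only because it initiates an action. Showing the decoded destination to the user before opening it, as this function does, is the control that stickers pasted over legitimate codes defeat least easily.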

No end to phishing in sight

The phishing attack frenzy does not appear to be letting up soon. Hypervigilance is essential. It’s worth it for organizations to train and re-train their teams to spot phishing attempts. Additionally, advanced security solutions, such as zero trust, will become more prevalent as verification of users, devices, context and permissions will all be needed to keep invaders at bay.
