The chances that you will open, click or download a document sent by a colleague or friend are much higher than for an email from someone you don’t know. Cybercriminals know this well, which is why they use compromised accounts to send attacks to the account owner’s friends and colleagues.
Based on recent threat activity we are seeing, criminals regularly use file-sharing notification emails (from OneDrive and other popular services) to launch attacks from hijacked accounts. Here is what we know about these scams, and some ways your organization can avoid them:
Baiting the targets
To take over an email account, cybercriminals first need its credentials. Unfortunately, with today’s phishing methods this can happen without the victim ever noticing. Often an employee follows a phishing link that leads to a fake sign-in page for Office 365, G Suite or another popular web service and enters their credentials there. These phishing emails frequently slip past existing email security solutions because the fake sign-in page is hosted on a compromised legitimate website whose domain has a good reputation. Criminals also deliberately target mid- and low-level employees who have not had in-depth security awareness training, in the hope that the targets do not know this kind of initial phishing attack exists.
Once attackers take over an account, they use it to send emails to the victim’s colleagues, sometimes hundreds of people. The messages are usually short, innocuous notes containing a link or a shared document. Any recipient who clicks the link or opens the document is taken to a fake sign-in page and asked to enter their credentials. Recipients who do so have their accounts taken over as well, and the same cycle then starts again from a new trusted sender.
Why do criminals value compromised email accounts?
Criminals value access to compromised email accounts at reputable organizations because such access can be sold on the black market and used to launch further phishing campaigns. A high-reputation sending domain gives criminals the best chance of success and can be used for targeted spear phishing or executive-level fraud. In these attacks, the criminal sends an email from the compromised account to trick the recipient (often a finance department employee) into wiring money to a bank account the attacker controls. Billions of dollars have been lost to spear-phishing wire fraud, and organizations continue to fall victim to it.
There are many variations of credential-stealing phishing emails. One variant growing in popularity is a message whose body contains a OneDrive share link. OneDrive is only one of the services we have seen spoofed; these attacks are not specific to it, it is simply one of the brands criminals use to get a user’s attention. Whatever the brand, the tell is the same: the link resolves to a sign-in page on a host that does not belong to the service it claims to be.
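The pattern described above (a terse note from a trusted internal sender, carrying a branded share link that actually points at a lookalike host, often sent to many colleagues at once) can be checked for mechanically at the mail gateway or in SOC triage. The script below is an added example and not code from the original post or from any vendor: it parses constructed sample messages built inline and reports the indicators the post describes. The allow-list of genuine sharing hosts, the two thresholds and the placeholder domains are assumptions for illustration; tune them to the services and volumes your tenant actually uses.

```python
"""Triage heuristics for share-link phishing sent from hijacked accounts.

Added example, not the original post's code. Parses RFC 5322 messages,
pulls links out of the HTML body and flags the indicators the post
describes: branded anchor text pointing at a non-brand host, a host that
merely contains the brand name, a terse note carrying a link, and a
single send to many recipients.
"""
import email
import email.utils
from html.parser import HTMLParser
from urllib.parse import urlparse

# Assumed allow-list of genuine file-sharing hosts; adjust for your tenant.
LEGIT_SHARE_HOSTS = ("onedrive.live.com", "1drv.ms", "sharepoint.com",
                     "drive.google.com", "docs.google.com")
BRAND_WORDS = ("onedrive", "sharepoint", "google drive", "dropbox")
MASS_SEND_THRESHOLD = 10   # assumption: one note to this many people is unusual
TERSE_WORD_LIMIT = 25      # assumption: "quick innocuous note" heuristic


class _LinkAndText(HTMLParser):
    """Collects (href, anchor text) pairs and the visible text of an HTML body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self.text = []
        self._href = None
        self._anchor = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._anchor = []

    def handle_data(self, data):
        self.text.append(data)
        if self._href is not None:
            self._anchor.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._anchor).strip()))
            self._href = None


def host_is_legit(host):
    """True only for an allow-listed host or a subdomain of one (not a suffix lookalike)."""
    host = host.lower().rstrip(".")
    return any(host == h or host.endswith("." + h) for h in LEGIT_SHARE_HOSTS)


def triage(raw_message):
    """Return the sorted list of indicator names found in one raw message."""
    msg = email.message_from_string(raw_message)
    recipients = email.utils.getaddresses(msg.get_all("To", []) + msg.get_all("Cc", []))
    parser = _LinkAndText()
    for part in msg.walk():
        if part.get_content_type() == "text/html":
            payload = part.get_payload(decode=True)
            parser.feed(payload.decode(part.get_content_charset() or "utf-8", "replace"))
    findings = []
    if len(recipients) >= MASS_SEND_THRESHOLD:
        findings.append("mass-send")
    words = " ".join(parser.text).split()
    if parser.links and len(words) <= TERSE_WORD_LIMIT:
        findings.append("terse-note-with-link")
    for href, anchor in parser.links:
        host = urlparse(href).hostname or ""
        if host_is_legit(host):
            continue
        # Anchor text sells a brand, but the destination is not that brand's host.
        if any(b in anchor.lower() for b in BRAND_WORDS):
            findings.append("brand-text-foreign-host")
        # The brand name is embedded in an unrelated host (e.g. onedrive-files.*).
        if any(b.replace(" ", "") in host.lower() for b in BRAND_WORDS):
            findings.append("lookalike-host")
    return sorted(set(findings))


# Constructed sample: short note from an internal sender whose "OneDrive" link
# really points at a lookalike host (placeholder domain, not a real site).
SUSPECT = """\
From: Alice Example <alice@example.com>
To: bob@example.com, carol@example.com, dave@example.com
Subject: Document shared with you
MIME-Version: 1.0
Content-Type: text/html; charset=utf-8

<html><body><p>Hi, can you take a look at this when you have a minute?</p>
<p><a href="https://onedrive-files.sharing-portal.example/login">Open in OneDrive</a></p>
</body></html>
"""

# Constructed sample: a genuine share with context, link on the real host.
BENIGN = """\
From: Alice Example <alice@example.com>
To: bob@example.com
Subject: Slides for Thursday
MIME-Version: 1.0
Content-Type: text/html; charset=utf-8

<html><body><p>Hi team, here is the final slide deck for Thursday's review, including the
updated budget figures and the vendor comparison we discussed on Monday. Comments welcome
before end of day Wednesday.</p>
<p><a href="https://onedrive.live.com/redir?resid=ABC123">Open in OneDrive</a></p>
</body></html>
"""

if __name__ == "__main__":
    print("suspect:", triage(SUSPECT))
    print("benign: ", triage(BENIGN))
```

The check that matters most is the host comparison: `host_is_legit` accepts `contoso.sharepoint.com` but rejects `sharepoint.com.evil.example`, because a suffix match on the registered name is exactly what lookalike hosts exploit. The other indicators are weak on their own and are best used to raise the score of a message that already fails the host check.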