One of the common tactics for getting phishing emails into inboxes is to use a legitimate service to send the emails, as the messages are far less likely to be blocked by email security solutions. Email security solutions perform reputation checks on email addresses and domains, and if they are determined to have been used for spamming or sending malicious emails, they are rapidly added to real-time blocklists (RBLs). If a certain trustworthiness threshold is exceeded, the messages will be blocked and quarantined, ensuring they do not reach their intended targets.
These reputation checks are often passed if emails are sent via trusted services such as Dropbox and Google Calendar, and similarly if malicious files or content are hosted on legitimate services such as OneDrive, GitHub, Google Drive, or SharePoint. The fact has not been lost on threat actors, who regularly abuse these services.
Fake login pages may be hosted on cloud storage services, and malicious files shared through them. Not only can these emails evade checks due to the good reputation of the sites, these well-known brands are familiar to end users and are often trusted, increasing the probability that credentials will be divulged or files will be downloaded.
For instance, a recent campaign abusing Dropbox used the platform to send an email about a shared file, which was also hosted on a legitimate Dropbox account. The email contained a link to a malicious PDF file, branded with the details of a company known to the targeted employees. The PDF file contained a link to another, unrelated website, where a malicious file was hosted. The phishing emails used a plausible lure to convince the user to click the link and download and execute the file.
A new campaign has recently been identified that uses a different legitimate service to evade reputation checks. The campaign, detected by security researchers at Kaspersky, was sent via a service called GetShared. While not as well-known as Google Calendar or Dropbox, the platform had a vulnerability that could be abused to send emails from a trusted domain and file-sharing service.
Similar to the Dropbox campaign, GetShared was used to send an email to targeted individuals advising them that a file had been shared with them via GetShared, as it was too large to send via email. The use of the file-sharing service seems reasonable, and the urgency was believable. The user was told that the file would be deleted after a month, and they were asked to provide a quote including the delivery time and payment terms. One of the intercepted emails targeted a designer using a shared file called DESIGN LOGO.rar.
The user was given a download button, which links to the site where the file can be downloaded. If the compressed file is opened and the contents extracted, there are several possible attack methods. The compressed file could contain an executable with a double file extension, making it likely that the file would be executed. The file could also contain a link to a malicious document or phishing page, although in this case it was part of a vishing campaign: the compressed file contained contact details for the user to call, with the call then used to obtain a file download or the disclosure of credentials or other sensitive information.
Earlier this year, a campaign was identified that used Google Calendar, with the emails sent through the platform containing a calendar invite. The invite is automatically added to the user’s Google Calendar account if they have Calendar set up and configured to automatically accept invitations. The invite contained a link to Google Forms or Google Drawings, which contained a link to a phishing website. That website impersonated a well-known brand and required the user to log in with their credentials. The campaign targeted more than 300 brands including healthcare providers, educational institutions, banks, and others, and involved thousands of emails.
Traditional email security solutions are unlikely to block emails from these trusted senders, and malicious files hosted on trusted platforms are also unlikely to be blocked. Businesses can combat these types of phishing attacks by using an advanced email spam filter that incorporates AI and machine learning algorithms and email sandboxing in addition to the standard reputation checks and blacklists. The best spam filters for businesses provide multiple layers of protection to block these malicious emails and prevent them from reaching inboxes; however, because genuine and malicious communications from legitimate platforms are hard to tell apart, security awareness training is vital.
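As an added illustration of the content-level checks this paragraph recommends (example code, not from the article or any vendor named in it), the script below triages a notification from a trusted sharing platform by flagging links that leave the platform's own domain and file names that hide an executable behind a double extension. The platform list, the extension list and the sample message are constructed assumptions.

```python
import re
from email import message_from_string
from urllib.parse import urlparse

# Assumed list of good-reputation notification senders whose content still needs inspection.
TRUSTED_PLATFORMS = {"dropbox.com", "getshared.com", "google.com"}
# Assumed list of executable extensions that a double extension can hide.
DANGEROUS_EXTS = {"exe", "scr", "js", "vbs", "bat", "cmd", "lnk", "hta"}
URL_RE = re.compile(r"https?://[^\s<>\"')]+")
NAME_RE = re.compile(r"\S+\.[A-Za-z0-9]+\.[A-Za-z0-9]+")

# Constructed sample notification (not a real campaign email).
SAMPLE = """From: GetShared <no-reply@getshared.com>
Subject: A file has been shared with you: DESIGN LOGO.rar

Download: https://files.example-host.test/DESIGN%20LOGO.rar
Inside: DESIGN LOGO.pdf.exe
"""


def on_domain(host: str, domain: str) -> bool:
    """True when host is the domain itself or one of its subdomains."""
    return host == domain or host.endswith("." + domain)


def sender_domain(msg) -> str:
    """Domain of the From: header, lower-cased ('' if absent)."""
    m = re.search(r"@([A-Za-z0-9.-]+)", msg.get("From", ""))
    return m.group(1).lower() if m else ""


def double_extension(name: str) -> bool:
    """True for names such as invoice.pdf.exe whose final extension is executable."""
    parts = name.lower().split(".")
    return len(parts) >= 3 and parts[-1] in DANGEROUS_EXTS


def triage(raw_email: str) -> list[str]:
    """Return the reasons a platform notification deserves sandboxing or review."""
    msg = message_from_string(raw_email)
    body = msg.get_payload() if not msg.is_multipart() else ""
    dom = sender_domain(msg)
    platform = next((p for p in TRUSTED_PLATFORMS if on_domain(dom, p)), None)
    reasons = []
    for url in URL_RE.findall(body):
        host = (urlparse(url).hostname or "").lower()
        # A platform notification whose link leaves the platform is the pattern above.
        if platform and not on_domain(host, platform):
            reasons.append(f"off-platform link: {host}")
    for name in NAME_RE.findall(URL_RE.sub(" ", body)):  # scan text, not URLs
        if double_extension(name):
            reasons.append(f"double extension: {name}")
    return reasons
```

Flagged messages are candidates for sandboxing rather than automatic blocking, since a legitimate share from the same platform with an on-platform link produces no reasons.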
Employees should be trained on how to identify phishing emails and told not to automatically trust emails sent via legitimate platforms: the platform can be trusted, but the content cannot. It is also recommended to use a phishing simulator to run phishing simulations with lures that abuse trusted platforms, to gauge how employees respond and to provide targeted training to individuals who are tricked by these campaigns.