A targeted spearphishing campaign has hit an organization in the energy sector – after using a savvy trick to get around the company’s Microsoft email security stack.
According to Aaron Riley, a researcher from Cofense, the campaign impersonated the CEO of the targeted company, sending email via Google Drive purporting to be “sharing an important message” with the recipients.
The email was legitimately sent by Google Drive to employees, but it had one big “tell”: the sender’s email address didn’t fit the email naming convention of the targeted company. Most employees wouldn’t take the time to check that, Riley pointed out.
“By using an authentic service, this phishing campaign was able to bypass Microsoft Exchange Online Protection and make its way to the end user,” he explained in a writeup posted this week. “The technique of using Google Drive to disseminate a phishing email helps bypass email security measures because of the difficulty of blocking a legitimate business service.”
Further, the link within the email body points to an actual Google Drive share with documents to download – and the Microsoft email body inspection tool does not examine where the user may be taken after clicking the non-malicious Google Drive link.
“Even if the security appliance were able to look past the initial link, the secondary links would not be shown in Google Drive as documents unless they are downloaded or viewed through the file browser,” said Riley.
And even then, once a user accessed a document on Google Drive, nothing immediately occurred that was malicious. Targets were given an explanation of a public business decision by the “CEO” and then asked to view a related document via another link.
If users opened that link inside the Google Drive document, they were redirected to a fake login page hosted on a recently registered domain; once victims entered their credentials, those credentials were exfiltrated back to the attacker.
“The document used in this campaign was highly tailored to the targeted energy sector company,” Riley said. “The key information used in their social engineering template included the CEO’s name, the business decision and the company logo.”
That said, employees trained to look for red flags may have stopped the attack from being successful; in addition to the supposed CEO’s email address being wrong, the information on the “business decision” was outdated by a year. And, two sentences in the Google Drive document sport poor English: “Grateful to you for your endless help of Enhancing our Organization”; and, “Note: The message is of high Importance that all Employees must access shared online link.”
Riley noted that the exact same sentences were seen in a similar phishing campaign targeting universities, indicating that the adversary has a known playbook, which will make future phishes easier to spot.
As for bypassing the email protections, there’s not much to be done, Riley pointed out, because of the nature of Google Drive and how organizations use it. However, network content filtering appliances that block newly registered domains could help, according to the researcher.
“This security mechanism would have stopped the end user from getting to the fake login page because of the registration date of the website,” he wrote. “[But] even if a network security appliance with the capabilities to stop the user from getting to the login page was used, the phishing email still got through.”
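The two detection points the article singles out (a Drive share whose real sharer is not on the company’s own domain, and a second-stage link to a newly registered domain) can be scripted. The following is an added example, not Cofense’s or Threatpost’s code; the company domain, the 30-day threshold, the sample notification and document, and the registration dates are all constructed stand-ins, and the registration-date dictionary takes the place of a real WHOIS/RDAP lookup.

```python
import re
from datetime import date
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlparse

COMPANY_DOMAIN = "example-energy.com"  # assumed: the targeted company's mail domain
MIN_DOMAIN_AGE_DAYS = 30               # assumed policy threshold for "newly registered"
# Constructed sample notification: Google Drive itself sent it, but the sharer's
# address is not on the company domain (the "tell" the article describes).
SAMPLE_EMAIL = """\
From: "J. Doe (via Google Drive)" <drive-shares-noreply@google.com>
Reply-To: j.doe.ceo@gmail.com
Subject: J. Doe shared an important message with you

j.doe.ceo@gmail.com has shared an important message with you.
https://drive.google.com/file/d/EXAMPLE-ID/view
"""
# Constructed text of the shared document, carrying the second-stage link.
SAMPLE_DOCUMENT = "Full details here: https://login-portal.example-newdomain.net/auth"
# Stand-in for a WHOIS/RDAP lookup: registrable domain -> creation date (constructed).
REGISTRATION_DATES = {"google.com": date(1997, 9, 15), "example-newdomain.net": date(2019, 10, 20)}
URL_RE = re.compile(r"https?://[^\s\"'<>]+")

def sharer_address(raw_email: str) -> str:
    """The real sharer behind a Drive notification: Reply-To, else the body sentence."""
    msg = message_from_string(raw_email)
    addr = parseaddr(msg.get("Reply-To", ""))[1]
    if not addr:
        m = re.search(r"(\S+@\S+) has shared", msg.get_payload())
        addr = m.group(1) if m else ""
    return addr.lower()

def is_external_sharer(raw_email: str, company_domain: str = COMPANY_DOMAIN) -> bool:
    """True when the 'shared by' address is not on the company's own domain."""
    return not sharer_address(raw_email).endswith("@" + company_domain)

def registrable_domain(url: str) -> str:
    """Last two labels of the hostname (sufficient for these samples, not for ccTLDs)."""
    host = urlparse(url).hostname or ""
    return ".".join(host.split(".")[-2:])

def newly_registered_links(text: str, today: date, min_age_days: int = MIN_DOMAIN_AGE_DAYS):
    """[(url, age_days)] for links whose domain is younger than the policy threshold."""
    flagged = []
    for url in URL_RE.findall(text):
        created = REGISTRATION_DATES.get(registrable_domain(url))
        if created is not None and (today - created).days < min_age_days:
            flagged.append((url, (today - created).days))
    return flagged
```

Domains with no registration data are skipped here; a stricter filter would treat an unknown registration date as suspicious as well.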
Three-quarters (75 percent) of threats reported to the Cofense Phishing Defense Center are credential-phishing attempts, Cofense found in its 2019 Phishing Threats report – indicating that attacks like these are unlikely to ebb anytime soon.