A fresh tactic for phishing Office 365 users employs credential-harvesting forms hosted on Azure Blob storage – signed with legitimate Microsoft SSL certificates to lend an air of legitimacy.
Azure Blob Storage is a cloud storage solution for hosting unstructured data such as images, video or text. The storage can be accessed using both HTTP and HTTPS connections, and when using HTTPS, a signed SSL certificate from Microsoft will be displayed.
According to Netskope, a recent phishing attack saw attackers sending spam with PDF attachments, which were disguised as documents of a law firm in Denver. The file name displayed “Scan files…, please review,” and the email contained a download button with a link.
When the user clicks on the button, they’re directed to an HTML page that appears to be the Office 365 login form stored in the Microsoft Azure Blob storage solution. There’s very little to tip off the recipient that the link is malicious; the address is a valid Blob address (containing “blob.core.windows.net” in the URK), and it’s marked as a secure site thanks to the SSL certificate. Even if the user checks the certificate, he or she will see a signature issued by Microsoft IT TLS CA 5.
Once the user enters the login information, the information is whisked away to the attacker, while the page will claim to be “preparing the download” of the supposed legal documents. Eventually, it redirects the user to a Microsoft SharePoint product page.
This particular attack instance observed by Netskope was a very targeted attack, but the firm has seen an increase in gambits just like it within the last two months – at least 10 campaigns, according to Ashwin Vamshi, security researcher at Netskope.
“We expect such attacks to likely get more sophisticated and grow in popularity among threat actors because the combination of the Microsoft domain, certificate and content make this bait particularly convincing and difficult to recognize as phishing,” he told Threatpost, in an interview.
Propagation could increase as well thanks to what Netskope calls the “cloud-phishing fan-out effect.”
“In simple terms, ‘fan-out effect’ refers to a malicious artefact (file/email) being shared with a group of users via trusted means (an IT-sanctioned application or shared cloud storage folder), thus increasing the attack scope instantly,” said Vamshi. “The results in the occurrence of a secondary propagation vector when a victim inadvertently shares the phishing document (often email attachments that are saved to cloud storage services) with colleagues, whether internal or external, via a cloud service.”
When this sharing occurs, the second recipient is more likely to trust the file as though it was created by the first recipient of the attack attachment. As this propagates to additional users, the number of users potentially affected by the phishing attack can increase exponentially.
“Enterprise security teams have largely turned a blind eye to the cloud being a new threat vector,” Vamshi said. “Cloud services are built for increased collaboration and productivity, and provide capabilities like auto-sync and API-level communication; these capabilities also help attackers quickly propagate an attack within an environment. In addition, users access cloud services from any location and any device, making it difficult to not only determine attacks but also to remediate them.”
Organizations can combat this cloud phishing gambit – which Vamshi said represents an innovative new approach on the cybercrime scene – by educating users about non-standard web addresses for Azure, Google and Amazon Web Services, so they can recognize these and know they’re not an official Microsoft domain.
“Traditional security awareness trainings have not evolved to address the modern usage of cloud; most end users are savvy enough now to understand that links that include random IP addresses or suspicious sounding domain names should not be clicked on, but they don’t have a similar awareness of risk associated with cloud services,” Vamshi told us. “It is always a best practice to check the domain of the link and compare them with the domains typically used for logging in to sensitive services.”
For instance, in the attack detailed here, users in the know about cloud addresses could recognize that the phishing site (https://onedriveunbound80343[.]blob.core.windows.net/exceltyrantship68694/excel-login-1.html) is hosted in Azure Blob storage, and is therefore not an official Microsoft website.
He added that attacks such as this also highlight the need for other best practices: Enterprises to understand the shared responsibility model and identify security controls they’re responsible for; evaluate gaps in security controls created by adoption of cloud; protect against new evasion techniques leveraged by attackers; and educate security professionals as well as end users on safe usage of cloud.