As businesses have increasingly adopted cloud services in response to the pandemic, phishing techniques have rapidly adapted to capitalize on vulnerable targets working remotely. The novelty of conducting business through the cloud is exposing users to hybrid phishing attempts that combine a traditional email approach with an abused cloud-service component.
According to our July 2021 Cloud and Threat Report, 68% of malware is now delivered from cloud apps, with Google Drive and Microsoft OneDrive constantly fighting for first position on the list of the cloud apps abused to deliver the most malicious content, including phishing baits and malware. In general, two-thirds (66.4%) of this cloud-native malware was delivered using cloud storage apps in Q2 2021, followed by collaboration apps (8.5%) and development tools (7.8%). Despite cloud storage becoming the ideal place to store and distribute malicious content, attackers are increasingly abusing chat apps and code repositories to monetize these tools' growing popularity and adoption within the distributed workforce.
The distribution of the workforce offers the bad guys an additional opportunity. Before the pandemic, only about 30% of employees worked remotely; this has now jumped to 70%. Consequently, cloud apps are no longer a “necessary evil” (a new set of tools imposed by the business to keep working through lockdowns) but precious allies that offer a flexible and familiar environment, boosting agile productivity and collaboration across the enterprise.
But there is always another side to the coin. Familiarity with cloud apps also gives attackers an additional vantage point, and in this article we discuss the role of the infrastructure in a malicious campaign. A malicious campaign launched from an environment the victim is familiar with adds a greater degree of legitimacy to the attack and, in turn, increases the chance of bypassing the human firewall. For example, the attackers can send a well-crafted phishing email that references the abused cloud service from which the malicious payload is delivered, giving the intended victim one more reason to click on the link or open the attachment (according to our July Cloud Threats report, Office documents now account for 43% of all malware downloads, up from 20% at the start of 2020).
"A malicious campaign launched from an environment the victim is familiar with adds a greater degree of legitimacy to the attack"
Even worse, some cloud services are exploited both to host and deliver malicious payloads (for example, Google Workspace) and to send out the phishing email from the same platform. A common technique now is to create the rogue login page via a Google Form and share it via Gmail. The attacker can easily register an account or, even better, abuse a compromised one. Obviously, a link distributing a malicious payload from a legitimate cloud service has a better chance of bypassing the email security gateways (this generally holds even if the initial phishing email was not sent from the same cloud service). The same applies to a legacy web security gateway when the phishing page or the request to retrieve the malware payload is directed to a trusted service: legacy web security technologies cannot recognize the context of the connection and therefore cannot differentiate a legitimate destination from a rogue one controlled by the attackers.
A “Crafty” Example
A recent “crafty” phishing campaign was discovered by Microsoft at the end of July and provides an example of how these aspects can be mixed “to try and slip through email filters.” We call these kinds of campaigns “hybrid threats” since they combine a traditional attack vector with the exploitation of a cloud service throughout the attack chain. In this specific case, the traditional vector was a phishing email with a spoofed display sender address. The “modern” vectors, in contrast, are the two legitimate cloud services exploited, respectively, to host the Office 365 phishing page (Google App Engine) and to add more legitimacy to the phishing email (Microsoft SharePoint). Google App Engine is powerful enough to create elaborate phishing pages, while SharePoint’s contribution makes the victim believe that the email is legitimate. Not only does the email have a layout that matches the OneDrive theme and recalls SharePoint in the display name, but it also includes a link in the notification settings that points to a compromised instance of SharePoint (again a sign of legitimacy for email security gateways). This latter element also demonstrates why cloud accounts are a primary target for cyber-criminals: not only do they give access to the corporate data, but, once compromised, they can also be exploited to launch additional attacks.
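As an added illustration (not code from this article or from Microsoft's report), the following Python triage script applies two of the signals described above to a constructed sample message: a display name that claims a Microsoft brand while the sending domain is unrelated, and links whose host sits on a self-service cloud platform. It assumes appspot.com as the hostname space for Google App Engine apps; the sender address, tenant name and URLs in the sample are invented.

```python
import re
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlparse

# Brands a lure may imitate in the display name, and the domains that legitimately send for them.
BRAND_DOMAINS = {
    "sharepoint": ("microsoft.com", "sharepointonline.com"),
    "onedrive": ("microsoft.com", "sharepointonline.com"),
}
# Self-service hosting where anyone can publish a page. Assumption: appspot.com is the
# default hostname space for Google App Engine applications.
SELF_SERVICE_HOSTS = ("appspot.com",)

# Constructed sample modelled on the campaign structure described above (not a real capture):
# a SharePoint-branded display name, an unrelated sending domain, an App Engine-hosted
# "login" link and a link to a real-looking SharePoint tenant for added legitimacy.
SAMPLE = """From: "SharePoint Notification" <alerts@example-sender.test>
Subject: Staff Reports - file share
Content-Type: text/html

<p>A file was shared with you: <a href="https://bonus-docs.appspot.com/login">Open</a></p>
<p><a href="https://contoso-tenant.sharepoint.com/sites/hr">Notification settings</a></p>
"""


def sender_brand_mismatch(msg):
    """Return the impersonated brand when the display name claims a brand the sender domain does not own."""
    name, addr = parseaddr(msg.get("From", ""))
    domain = addr.rsplit("@", 1)[-1].lower()
    for brand, legit_domains in BRAND_DOMAINS.items():
        if brand in name.lower() and not domain.endswith(legit_domains):
            return brand
    return None


def self_service_links(msg):
    """Return hrefs in the HTML body whose host is on a self-service cloud hosting platform."""
    body = msg.get_payload(decode=True).decode(errors="replace")
    hrefs = re.findall(r'href="([^"]+)"', body)
    return [u for u in hrefs if (urlparse(u).hostname or "").endswith(SELF_SERVICE_HOSTS)]


def triage(raw_message):
    """Combine both signals; either one alone is a reason to hold the message for review."""
    msg = message_from_string(raw_message)
    return {"brand_mismatch": sender_brand_mismatch(msg), "hosted_links": self_service_links(msg)}
```

Note that the sharepoint.com link is deliberately not flagged: a trusted destination is exactly what the gateway sees, so the detection rests on the display-name mismatch and the self-service host rather than on domain reputation.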
"There is no better incentive than money to entice someone to click on a malicious link"
Finally, there is no better incentive than money to entice someone to click on a malicious link. This campaign is no exception, as the message is disguised as a "file share" request for supposed "staff reports," "bonuses," "pricebooks," and other similar content that plays on the emotional side of the victim. Needless to say, there are no staff reports or bonuses, just a link that points to the phishing page.
Protecting the Organization from Hybrid Threats
Threat actors are quickly adapting to the new trends and in some cases are even anticipating them. Legacy security technologies are falling short in this threat landscape, where nearly 90% of web traffic is encrypted and cloud services account for 85% of enterprise traffic. Organizations are urged to move from a content-based to a context-based, cloud-delivered security model in which encrypted cloud and web traffic is inspected at scale. Additionally, the traditional functions of threat protection and data protection are enforced with a full understanding of the context, thanks to the ability to interpret the language of the API, the native language of the cloud.
User coaching and education is the other element of the protection strategy. It is undoubtedly a good thing for enterprises that employees have become completely familiar and at ease with cloud applications, and are therefore able to unleash their full collaboration power. However, it is always necessary to maintain proper awareness of potential new threats, which helps users spot the out-of-place detail when a phishing email hits the inbox.