Microsoft: Creative Abuse of Cloud Files Bolsters BEC Attacks

Threat actors are upping the ante on business email compromise (BEC) campaigns by combining social engineering with the use of legitimate, cloud-based file-hosting services to create more convincing attacks; the campaigns bypass common security protections and ultimately compromise the identity of enterprise users.

Since April, Microsoft has seen a rise in campaigns that have emerged over the past two years in which attackers weaponize legitimate file-sharing services like Dropbox, OneDrive, or SharePoint, which many enterprises use for workforce collaboration, Microsoft Threat Intelligence warned this week.

"The widespread use of such services … makes them attractive targets for threat actors, who exploit the trust and familiarity associated with these services to deliver malicious files and links, often avoiding detection by traditional security measures," according to the Microsoft Threat Intelligence blog post.

Attackers are combining their use with social engineering in campaigns that target trusted parties in a business user's network, and base lures on familiar conversation topics. Threat actors are thus successfully phishing credentials for business accounts, which they then use to conduct further malicious activity, such as financial fraud, data exfiltration, and lateral movement to endpoints.

Trusted cloud services are an increasingly weak enterprise security link. Indeed, various researchers have discovered attackers — including advanced persistent threat (APT) groups — using legitimate file-sharing services to deliver remote access Trojans (RATs) and spyware, among other malicious activity.

A Typical BEC Attack Scenario

According to Microsoft, A common attack scenario begins with the compromise of a user within an enterprise. The threat actor then uses that victim's credentials to host a file on that organization's file-hosting service and share it with the real target: those within an external organization that have trusted ties to the victim.

Attackers are specifically using Dropbox, OneDrive, or SharePoint files with either restricted access or view-only restrictions to evade common detection systems and provide a launching pad for credential-harvesting activity. The former "requires the recipient to be signed in to the file-sharing service … or to re-authenticate by entering their email address along with a one-time password (OTP) received through a notification service," establishing a trust relationship with the content. The latter can bypass analysis by email detonation systems, by "disabling the ability to download and consequently, the detection of embedded URLs within the files," according to Microsoft. "These techniques make detonation and analysis of the sample with the malicious link almost impossible since they are restricted."

To further ensure this bypass, attackers also use other techniques, including only allowing the intended recipient to view the file, or making the file accessible only for a limited time.

"This misuse of legitimate file-hosting services is particularly effective because recipients are more likely to trust emails from known vendors," according to Microsoft. Indeed, users from trusted vendors are added to allow lists through policies set by the organization on collaboration products used with the service, such as Exchange Online, so emails that are linked to phishing attacks pass through undetected.

After the files are shared on the hosting service, the targeted business user receives an automated email notification with a link to access the file securely. This is a legitimate notification about activity on the file-sharing service, so the email bypasses any protections that might have blocked a suspicious message.

Adversary-in-the-Middle; Leveraging Familiarity

When the targeted user accesses the shared file, he or she is prompted to verify identity by providing their email address, after which the address [email protected][.]com sends a one-time password that the user can input to view the document.

That document often masquerades as a preview with another link purporting to allow the user to "view the message," according to Microsoft. However, it actually redirects the user to an adversary-in-the-middle (AiTM) phishing page that prompts the user is prompted to provide the password and complete the multifactor authentication (MFA) challenge.

"The compromised token can then be leveraged by the threat actor to perform the second stage BEC attack and continue the campaign," according to Microsoft.

Hosted files typically use lures to subject matter that would be a familiar topic or use familiar context based on an existing conversation held between employees of the organizations that the threat actor would be able to access thanks to the prior compromise of the anchor victim. For example, if two organizations have prior interactions related to an audit, the malicious shared files could be named "Audit Report 2024," according to Microsoft.

Attackers also leverage the oft-used psychological tactic of urgency to lure users into opening malicious files, using file names such as "Urgent:Attention Required" and "Compromised Password Reset" to get people to take the bait.

Detecting Suspicious File-Sharing

With these highly sophisticated BEC campaigns that neither users nor traditional email security systems detect on the rise, Microsoft recommends that enterprises use extended detection and response (XDR) systems to query for suspicious activity related to BEC campaigns that use legitimate file-sharing services.

Such queries could include identifying files with similar-sounding or the same file names that have been shared with various users. "Since these are observed as campaigns, validating that the same file has been shared with multiple users in the organization can support the detection," according to Microsoft

Defenders also can use identity-focused queries related to sign-ins from VPS or VPN providers, or successful sign-ins from a non-compliant device, "to detect and investigate anomalous sign-in events that may be indicative of a compromised user identity being accessed by a threat actor," according to the post.