News

Inside Dropbox and Microsoft Office phishing attacks | Salted Hash, Ep. SC03

In this week's video, we look at a Microsoft Office phishing attack that leverages Dropbox as the lure.

Salted Hash
An inside look at hybrid Office 365 phishing attacks | Salted Hash Ep 41   (10:04)
Closed Captioning Closed captioning available on our YouTube channel
More for you to like:
salted hash thumbnail final
Scammers spoof Office 365, DocuSign and others | Salted Hash Ep 21 Scammers spoof Office 365,... (16:48)
salted hash thumbnail final
GDPR deadline looms: The price and penalties | Salted Hash Ep 20 GDPR deadline looms: The price and... (13:31)
salted hash thumbnail final
Ransomware: Do you pay the ransom? | Salted Hash Ep 19 Ransomware: Do you pay the ransom?...
salted hash thumbnail final
Managing open-source mobile security and privacy for activists worldwide | Salted Hash Ep 18 Managing open-source mobile... (15:52)
SHEp17
Spectre and Meltdown | Salted Hash Ep 17 Spectre and Meltdown | Salted Hash... (15:06)
sequence 01.00 29 58 30.still001
Ready for the EU's GDPR compliance deadline? Many companies aren't | Salted Hash Ep 16 Ready for the EU's GDPR compliance... (22:47)
In this episode, Steve Ragan shows what a hybrid phishing attack looks like as it starts off on one service, and quickly moves to another.

Today on Salted Hash, we're going to look at a phishing attack that targeted me directly. It's got a few interesting elements, including a weak attempt to spoof an HTTPS connection, and a sort of hybrid lure, which starts as Dropbox but ends at Microsoft Office.

Top targets

Microsoft is a popular target with criminals, especially when it comes to phishing. If a criminal can compromise your Microsoft Office account, they have a good deal of leverage over your professional life, and it gets worse if your Microsoft Office password is used on other services (it happens, and criminals do check for this).

Email security vendor Vade Secure recently published a list of the top brands spoofed by phishing attacks, and Microsoft topped the list. This is notable because PayPal is usually in the top spot. According to Vade Secure's list, Microsoft held the number one position by more than 40 percent. PayPal drops to second, followed by Facebook, Netflix, Wells Fargo, Bank of America, DocuSign, Dropbox, DHL, and Apple to round out the top ten.

Hybrid phishing

Back in May, my spam trap got an unusual email. It was addressed to me, and offered a Dropbox invite to an Excel file. However, because I read my email in plain text, the visual cues normally leveraged in these types of attacks were lost on me.

dropbox office phishing no html Steve Ragan

I did notice, though, that the landing link in the email pretended to be an HTTPS connection by using sub-domains. Further investigation of the link revealed that it wasn't a Dropbox attack, but a Microsoft Office attack, designed to compromise my Microsoft Office credentials. Moreover, it was using a phishing kit I'd seen before.

dropbox office phishing html rendered Steve Ragan

As the video shows, clicking the Excel icon in the email launches the browser and takes the victim to a website that appears to have HTTPS, which is something most people now know to look for. Yet, it isn't actually HTTPS.

If the victim were to fall for the scam, the login page would harvest their username and password (twice) and then redirect them to the legitimate Microsoft portal.

Another interesting aspect to this attack was the follow-up that happened two days later. Different domain and file attachment, but it was the same scam.

Tips and tricks

Emails like this are looking to play on your curiosity and familiarity with Dropbox and Excel files. Business users deal with such files and services all the time. While basic, the scam works because if you're not paying attention you recognize the basic Dropbox format and move on from there.

The use of a sub-domain to spoof HTTPS isn't new, but it does work sometimes, so criminals don't hesitate when it comes to using it. Lately, though, they register for free SSL certificates, so the old adage of "don't trust a website unless you see HTTPS" isn't as valuable as it used to be.

When it comes to scams like this the best advice is to slow down and consider the source. Were you expecting a file? Do you know the sender? If so, call them and confirm. If not, sometimes it's best to play it safe and avoid clicking links and opening attachments. If you're at work, forward the email to IT and ask them for assistance.

Related:

Steve Ragan is senior staff writer at CSO. Prior to joining the journalism world in 2005, Steve spent 15 years as a freelance IT contractor focused on infrastructure management and security.

Copyright © 2018 IDG Communications, Inc.

7 hot cybersecurity trends (and 2 going cold)