Inside Dropbox and Microsoft Office phishing attacks | Salted Hash, Ep. SC03

In this week's video, we look at a Microsoft Office phishing attack that leverages Dropbox as the lure.

Today on Salted Hash, we're going to look at a phishing attack that targeted me directly. It's got a few interesting elements, including a weak attempt to spoof an HTTPS connection, and a sort of hybrid lure, which starts as Dropbox but ends at Microsoft Office.

Top targets

Microsoft is a popular target with criminals, especially when it comes to phishing. If a criminal can compromise your Microsoft Office account, they have a good deal of leverage over your professional life, and it gets worse if your Microsoft Office password is used on other services (it happens, and criminals do check for this).

Email security vendor Vade Secure recently published a list of the top brands spoofed by phishing attacks, and Microsoft topped the list. This is notable because PayPal is usually in the top spot. According to Vade Secure's list, Microsoft held the number one position by more than 40 percent. PayPal drops to second, followed by Facebook, Netflix, Wells Fargo, Bank of America, DocuSign, Dropbox, DHL, and Apple to round out the top ten.

Hybrid phishing

Back in May, my spam trap got an unusual email. It was addressed to me, and offered a Dropbox invite to an Excel file. However, because I read my email in plain text, the visual cues normally leveraged in these types of attacks were lost on me.

dropbox office phishing no html Steve Ragan

I did notice, though, that the landing link in the email pretended to be an HTTPS connection by using sub-domains. Further investigation of the link revealed that it wasn't a Dropbox attack, but a Microsoft Office attack, designed to compromise my Microsoft Office credentials. Moreover, it was using a phishing kit I'd seen before.

dropbox office phishing html rendered Steve Ragan

As the video shows, clicking the Excel icon in the email launches the browser and takes the victim to a website that appears to have HTTPS, which is something most people now know to look for. Yet, it isn't actually HTTPS.

If the victim were to fall for the scam, the login page would harvest their username and password (twice) and then redirect them to the legitimate Microsoft portal.

Another interesting aspect to this attack was the follow-up that happened two days later. Different domain and file attachment, but it was the same scam.

Tips and tricks

Emails like this are looking to play on your curiosity and familiarity with Dropbox and Excel files. Business users deal with such files and services all the time. While basic, the scam works because if you're not paying attention you recognize the basic Dropbox format and move on from there.

The use of a sub-domain to spoof HTTPS isn't new, but it does work sometimes, so criminals don't hesitate when it comes to using it. Lately, though, they register for free SSL certificates, so the old adage of "don't trust a website unless you see HTTPS" isn't as valuable as it used to be.

When it comes to scams like this the best advice is to slow down and consider the source. Were you expecting a file? Do you know the sender? If so, call them and confirm. If not, sometimes it's best to play it safe and avoid clicking links and opening attachments. If you're at work, forward the email to IT and ask them for assistance.

SUBSCRIBE! Get the best of CSO delivered to your email inbox.