Cybercriminals impersonate popular file sharing services to take over email accounts

May 21, 2018 · 5 min read
Tags: Cybercrime, Email Clients, Hacking

Email account takeover attacks are growing, and attackers are impersonating OneDrive and other popular web services to steal credentials from employees.

[Image: email security risk - phishing / malware. Credit: Thinkstock]

The chances of you opening, clicking or downloading a document sent from a colleague or friend are much higher than acting on an email from someone you don’t know. Cybercriminals know this well, which is why they are sending attacks to the friends and colleagues of compromised account owners.  

Based on some of the recent threat activity we’re seeing, criminals are regularly using emails that mimic file sharing notifications (from OneDrive and other popular services) to initiate attacks from hijacked accounts. Here’s what we know about these scams, and some ways your organization can avoid them:

Baiting the targets

In order for cybercriminals to take over an email account, they first need the credentials. Unfortunately, with today’s cunning phishing methods, this can happen without the victim ever noticing. For example, employees will often unknowingly follow a phishing link from an attacker, which prompts them to enter their credentials into a fake sign-in page for Office 365, G Suite or another popular web service. Note that these types of phishing emails are often not detected by existing email security solutions because the fake sign-in page is frequently hosted on a compromised website that has a high reputation. Criminals also know to target mid- to low-level employees who haven’t had in-depth security and awareness training, in the hope that the targets don’t know that this type of initial phishing attack even exists.

Once attackers take over an account, they will use that account to send emails to other colleagues, sometimes even hundreds of people. These messages are usually just quick, innocuous notes that include a link or shared document. However, if any recipients click on the link or open the document, they will be taken to a fake sign-in page where they will be asked to enter their credentials. If they move forward and submit their credentials, their accounts will be taken over by the criminals as well.

Why do criminals value compromised email accounts?

Criminals value access to compromised email accounts at reputable organizations; such access can be sold on the black market and used to launch additional phishing campaigns. High-reputation domains give criminals the best chance of a successful attack and can be used to conduct targeted spear phishing or executive-level fraud attacks. In these attacks, cybercriminals will send an email from the compromised account with the goal of tricking the recipient (often a finance department employee) into sending a wire transfer to a bank account owned by the attacker. Billions of dollars have been lost to spear phishing attacks for wire fraud, and organizations continue to fall victim to cybercriminals using these methods.

There are many variations of phishing emails that attackers use to steal credentials. One of the variants growing in popularity involves a phishing email that includes a OneDrive share link (file sharing) in the body of the note. OneDrive is just one of the services we’ve seen spoofed, but these attacks aren’t specific to that service alone; it’s just one of the ways criminals are getting the attention of users.

Using file sharing services to propagate attacks

In the instances where criminals are using OneDrive share links, the link, when clicked, leads recipients to a fake sign-in page that is used to capture their credentials.

In this particular attack variant, we’ve seen criminals log in multiple times to the compromised user’s account and gather additional targets from their address book. They then send out emails to both employees and external contacts.

This attack can snowball quickly depending on how many accounts are taken over, and, as with most account takeover attacks, traditional email security solutions won’t detect these messages because they originate from internal sources.

What can be done to stop the bleeding?

There are some key technologies and approaches that can help stop attacks like these from spreading through an organization.

Using AI to protect internal communications

The new generation of email security solutions can detect anomalies within internal email communications and automatically prevent account takeover. Ideally, such a solution uses AI to detect anomalous employee communication and then uses that information to prevent future spear phishing attacks from emails that originate from within the company.
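The snowball pattern described in the "Using file sharing services" section (a hijacked mailbox suddenly mailing a share link to many internal and external contacts) is exactly the kind of internal anomaly the paragraph above says a detection layer should catch. The following is an added example, not code from the article or from Barracuda Sentinel: it builds a per-sender baseline of distinct daily recipients from constructed message-trace records and alerts when a mailbox's fan-out jumps far above its own history while carrying links. The trace format, the `example.com` internal domain and the `share-docs.example.net` link host are all assumptions made up for the example.

```python
"""Flag a mailbox whose outbound mail suddenly fans out to many recipients
with a shared-document link, the account-takeover pattern described above.
Added example; all records below are constructed, not real message traces."""
from collections import defaultdict
from urllib.parse import urlparse

INTERNAL_DOMAIN = "example.com"  # assumption: the organization's own mail domain


def _build_sample():
    """Constructed message-trace rows: timestamp,sender,recipient,url-or-'-'."""
    rows = []
    # A normal week for alice: one or two colleagues a day, no links.
    week = [("2018-05-14", ["bob", "carol"]), ("2018-05-15", ["bob"]),
            ("2018-05-16", ["dave"]), ("2018-05-17", ["bob", "erin"]),
            ("2018-05-18", ["carol"])]
    for day, rcpts in week:
        for r in rcpts:
            rows.append(f"{day}T10:00:00Z,alice@example.com,{r}@example.com,-")
    # hr mails a daily notice to 20 staff: high fan-out, but stable, so not anomalous.
    for day in ["2018-05-14", "2018-05-15", "2018-05-16", "2018-05-17",
                "2018-05-18", "2018-05-21"]:
        for i in range(20):
            rows.append(f"{day}T08:00:00Z,hr@example.com,user{i}@example.com,"
                        "https://intranet.example.com/notice")
    # The takeover burst: alice's mailbox mails 12 contacts (half of them
    # external, as if gathered from the address book) the same link at 03:12.
    internal = ["bob", "carol", "dave", "erin", "frank", "grace"]
    external = ["hank", "ivy", "jack", "kim", "liam", "mia"]
    targets = ([f"{n}@example.com" for n in internal] +
               [f"{n}@partner.example.org" for n in external])
    for i, r in enumerate(targets):
        rows.append(f"2018-05-21T03:12:{i:02d}Z,alice@example.com,{r},"
                    "https://share-docs.example.net/view?id=1")
    return rows


SAMPLE = _build_sample()


def parse(lines):
    """Parse CSV-style trace rows into dicts with the fields detection needs."""
    records = []
    for line in lines:
        ts, sender, rcpt, url = line.split(",", 3)
        records.append({"day": ts[:10], "sender": sender, "rcpt": rcpt,
                        "url": None if url == "-" else url})
    return records


def daily_profile(records):
    """sender -> day -> distinct recipients, external recipients and link hosts."""
    def empty():
        return {"rcpts": set(), "external": set(), "hosts": set()}
    prof = defaultdict(lambda: defaultdict(empty))
    for r in records:
        d = prof[r["sender"]][r["day"]]
        d["rcpts"].add(r["rcpt"])
        if not r["rcpt"].endswith("@" + INTERNAL_DOMAIN):
            d["external"].add(r["rcpt"])
        if r["url"]:
            d["hosts"].add(urlparse(r["url"]).hostname)
    return prof


def detect(records, day, fanout_factor=3.0, min_rcpts=5):
    """Alert when a sender's distinct-recipient count on `day` exceeds
    fanout_factor times its previous daily maximum and the mail carries links.
    Senders with no prior history are skipped: there is nothing to compare."""
    alerts = []
    for sender, days in daily_profile(records).items():
        today = days.get(day)
        if today is None:
            continue
        history = [len(v["rcpts"]) for d, v in days.items() if d < day]
        if not history:
            continue
        baseline = max(history)
        n = len(today["rcpts"])
        if n >= min_rcpts and n > fanout_factor * max(baseline, 1) and today["hosts"]:
            alerts.append({"sender": sender, "day": day, "recipients": n,
                           "baseline_max": baseline,
                           "external": len(today["external"]),
                           "link_hosts": sorted(today["hosts"])})
    return alerts


if __name__ == "__main__":
    for alert in detect(parse(SAMPLE), "2018-05-21"):
        print(alert)
```

The per-sender baseline is what keeps the check from firing on a mailbox such as `hr@example.com` that legitimately mails everyone every day; the burst from `alice@example.com` is flagged because it is far outside that mailbox's own history, includes external contacts and carries a link. A real deployment would feed this from the mail platform's message trace and add the off-hours timestamp and the link host's reputation as further signals.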

DMARC for domain fraud visibility

Domain-based Message Authentication, Reporting and Conformance (DMARC) is also a leading technology in stopping attacks such as these, as it guards against domain spoofing and brand hijacking. Since these attackers will spoof brands such as Outlook and many others to trick users into giving up credentials, DMARC for domain fraud visibility can stop employees from willingly giving up their password before their email account is compromised.
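DMARC only delivers the enforcement and visibility described above if the published record actually says so: `p=none` is monitor-only, `pct` below 100 leaves part of failing mail untouched, and without an `rua=` address nobody receives the aggregate reports that reveal who is spoofing the domain. The following is an added example, not code from the article, that parses a DMARC TXT record and reports those gaps; the record strings are constructed. It checks a record you already hold, so it runs offline; you would fetch a live one with `dig +short TXT _dmarc.example.com`. Note also that DMARC protects your own domain from being spoofed; it does not cover lookalike domains an attacker registers, which is one reason the training section below still matters.

```python
"""Assess whether a DMARC record gives the enforcement and visibility the
article recommends. Added example; the records below are constructed."""

POLICIES = ("none", "quarantine", "reject")  # weakest to strongest

# Constructed records for the three common states.
MONITOR_ONLY = "v=DMARC1; p=none; rua=mailto:dmarc-reports@example.com"
PARTIAL = "v=DMARC1; p=quarantine; pct=25; rua=mailto:dmarc-reports@example.com"
ENFORCED = "v=DMARC1; p=reject; rua=mailto:dmarc-reports@example.com; adkim=s; aspf=s"


def parse_dmarc(txt):
    """Split a DMARC TXT record ('v=DMARC1; p=reject; rua=...') into a tag dict.
    Tag syntax follows RFC 7489: semicolon-separated key=value pairs."""
    tags = {}
    for part in txt.split(";"):
        part = part.strip()
        if not part:
            continue
        if "=" not in part:
            raise ValueError(f"malformed tag: {part!r}")
        key, value = part.split("=", 1)
        tags[key.strip().lower()] = value.strip()
    return tags


def assess(txt):
    """Return a verdict dict: valid, policy, enforcing, visibility, issues."""
    verdict = {"valid": False, "policy": None, "enforcing": False,
               "visibility": False, "issues": []}
    try:
        tags = parse_dmarc(txt)
    except ValueError as exc:
        verdict["issues"].append(str(exc))
        return verdict
    # RFC 7489 requires v=DMARC1 to be the first tag.
    first = txt.strip().split(";", 1)[0].replace(" ", "").lower()
    if first != "v=dmarc1":
        verdict["issues"].append("record must start with v=DMARC1")
        return verdict
    policy = tags.get("p")
    if policy not in POLICIES:
        verdict["issues"].append("missing or unknown p= tag")
        return verdict
    verdict["valid"] = True
    verdict["policy"] = policy
    try:
        pct = int(tags.get("pct", "100"))
    except ValueError:
        pct = -1
    if not 0 <= pct <= 100:
        verdict["issues"].append("pct= must be an integer 0-100")
        pct = 0
    # Enforcement: receivers only quarantine/reject when p says so and pct covers all mail.
    if policy == "none":
        verdict["issues"].append("p=none is monitor-only; spoofed mail is still delivered")
    elif pct < 100:
        verdict["issues"].append(f"pct={pct}: only part of failing mail is acted on")
    else:
        verdict["enforcing"] = True
    # Visibility: aggregate reports (rua) are what reveal who is spoofing the domain.
    if tags.get("rua"):
        verdict["visibility"] = True
    else:
        verdict["issues"].append("no rua= address: no aggregate reports, so no fraud visibility")
    # Subdomains inherit p unless sp overrides it; flag a weaker subdomain policy.
    sp = tags.get("sp")
    if sp in POLICIES and POLICIES.index(sp) < POLICIES.index(policy):
        verdict["issues"].append(f"sp={sp} leaves subdomains weaker than p={policy}")
    return verdict


if __name__ == "__main__":
    for name, record in [("monitor-only", MONITOR_ONLY), ("partial", PARTIAL),
                         ("enforced", ENFORCED)]:
        print(name, assess(record))
```

The usual rollout is to publish `p=none` with `rua=` first, read the aggregate reports until every legitimate sender passes SPF or DKIM alignment, and only then move to `quarantine` and `reject`; the `issues` list is meant to show which of those steps a domain is still missing.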

User training and awareness

It is essential that employees at every level are trained and tested to increase their awareness of the various targeted attacks. Simulated attack training is by far the most effective form of training for phishing, impersonation and spear phishing attack prevention. Employees should be trained and tested on email, voicemail and SMS to help them spot cyberattack attempts. Training has historically been reserved for the executive level and high-risk individuals, but today the rest of the organization must be included in this process, or attacks such as these can infiltrate an organization very quickly.


Asaf Cidon is Vice President, Content Security Services at Barracuda Networks. In this role, he is one of the leaders for Barracuda Sentinel, the company's AI solution for real-time spear phishing and cyber fraud defense. Barracuda Sentinel utilizes artificial intelligence to learn the unique communications patterns inside customer organizations to identify anomalies and guard against these personalized attacks.

Asaf was previously CEO and co-founder of Sookasa, a cloud storage security startup that was acquired by Barracuda. Prior to that, he completed his PhD at Stanford, where his research focused on cloud storage reliability and performance. He also worked at Google’s web search engineering team.

Asaf holds a PhD and MS in Electrical Engineering from Stanford, and BSc in Computer Engineering from the Technion.

The opinions expressed in this blog are those of Asaf Cidon, Barracuda Networks and do not necessarily represent those of IDG Communications, Inc., its parent, subsidiary or affiliated companies.