Dropbox used to steal credentials and bypass multi-factor authentication in phishing campaign


A new phishing campaign exploited legitimate Dropbox infrastructure and successfully bypassed multi-factor authentication (MFA) protocols, a new study from Darktrace has revealed.

The attack highlights the growing exploitation of legitimate popular services to trick targets into downloading malware and revealing their login credentials.

The results also show how well attackers are able to bypass standard security protocols, including email detection tools and MFA.

Talk to Information securityHanah Darley, head of threat research at Darktrace, noted that while it’s common for attackers to exploit users’ trust in specific services by mimicking normal emails they receive, in this case, the threat actor(s) went further. and leveraged the legitimate cloud storage platform Dropbox to carry out their phishing attacks.

Attackers exploited Dropbox infrastructure

Attackers targeted a Darktrace customer on January 25, 2024, with 16 internal users in the organization’s SaaS environment receiving an email from “no-reply@dropbox(.)com.” This is a legitimate email address used by the file storage service Dropbox.

The email contained a link that would take the user to a PDF file hosted on Dropbox, which apparently bore the name of a partner of the organization.

This PDF file contained a suspicious link to a domain that had never been seen before in the client’s environment, named “mmv-security(.)top”.

The researchers noted that there is “very little to distinguish” malicious or innocuous emails from automated emails used by legitimate services such as Dropbox. Therefore, this approach is effective in evading email security tools and convincing targets to click on a malicious link.

This email was detected and retained by Darktace’s email security tool. However, on January 29, a user received another email from the legitimate authority. no response@dropbox(.)com address, reminding them to open the previously shared PDF file.

Although the message was moved to the user’s junk file, the employee then opened the suspicious email and followed the link to the PDF file. The internal device connected to the malicious mmv-security(.)top link a few days later.

This link led to a fake Microsoft 365 login page, designed to harvest the credentials of legitimate SaaS account holders.

The researchers added that impersonating trusted organizations like Microsoft is an effective way to appear legitimate to targets.

The attackers managed to bypass the MFA

On January 31, Darktrace observed several suspicious SaaS logins from several unusual locations that had never accessed the account before.

The subsequent unusual connections on February 1 were associated with ExpressVPN, indicating that the bad actors used a virtual private network (VPN) to hide their real location.

These logins appeared to use a valid MFA token, suggesting that the attackers had successfully bypassed the organization’s MFA policy.

Researchers believe the employee may have unknowingly approved an MFA request on their own device once they compromised the credentials.

“By using valid tokens and meeting the necessary MFA requirements, malicious actors are often able to remain undetected by traditional security tools that view MFA as the silver bullet,” the researchers wrote.

Although the attackers bypassed MFA with legitimate credentials, the organization’s security team was still alerted to the suspicious activity after identifying unexpected activity on SaaS accounts.

Darley said Information security that the incident demonstrates that organizations can no longer rely on MFA as the last line of defense against cyber attackers.

“Bypassing MFA authentication, as in this case, is now a frequently used tactic by attackers – especially given its success in granting access to shared resources such as SharePoint files that can be exploited” , she stressed.

Threat actor shows perseverance

Shortly after the MFA bypass, Darktrace observed another unusual connection to the SaaS account, using the HideMyAss VPN service.

On this occasion, the threat actor created a new email rule on the compromised Outlook account, intended to immediately move all emails from the organization’s accounts team directly to the “mailbox” folder. Conversation History”.

Researchers said this approach is designed to avoid detection – by moving their malicious emails and their replies to less frequently visited mailbox folders.

Additionally, the actor sent follow-up emails with subject lines like “Incorrect Contract” and “Requires Urgent Review.”

“This likely represented malicious actors using the compromised account to send additional malicious emails to the organization’s accounts team to infect additional accounts in the customer’s SaaS environment,” the researchers noted .

Phishing attacks are targeted and sophisticated

The researchers noted that it is “relatively simple” for attackers to abuse legitimate third-party solutions like Dropbox for phishing attacks, rather than relying on their own infrastructure.

Darley commented: “The case study highlights how sophisticated cybercriminals are becoming in carrying out attacks in stages. The emails themselves came from a legitimate Dropbox “no reply” address that typically sent notifications or links to customers.

“The link in the email also pointed to a legitimate Dropbox storage endpoint, where a malicious file was hosted. It was disguised as a partner document, making the emails appear legitimate,” she added.

Generative AI assists attackers

Darley highlighted that generative AI technologies are having a huge impact in allowing attackers to create more sophisticated phishing messages.

Darktrace End of Year Threat Report 2023 found that more than 25% of phishing cases observed in the second half of 2023 contained more than 1,000 characters, which is largely due to the capabilities provided by generative AI.

“These are not emails with just a few words and a questionable link, but rather very elaborate and wordy emails. There are also cases of enhanced social engineering in which attackers engage in existing conversation threads, impersonating known colleagues or contacts, attempting to imitate the tone of the correspondence,” Darley explained.

“These instances of greater sophistication are enabled by generative AI, which gives bad actors more time to spend more time strategizing on larger-scale attacks,” she added .

Image credit: Nopparat Khokthong / Shutterstock.com

Leave a comment