New Generation of Phishing Hides Behind Trusted Services


The days when email was the main vector for phishing attacks are long gone. Now, phishing attacks occur on SMS, voice, social media and messaging apps. They also hide behind trusted services like Azure and AWS. And with the expansion of cloud computing, even more Software-as-a-Service (SaaS) based phishing schemes are possible.

Phishing tactics have evolved faster than ever, and the variety of attacks continues to grow. Security pros need to be aware.

SaaS to SaaS Phishing

Instead of building phishing pages from scratch, cyber criminals are increasingly turning to established SaaS platforms to execute their malware schemes. By utilizing legitimate domains to host their phishing campaigns, it’s more challenging for detection engines to identify them. And since SaaS platforms require minimal technical expertise, it’s easier for novice hackers to launch attacks.

The number of phishing URLs hosted on legitimate SaaS platforms has increased at an alarming rate. From June 2021 through June 2022, the rate of newly detected phishing URLs hosted on legitimate SaaS platforms increased by over 1,100%, according to Palo Alto’s Unit 42.

Cyber criminals take advantage of cloud-based SaaS platforms to launch phishing attacks without ever needing to access the victims’ on-premises computers or networks, as HackerNoon cyber expert Zen Chan points out. Chan says that SaaS-based phishing makes it difficult for traditional security measures, such as anti-spam gateways, sandboxing and URL filtering, to detect and flag these malicious activities. With the increasing use of cloud-based office productivity and collaboration tools, attackers can now easily host and share malicious documents, files and malware on reputable domains.

The magnitude of the problem becomes clear when we consider that malicious downloads might originate from platforms such as Google Drive or Dropbox. In these places, malware is easy to disguise as a picture, invoice image, PDF or important work file. The problem is that in cloud storage the files are encrypted, which lets them evade security tools; the malicious files are only decrypted on the victim’s machine, as explained by Check Point researchers.

Examples of SaaS platforms used in phishing campaigns include:

  • File sharing
  • Form builders
  • Website builders
  • Note-taking/collaboration tools
  • Design/prototyping/wireframe
  • Personal branding

Phishing Leveraging Azure

In a recent report, Microsoft’s threat analysts detected another type of sophisticated phishing scheme. This campaign employed compromised login information to enroll rogue devices on a targeted network. The infiltrated devices were then utilized to propagate phishing emails. It appears the attacks were successful primarily on accounts that lacked MFA security, making them more vulnerable to takeover.

The attackers employed a DocuSign-themed email tactic, which lured recipients to click on a link to review and sign a document, thereby exposing their login information.

Source: Microsoft

Actors utilized embedded links in the fake DocuSign emails that directed victims to a phishing website. These mimicked the Office 365 login page, complete with pre-filled usernames for added credibility.

Microsoft’s telemetry data revealed that the initial attacks focused on firms in Australia, Singapore, Indonesia and Thailand. It appears that the actors were primarily targeting remote workers, as well as poorly protected managed service points and other infrastructure that may operate outside strict security protocols.

The Next Stage of the Attack

Microsoft’s security team was able to detect the threat by identifying unusual patterns in the creation of inbox rules. Attackers added these rules immediately after gaining control of an inbox. Apparently, the attackers had compromised over a hundred mailboxes across multiple organizations, using malicious mailbox rules named “Spam Filter”. This enabled actors to maintain control over the compromised mailboxes and use them for phishing and other malicious activities.
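The inbox-rule pattern described above is something a defender can hunt for in mailbox audit logs. The following Python script is an added example, not Microsoft's detection logic: it scores rule-creation events on the traits the article reports (a rule named "Spam Filter", created shortly after a sign-in, that hides or forwards matching mail). The record shape, field names, folder list and time window are assumptions, and the sample records are constructed.

```python
"""Flag inbox rules that look like post-compromise persistence.

Added example, not Microsoft's detection logic. Scores New-InboxRule audit
events on traits the article describes: a known rule name ("Spam Filter"),
creation right after a sign-in, and actions that hide or forward mail.
The record layout and the sample records are assumptions.
"""
from __future__ import annotations

import json
from datetime import datetime
from typing import Optional

# Constructed sample records, loosely modelled on Microsoft 365 unified audit
# log entries. Real exports carry many more fields; these are the ones scored.
SAMPLE_LOG = """
{"time": "2022-03-01T08:00:00Z", "op": "UserLoggedIn", "user": "alice@example.com", "ip": "203.0.113.10"}
{"time": "2022-03-01T08:04:00Z", "op": "New-InboxRule", "user": "alice@example.com", "ip": "203.0.113.10", "params": {"Name": "Spam Filter", "DeleteMessage": true, "SubjectContainsWords": ["invoice", "docusign"]}}
{"time": "2022-03-01T09:00:00Z", "op": "UserLoggedIn", "user": "bob@example.com", "ip": "198.51.100.7"}
{"time": "2022-03-01T15:30:00Z", "op": "New-InboxRule", "user": "bob@example.com", "ip": "198.51.100.7", "params": {"Name": "Newsletters", "MoveToFolder": "Reading"}}
{"time": "2022-03-01T10:00:00Z", "op": "UserLoggedIn", "user": "carol@example.com", "ip": "192.0.2.44"}
{"time": "2022-03-01T10:01:30Z", "op": "New-InboxRule", "user": "carol@example.com", "ip": "192.0.2.44", "params": {"Name": "Archive", "MoveToFolder": "RSS Subscriptions", "MarkAsRead": true, "FromAddressContainsWords": ["security", "helpdesk"]}}
"""

KNOWN_RULE_NAMES = {"spam filter"}  # rule name reported in the campaign above
# Folders users rarely open; assumed list for this example.
HIDING_FOLDERS = {"rss subscriptions", "deleted items", "junk email", "archive", "conversation history"}
# Words a rule might filter on to suppress warnings to the real owner; assumed list.
SENSITIVE_WORDS = {"password", "security", "helpdesk", "phish", "hacked", "suspicious", "invoice"}
LOGIN_WINDOW_MINUTES = 15  # assumed window for "rule created right after sign-in"


def parse_records(text: str) -> list[dict]:
    """Parse one JSON record per line and sort them by event time."""
    records = [json.loads(line) for line in text.strip().splitlines() if line.strip()]
    for record in records:
        record["ts"] = datetime.strptime(record["time"], "%Y-%m-%dT%H:%M:%SZ")
    return sorted(records, key=lambda r: r["ts"])


def score_rule(params: dict, minutes_since_login: Optional[float]) -> tuple[int, list[str]]:
    """Return a suspicion score and the reasons behind it for one inbox rule."""
    score, reasons = 0, []
    if params.get("Name", "").strip().lower() in KNOWN_RULE_NAMES:
        score += 3
        reasons.append(f"rule name {params['Name']!r} matches a known campaign")
    folder = params.get("MoveToFolder", "").strip().lower()
    if params.get("DeleteMessage") or folder in HIDING_FOLDERS or params.get("MarkAsRead"):
        score += 2
        reasons.append("rule hides matching mail from the mailbox owner")
    if params.get("ForwardTo") or params.get("RedirectTo"):
        score += 2
        reasons.append("rule forwards mail outside the mailbox")
    words = {w.lower() for key in ("SubjectContainsWords", "BodyContainsWords", "FromAddressContainsWords")
             for w in params.get(key, [])}
    if words & SENSITIVE_WORDS:
        score += 1
        reasons.append(f"rule filters on sensitive words {sorted(words & SENSITIVE_WORDS)}")
    if minutes_since_login is not None and minutes_since_login <= LOGIN_WINDOW_MINUTES:
        score += 2
        reasons.append(f"rule created {minutes_since_login:.1f} min after sign-in")
    return score, reasons


def find_suspicious_rules(records: list[dict], threshold: int = 4) -> list[dict]:
    """Walk the sorted records, pairing each rule creation with the user's latest sign-in."""
    last_login: dict[str, datetime] = {}
    findings = []
    for record in records:
        if record["op"] == "UserLoggedIn":
            last_login[record["user"]] = record["ts"]
        elif record["op"] == "New-InboxRule":
            params = record.get("params", {})
            login_ts = last_login.get(record["user"])
            minutes = (record["ts"] - login_ts).total_seconds() / 60 if login_ts else None
            score, reasons = score_rule(params, minutes)
            if score >= threshold:
                findings.append({"user": record["user"], "rule": params.get("Name"),
                                 "ip": record.get("ip"), "score": score, "reasons": reasons})
    return findings


if __name__ == "__main__":
    for finding in find_suspicious_rules(parse_records(SAMPLE_LOG)):
        print(f"{finding['user']}: rule {finding['rule']!r} score={finding['score']}")
        for reason in finding["reasons"]:
            print(f"  - {reason}")
```

On the constructed sample, the "Spam Filter" rule and the rule that silently files security and helpdesk mail into RSS Subscriptions are both flagged, while the ordinary newsletter rule is not. The weights and threshold are deliberately simple; in practice the sign-in condition would also check whether the source address or device was new for that user.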

Using the stolen credentials, the intruders gained access to the victim’s email account by installing Outlook on their own machine and logging in with the compromised credentials. From there, the attacker’s device was automatically registered with the company’s Azure Active Directory because the attackers accepted Outlook’s first launch experience. Microsoft points out that an MFA policy in Azure AD would have prevented this rogue registration from occurring.

Once the attacker’s device accessed the victim’s network, the intruders began the second phase of their campaign. They sent phishing emails to employees of the targeted firm, as well as external targets such as contractors, suppliers or partners. As these phishing messages originate from within a trusted workspace, they carry an element of legitimacy, and security solutions are less likely to flag them.

Phishing Leveraging Amazon Web Services

Cyber criminals are also using Amazon Web Services (AWS) to bypass automated security scanners and launch phishing attacks, as per Avanan. Actors take advantage of AWS services that let them create and host web pages built with WordPress or custom code. From there, they can send phishing messages that carry the AWS name to corporate email systems. This enables the emails to evade scanners that would typically block such messages and adds an extra layer of legitimacy to deceive victims.

Another recently highlighted phishing campaign leverages AWS and employs unusual syntax construction in the messages to evade scanners. Email services that rely on static Allow or Block Lists to secure email content are not immune to these attacks. These services evaluate whether a website is safe or not, but Amazon Web Services is too large and prevalent to block, so scanners will always mark it as safe.
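To make the allow-list weakness concrete, the following Python snippet is an added illustration (not Avanan's scanner logic) that puts a suffix-based domain allow list beside a hardened check. The weak version treats any hostname ending in a provider's domain as safe, so a page anyone can host under that domain passes unscanned, and the missing leading dot also matches look-alike domains. The hardened version allows only exact, operator-owned hostnames and routes everything else under a hosted-content domain to content scanning. The allow-list entries and all hostnames are constructed.

```python
"""URL allow-list checks for mail scanning: suffix matching versus exact hosts.

Added example, not Avanan's scanner logic. The allow-list entries and the
sample hostnames are constructed for illustration.
"""
from urllib.parse import urlsplit

# Weak setting: bare domain suffixes treated as trusted.
ALLOWLIST_SUFFIXES = ["amazonaws.com", "amazon.com"]

# Corrected setting: only exact, operator-owned hostnames are trusted. Anything
# else under a provider domain may be customer-hosted content and is scanned.
TRUSTED_HOSTS = {"aws.amazon.com", "www.amazon.com"}
HOSTED_CONTENT_DOMAINS = {"amazonaws.com"}


def host_of(url: str) -> str:
    """Extract a normalised hostname (lower-case, no trailing dot) with a real parser."""
    return (urlsplit(url).hostname or "").lower().rstrip(".")


def naive_verdict(url: str) -> str:
    """Suffix allow list: 'allow' if the host ends with any listed domain."""
    host = host_of(url)
    for suffix in ALLOWLIST_SUFFIXES:
        if host.endswith(suffix):  # no leading dot, so 'notamazonaws.com' matches too
            return "allow"
    return "scan"


def hardened_verdict(url: str) -> str:
    """Exact-host allow list; provider-hosted content is scanned, never auto-allowed."""
    host = host_of(url)
    if host in TRUSTED_HOSTS:
        return "allow"
    if any(host == d or host.endswith("." + d) for d in HOSTED_CONTENT_DOMAINS):
        return "scan-hosted-content"  # hand to URL/content analysis with provider context
    return "scan"


SAMPLE_URLS = [
    "https://aws.amazon.com/",                                        # provider's own site
    "https://tenant-site.example-region.amazonaws.com/review.html",   # constructed: hosted by a tenant
    "https://notamazonaws.com/login",                                 # constructed: suffix look-alike
]


def compare(urls=SAMPLE_URLS) -> dict[str, tuple[str, str]]:
    """Return (naive, hardened) verdicts per URL so the two policies can be compared."""
    return {url: (naive_verdict(url), hardened_verdict(url)) for url in urls}


if __name__ == "__main__":
    for url, (naive, hardened) in compare().items():
        print(f"{url}\n  naive={naive:<6} hardened={hardened}")
```

Only the provider's own site is allowed by both policies; the tenant-hosted page and the look-alike domain sail through the suffix check but are sent to scanning by the hardened one.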

It’s not uncommon for attackers to piggyback on well-known brand names for phishing campaigns. Avanan has reported that attackers have used QuickBooks, PayPal and Google Docs to increase the chances of their messages landing in the inbox.

Phishing With QR Codes

Last but not least, Zen Chan also shed light on another type of phishing attack called QRishing. These attacks embed malicious links in QR codes included in emails, which makes them difficult for most email security solutions to detect. QRishing can also potentially lead victims to connect to an unsecured WiFi network, allowing attackers to capture sensitive information.

Today, people use QR codes to access menus, check in for health services and access public or organizational information. But rogue QR codes are also on the rise. Criminals can even print malicious QR codes on a sticker to overlay legitimate QR codes.

To make things even more complex, attackers are using social engineering tactics by inserting fake QR codes into phishing text messages (SMishing plus QRishing) or social media platforms. When scanned, these rogue codes redirect victims to phishing sites, where they may be prompted to enter login credentials, which can then be stolen by the attackers.

No End to Phishing in Sight

The phishing attack frenzy does not appear to be letting up soon. Hypervigilance is essential. It’s worth it for organizations to train and re-train their teams to spot phishing attempts. Additionally, advanced security solutions, such as zero trust, will become more prevalent as verification of users, devices, context and permissions will all be needed to keep invaders at bay.

The post New Generation of Phishing Hides Behind Trusted Services appeared first on Security Intelligence.