Scammers are increasingly exploiting file sharing sites such as Google Docs and Microsoft Sway to steal user credentials, according to Barracuda Networks.

Phishing campaigns can trick even seasoned and smart users by cleverly impersonating well-known companies, brands, and products. As organizations increasingly rely on cloud-based file sharing and collaboration tools, companies such as Google and Microsoft are especially tempting targets for criminals to spoof. A report released Thursday by security firm Barracuda Networks shows how these types of attacks work and how organizations can combat them.

In form-based phishing attacks, scammers leverage sites such as Google Docs and Microsoft Sway to trap victims into revealing their login credentials. The initial phishing email typically contains a link to one of these legitimate sites, which is why these attacks can be difficult to detect and prevent.

Among the nearly 100,000 form-based attacks that Barracuda detected over the first four months of 2020, Google file sharing and storage sites were used in 65% of them. These attacks included such sites as storage.googleapis.com, docs.google.com, storage.cloud.google.com, and drive.google.com. Microsoft brands were spoofed in 13% of the attacks, exploiting such sites as onedrive.live.com, sway.office.com, and forms.office.com. Beyond Google and Microsoft, other sites spoofed in these attacks were sendgrid.net, mailchimp.com, and formcrafts.com.

In its report, Barracuda described three tactics used by attackers in these particular phishing campaigns.

Using legitimate sites as intermediaries. In this case, criminals try to spoof emails that seem to have been creating automatically through file sharing sites such as Microsoft OneDrive. The emails contain links that take users to a legitimate site such as sway.office.com. But that site then leads the victim to a phishing page prompting for login credentials.

threat-spotlight-tactic-1-barracuda.jpg
Image: Barracuda Networks

Creating online forms for phishing. In this instance, criminals create an online form using a service such as forms.office.com and then links to that form from the initial phishing emails. Spoofing the login page of a legitimate site, the form tries to harvest the user’s account credentials. The malicious page contains links to legitimate websites. However, the linked domains typically are not ones that would request account verification or password changes.  

threat-spotlight-tactic-2-barracuda.jpg
Image: Barracuda Networks

Getting access to accounts without passwords. In this case, attackers can access user accounts without having to capture their credentials. The initial phishing email contains a link to what appears to be a legitimate login page. But the link actually contains a request for an access token for an app. After entering their account credentials, the user receives a list of app permissions to accept. By accepting these permission, the victim doesn’t have to reveal any passwords but instead gives the attacker’s app an access token to use the same credentials to access the account.

Such attacks are especially nasty as they can get around two-factor authentication and go undetected for a long time. Though Microsoft has since disabled the specific app used in this attack, the overall tactic is still around, according to Barracuda.

threat-spotlight-tactic-3-barracuda.jpg
Image: Barracuda Networks

To help your organization defend itself against these types of phishing attacks, Barracuda offers the following recommendations:

  • API-based inbox defense.Cybercriminals are adjusting their tactics to bypass email gateways and spam filters, so you need a solution that uses artificial intelligence to detect and block attacks such as account takeovers and domain impersonations. Deploy technology that uses machine learning to analyze normal communication patterns within your organization instead of relying solely on looking for malicious links or attachments. This allows the solution to spot anomalies that may indicate an attack.
  • Deploy multi-factor authentication.Multifactor authentication (MFA), two-factor authentication, and two-step verification all provide an additional layer of security beyond usernames and passwords, such as authentication codes, thumb prints, or retinal scans.
  • Protect against account takeover. Use technology to identify suspicious activity and potential signs of account takeovers, such as logins at unusual times of the day or from unusual locations and IP addresses. Track IP addresses that exhibit other suspicious behaviors, including failed logins and access from suspicious devices. Monitor email accounts for malicious inbox rules as well as they’re often used as part of account takeovers. Criminals who log into the account create forwarding rules and hide or delete any email they send from the account to try to cover their tracks.
  • Improve user security education. Educate users about email attacks, including form-based attacks, as part of security-awareness training. Ensure that staffers can recognize attacks, understand their fraudulent nature, and know how to report them. Use phishing simulation to train users to identify cyberattacks, test the effectiveness of your training, and evaluate those most vulnerable to attacks.