Phishing Campaign Uses Google Drive to Bypass Email Gateways
A highly targeted phishing campaign was recently observed while bypassing a Microsoft email gateway using documents shared via the Google Drive service to target the staff of a company from the energy industry.
Google Drive is a file storage and synchronization service created by Google that enables its users to store files in the cloud and effortlessly synchronize them between devices and platforms. The documents used to link to the phishing landing page were delivered using Google Docs, Google’s online word processor.
The phishing messages spotted by Cofense security researchers impersonated the company's CEO and tried to trick employees into opening an "important message" shared via Google Docs.
“The email is legitimately sent by Google Drive to employees and appears to be shared on behalf of the CEO by an email address that does not fit the email naming convention of the targeted company,” found Cofense.
Outdated info allows targets to detect the attack
This made it possible for the attackers to take advantage of Google’s legitimate service to circumvent the phishing detection protection provided to the company by the Microsoft Exchange Online Protection cloud-based email filtering service.
The link in the email pointed to a Google Docs document which, in turn, redirected potential victims to the attackers' phishing landing pages, where they were asked to enter their credentials to access the CEO's urgent message.
“The link within the email body is also hard to defend against because it links to an actual Google Drive share,” also found the Cofense researchers.
“If the organization’s email body inspection tool does not examine past the first link, phishing countermeasures will mark the email as non-malicious, allowing the phish to avoid another security measure.”
Luckily, even though the phishers managed to bypass the company's phishing protections, they built their phishing emails from outdated information, which should have given the targeted staff enough hints that they were under attack.
Also, while the emails appear to come from the company’s CEO, the email address used to deliver them “does not fit the email naming convention of the targeted company,” the researchers discovered.
Phishing emails created using templates
Some of the contents of the phishing emails also hinted at them being created with the help of templates designed to quickly generate customized phishing messages, with at least two of the phrases used in these attacks having been previously spotted as part of “a similar phishing campaign targeting secondary education facilities.”
After opening the Google Docs document linked in the phishing email, targets were redirected to a fake login page that asked for their credentials, which were then immediately sent to and stored on an attacker-controlled server.
“One automated security mechanism that might be able to defend against this part of the attack scenario is a network content filtering appliance keyed on blocking newly registered domains,” adds Cofense.
“This security mechanism would have stopped the end user from getting to the fake login page because of the registration date of the website.”
Indicators of compromise (IOCs) and a YARA rule designed to help identify similar campaigns are available at the end of the Cofense report.
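The two detection gaps Cofense points out above, an inspection tool that stops at the first (legitimately Google-hosted) link and a landing page on a newly registered domain, can both be closed by walking the whole redirect chain and judging the final hop. The following is an added example, not code from the Cofense report; the redirect map, the domain creation dates, the hostnames and the 30-day threshold are all constructed or assumed values, and a real deployment would replace the two lookup tables with an HTTP HEAD-based resolver and a WHOIS/RDAP client.

```python
from datetime import date
from urllib.parse import urlparse

# Constructed stand-in for a live redirect resolver: maps a URL to the
# Location it would redirect to, or None when the page is the final hop.
FAKE_REDIRECTS = {
    "https://docs.google.com/document/d/example-id/edit":
        "https://login-portal-example.invalid/ceo-message",
    "https://login-portal-example.invalid/ceo-message": None,
    "https://docs.google.com/document/d/benign-id/edit": None,
}

# Constructed stand-in for WHOIS/RDAP creation dates (assumed values).
FAKE_DOMAIN_CREATED = {
    "docs.google.com": date(1997, 9, 15),
    "login-portal-example.invalid": date(2019, 8, 1),
}

# Hosts where a share link is expected to start; an off-platform final
# hop from one of these is the pattern described in the article.
TRUSTED_HOSTS = {"docs.google.com", "drive.google.com"}


def follow_chain(url, resolver, max_hops=10):
    """Return every URL visited, first link included, up to max_hops."""
    chain = [url]
    for _ in range(max_hops):
        nxt = resolver(url)
        if nxt is None:
            return chain
        url = nxt
        chain.append(url)
    raise ValueError("redirect loop or chain longer than max_hops")


def assess_link(url, resolver, created_lookup, today, min_age_days=30):
    """Judge the final destination of a link rather than its first hop."""
    chain = follow_chain(url, resolver)
    first_host = urlparse(chain[0]).hostname
    final_host = urlparse(chain[-1]).hostname
    reasons = []
    if first_host in TRUSTED_HOSTS and final_host not in TRUSTED_HOSTS:
        reasons.append(f"{first_host} share redirects off-platform to {final_host}")
    created = created_lookup.get(final_host)
    if created is None:
        reasons.append(f"no registration data for {final_host}")
    elif (today - created).days < min_age_days:
        reasons.append(f"{final_host} registered {(today - created).days} days ago")
    return {"chain": chain, "suspicious": bool(reasons), "reasons": reasons}
```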
Phishers switching their baits
While monitoring phishing attacks targeting its customers, Cofense spotted other phishing campaigns using a wide range of techniques to steal sensitive info from their targets.
During late July, crooks switched from the run-of-the-mill malicious URLs they usually employ to WeTransfer notifications in order to bypass email gateways developed by Microsoft, Proofpoint, and Symantec.
They were also observed using a base HTML element to conceal the link to their phishing landing pages from antispam solutions, another tactic that allowed them to bypass Office 365 Advanced Threat Protection's security checks and land their phishing messages in the inboxes of American Express customers.
Another campaign delivering fake eFax messages was observed in early July dropping a banking Trojan and RAT cocktail with the help of malicious Microsoft Word document attachments.
Cofense also unearthed a phishing campaign that abused QR codes one month earlier, allowing its operators to redirect potential targets to phishing landing pages while effectively dodging security solutions and controls designed precisely to stop this type of attack in its tracks.