Stealing Microsoft User Credentials through Dropbox: The Evolution of Business Email Compromise (BEC) Threats
The Rise of BEC 3.0 Attacks
Threat actors are continuously evolving their techniques to bypass security measures and exploit unsuspecting users. In a recent blog post, researchers at Check Point Harmony revealed a fast-growing business email compromise (BEC) campaign that leverages Dropbox messages to steal Microsoft user credentials. This campaign is part of the latest iteration of BEC attacks known as BEC 3.0.
Unlike traditional BEC attacks that rely on spoofing or impersonating legitimate entities, BEC 3.0 poses a new challenge for defenders. Attackers exploit familiar and trusted sites like Dropbox, Google, QuickBooks, and PayPal to send and host phishing material. This tactic makes it difficult for email security services to detect the malicious content and for end users to recognize it.
The Mechanics of the Attack
In the observed campaign, attackers send messages directly from Dropbox to the victims, notifying them of files to download. Clicking on the link in the message redirects users to a legitimate Dropbox URL, but the subsequent page is branded as Microsoft’s OneDrive. The discrepancy, if noticed, can raise suspicion. However, if users fail to spot it, they are taken to a phishing site disguised as a Microsoft SharePoint login page, where they are prompted to enter their credentials. This final page is hosted outside of Dropbox.
This type of attack exploits cloud services and shows how threat actors use legitimate platforms to make their phishing more credible. By sending and hosting content through trusted services, attackers bypass both the natural language processing (NLP) scans and the URL scanning employed by email security technologies. NLP fails to detect any abnormal language patterns since the attack relies on original content sent directly from the legitimate service. Likewise, flagging suspicious URLs doesn’t work since the links lead to verified Dropbox or similar sites.
The Implications and Impact
BEC attacks have been on the rise, both in number and in sophistication. In 2022, the FBI reported over 21,000 BEC complaints, resulting in adjusted losses exceeding $2.7 billion. Over the last decade, these attacks have cost businesses worldwide more than $50 billion, a figure that reflects 17% year-over-year growth. As outlined by the Check Point team, these numbers speak to the increasing frequency and intensity of the attacks.
The success of BEC 3.0 attacks highlights the need for organizations and individuals to be vigilant and proactive in protecting their data and credentials.
Protecting Against BEC 3.0
To mitigate the risks posed by BEC 3.0 attacks, organizations must prioritize awareness and deploy robust security measures.
Firstly, educating employees about common BEC tactics is crucial. Encouraging users to pause and verify suspicious activity before clicking on emails from unfamiliar sources or unsolicited links can go a long way in preventing these attacks. In the case of the observed Dropbox campaign, the discrepancy between receiving an email from a Dropbox domain and being directed to a OneDrive account should serve as a red flag.
Secondly, organizations should invest in comprehensive security solutions. These solutions should include document and file scanning capabilities, AI defenses, and robust URL protection systems that can thoroughly scan and emulate webpages to detect any malicious intent. Integrating such measures can significantly strengthen defenses against BEC 3.0 campaigns.
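The red flag described above (a OneDrive or SharePoint branded page served from a host Microsoft does not own) can be checked mechanically once a URL protection system has emulated the click chain. The following is an added example, not code from Check Point or from the original post; the hop record format, the domain allow-list and the sample chains are assumptions constructed for illustration.

```python
from urllib.parse import urlsplit

# Illustrative, non-exhaustive allow-list of domains each brand serves pages from.
BRAND_DOMAINS = {
    "dropbox": ("dropbox.com", "dropboxusercontent.com"),
    "microsoft": ("microsoft.com", "microsoftonline.com", "live.com",
                  "sharepoint.com", "office.com"),
}
# Words in a rendered page title that signal which brand the page claims to be.
BRAND_KEYWORDS = {"dropbox": "dropbox", "onedrive": "microsoft",
                  "sharepoint": "microsoft", "microsoft": "microsoft"}

def host_belongs_to(host, brand):
    """True if host is one of the brand's domains or a subdomain of one."""
    return any(host == d or host.endswith("." + d) for d in BRAND_DOMAINS[brand])

def claimed_brands(title):
    """Brands whose keywords appear in the page title."""
    lowered = title.lower()
    return {brand for word, brand in BRAND_KEYWORDS.items() if word in lowered}

def analyze_chain(hops):
    """Return (rule, host, brand) findings for an emulated click chain.

    Each hop is a dict with 'url', 'title' and 'has_password_field', as a
    hypothetical page emulator might record them.
    """
    findings = []
    for hop in hops:
        host = (urlsplit(hop["url"]).hostname or "").lower()
        brands = claimed_brands(hop["title"])
        # No brand claimed, or the host belongs to a claimed brand: nothing to flag.
        if not brands or any(host_belongs_to(host, b) for b in brands):
            continue
        # A password field on an off-brand page is the credential-harvesting step.
        rule = ("credential_form_off_brand" if hop["has_password_field"]
                else "brand_host_mismatch")
        findings.extend((rule, host, brand) for brand in sorted(brands))
    return findings

# Constructed sample chains modelling the flow described above (not campaign data).
PHISH_CHAIN = [
    {"url": "https://www.dropbox.com/s/EXAMPLE/shared-file",
     "title": "OneDrive - Shared document", "has_password_field": False},
    {"url": "https://login.example.net/sharepoint",
     "title": "Sign in to SharePoint", "has_password_field": True},
]
BENIGN_CHAIN = [
    {"url": "https://www.dropbox.com/s/EXAMPLE/report",
     "title": "Dropbox - report.pdf", "has_password_field": False},
    {"url": "https://login.microsoftonline.com/",
     "title": "Sign in to your Microsoft account", "has_password_field": True},
]
```

Title keywords are a coarse brand signal; a production emulator would also compare logos, favicons and form targets before acting on a finding.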
In Conclusion
As threat actors continue to evolve their techniques, it is essential for individuals and organizations to stay vigilant and adapt their cyber defense strategies accordingly. BEC 3.0 attacks demonstrate how attackers are leveraging legitimate platforms to deceive users and evade security measures. By combining user awareness and robust security solutions, businesses can better protect themselves from falling victim to these increasingly prevalent and costly attacks.