Threat actors exploit Dropbox to steal Microsoft credentials in BEC campaign
Evasion of NLP and URL scanning
In a fast-growing business email compromise (BEC) campaign, threat actors are leveraging messages sent from Dropbox to steal Microsoft user credentials. This campaign, identified by researchers at Check Point Harmony, demonstrates the rapid evolution of BEC attacks and the ability of attackers to evade security measures such as natural language processing (NLP) and URL scanning.
According to Check Point, over 5,000 attacks using fake login pages to harvest credentials were observed in the first two weeks of September alone. Dropbox, along with other familiar and trusted sites such as Google, QuickBooks, and PayPal, has become a popular choice for attackers in this latest iteration of BEC – known as BEC 3.0. The use of legitimate and trusted sites makes it difficult for email security services to identify and stop these attacks.
The mechanics of the attack
The BEC campaign observed by researchers involves messages appearing to come directly from Dropbox, informing users of files to download. Clicking on the link in the message directs users to another page hosted on a legitimate Dropbox URL, but branded as Microsoft’s OneDrive. If users fail to recognize the discrepancy, they are led to a phishing site that mimics the login page of Microsoft SharePoint, where they are prompted to enter their credentials.
This case exemplifies the challenges posed by BEC 3.0 attacks, which leverage cloud services and create an illusion of legitimacy. The use of recognized services and sites makes it increasingly difficult for defenders, both security services and end users, to detect and prevent these attacks.
Securing against BEC compromise
Organizations can take several measures to help employees identify and prevent BEC 3.0 attacks. Educating users about common tactics and encouraging them to be cautious when receiving emails from unfamiliar sources or unsolicited links is crucial. The discrepancy between receiving an email from a Dropbox domain and being directed to a OneDrive account should raise suspicions and prompt users to delete such messages before accessing the phishing page.
Deploying a comprehensive security solution is also recommended. This should include document and file scanning capabilities, AI defenses, and a robust URL protection system that conducts thorough scans and emulates webpages for enhanced security. These measures can significantly reduce the risk of falling victim to BEC 3.0 campaigns.
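The two signals the article relies on, a Dropbox sender whose message is branded OneDrive, and a "Microsoft" login link that does not land on a Microsoft-owned domain, can be turned into simple mail-triage logic. The following is an added example written for this page; it is not Check Point's code or part of any product. The `BRAND_DOMAINS` mapping is an illustrative assumption rather than an authoritative allowlist, and every sample message, address and URL is constructed (the look-alike host uses the reserved `.example` TLD).

```python
# Added example (not Check Point's code): a brand-versus-sender consistency
# heuristic for the Dropbox -> "OneDrive" -> fake SharePoint lure described
# above. All message samples below are constructed; BRAND_DOMAINS is an
# illustrative assumption, not an authoritative allowlist.
import re
from urllib.parse import urlparse

# Registrable domains a brand legitimately sends from / hosts on (assumption:
# small illustrative mapping; production code would maintain a curated list).
BRAND_DOMAINS = {
    "dropbox":    {"dropbox.com", "dropboxusercontent.com"},
    "onedrive":   {"onedrive.com", "live.com", "microsoft.com", "sharepoint.com"},
    "sharepoint": {"sharepoint.com", "microsoft.com"},
    "microsoft":  {"microsoft.com", "live.com", "microsoftonline.com"},
}

URL_RE = re.compile(r"https?://[^\s<>\"']+")


def registrable_domain(host: str) -> str:
    """Last two labels of a hostname (naive: ignores multi-label public suffixes
    such as co.uk; a real deployment would consult the public-suffix list)."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


def brands_mentioned(text: str) -> set:
    """Brands named anywhere in subject/body, including inside link text."""
    lowered = text.lower()
    return {brand for brand in BRAND_DOMAINS if brand in lowered}


def link_domains(body: str) -> set:
    """Registrable domains of every http(s) URL found in the body."""
    return {registrable_domain(urlparse(u).hostname or "") for u in URL_RE.findall(body)}


def assess_message(sender: str, subject: str, body: str) -> list:
    """Return human-readable findings; an empty list means no mismatch was seen."""
    sender_domain = registrable_domain(sender.rsplit("@", 1)[-1])
    mentioned = brands_mentioned(subject + " " + body)
    findings = []

    # Rule 1: the message invokes a brand the sending domain does not belong to
    # (a genuine Dropbox notification whose payload is branded "OneDrive").
    for brand in sorted(mentioned):
        if sender_domain not in BRAND_DOMAINS[brand]:
            findings.append(f"sender {sender_domain} but message references {brand}")

    # Rule 2: a link lands on a domain none of the referenced brands host on
    # (the look-alike host of a credential page).
    legit_hosts = set().union(*(BRAND_DOMAINS[b] for b in mentioned))
    for domain in sorted(link_domains(body)):
        if domain not in legit_hosts:
            findings.append(f"link to {domain} is not hosted by any referenced brand")

    return findings


# Constructed samples mirroring the campaign's stages (no real URLs or IoCs).
SAMPLES = {
    "benign_dropbox_share": (
        "no-reply@dropbox.com",
        "Alice shared a file with you",
        "Alice shared 'Q3 budget.xlsx'. View: https://www.dropbox.com/s/constructed-id/Q3-budget.xlsx",
    ),
    "dropbox_onedrive_lure": (
        "no-reply@dropbox.com",
        "Someone shared 'OneDrive - Invoices' with you",
        "View file: https://www.dropbox.com/scl/fi/constructed-id/OneDrive",
    ),
    "fake_sharepoint_login": (
        "notify@mail-sharep0int.example",
        "Microsoft SharePoint: session expired",
        "Sign in again at https://login.mail-sharep0int.example/auth to keep access.",
    ),
}


def triage_samples() -> dict:
    """Run the heuristic over the constructed samples; returns name -> finding count."""
    return {name: len(assess_message(*msg)) for name, msg in SAMPLES.items()}


if __name__ == "__main__":
    for name, msg in SAMPLES.items():
        print(name, assess_message(*msg) or ["no mismatch"])
```

The benign share produces no findings, the Dropbox-sent "OneDrive" lure trips rule 1 only (its link really is on dropbox.com, which is exactly why URL reputation alone misses it), and the look-alike SharePoint login trips both rules. Treat the output as a triage signal to route a message into the deeper file scanning and page emulation the article recommends, not as a verdict: a legitimate Dropbox share of a file that merely mentions OneDrive in its name would also fire rule 1.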
The escalating threat of BEC attacks
The increasing frequency and intensity of BEC attacks highlight the need for businesses to remain vigilant. In 2022, the FBI recorded over 21,000 BEC complaints, resulting in adjusted losses exceeding $2.7 billion. Over the past decade, BEC attacks have cost businesses worldwide more than $50 billion, with losses growing by 17% year-over-year in 2022. The sophistication and effectiveness of these attacks continue to evolve, making them a significant threat to organizations of all sizes.
Considering the substantial financial impact and reputational damage caused by BEC attacks, businesses must prioritize cybersecurity measures. Continuous employee education, the implementation of comprehensive security solutions, and proactive threat detection are key elements in staying protected against evolving threats like BEC 3.0.