Attackers sent 52M malicious messages leveraging the likes of Office 365, Azure, OneDrive, SharePoint, G-Suite and Firebase storage in Q1 2021.
Threat actors are cashing in on the rapid shift to cloud-based business services during the pandemic, by hiding behind ubiquitous, trusted services from Microsoft and Google to make their email phishing scams look legit. And it’s working.
In fact, in the first three months of 2021 alone, researchers found 7 million malicious emails sent from Microsoft 365 and a staggering 45 million sent from Google’s infrastructure, Proofpoint reported, adding that cybercriminals have used Office 365, Azure, OneDrive, SharePoint, G-Suite and Firebase storage to send phishing emails and host attacks.
“The malicious message volume from these trusted cloud services exceeded that of any botnet in 2020, and the trusted reputation of these domains, including outlook.com and sharepoint.com, increases the difficulty of detection for defenders,” the report, issued Wednesday, explained. “This authenticity perception is essential, as email recently regained its status as the top vector for ransomware; and, threat actors increasingly leverage the supply chain and partner ecosystem to compromise accounts, steal credentials and siphon funds.”
Because breaching a single account could potentially provide sprawling access, ProofPoint reported that 95 percent of organizations were targeted for cloud account compromise, and of those, more than half were successful. Additionally, more than 30 percent of those organizations that were compromised “experienced post-access activity including file manipulation, email forwarding and OAuth activity.”
Once attackers have credentials, they can easily move in and out of a range of services and use those to send additional, convincing phishing emails.
Proofpoint provided several examples of campaigns hiding behind Microsoft and Google that attempted to scam users into giving up their information or delivering malware.
One message used a Microsoft SharePoint URL, which purported to link to a document outlining COVID-19 guidelines. Proofpoint’s team reported that this message was sent to 5,000 users in the transportation, manufacturing and business services sectors.
Another example provided by Proofpoint attempted to use the domain name “onmicrosoft.com” to deliver a fake video-conferencing credential harvesting email, which researchers observed was delivered to about 10,000 users.
Read more at: threatpost.com