The days when email was the main vector for phishing attacks are long gone. Now, phishing attacks occur on SMS, voice, social media and messaging apps. They also hide behind trusted services like Azure and AWS. And with the expansion of cloud computing, even more Software-as-a-Service (SaaS) based phishing schemes are possible.

Phishing tactics have evolved faster than ever, and the variety of attacks continues to grow. Security pros need to be aware.

SaaS to SaaS Phishing

Instead of building phishing pages from scratch, cyber criminals are increasingly turning to established SaaS platforms to execute their malware schemes. By utilizing legitimate domains to host their phishing campaigns, it’s more challenging for detection engines to identify them. And since SaaS platforms require minimal technical expertise, it’s easier for novice hackers to launch attacks.

The number of phishing URLs hosted on legitimate SaaS platforms has increased at an alarming rate. From June 2021 through June 2022, the rate of newly detected phishing URLs hosted on legitimate SaaS platforms increased by over 1,100%, according to Palo Alto Networks’ Unit 42.

Cyber criminals take advantage of cloud-based SaaS platforms to launch phishing attacks without ever needing to access the victims’ on-premises computers or networks, as HackerNoon cyber expert Zen Chan points out. Chan says that SaaS-based phishing makes it difficult for traditional security measures, such as anti-spam gateways, sandboxing and URL filtering, to detect and flag these malicious activities. With the increasing use of cloud-based office productivity and collaboration tools, attackers can now easily host and share malicious documents, files and malware on reputable domains.

The magnitude of the problem becomes clear when we consider that malicious downloads might originate from platforms such as Google Drive or Dropbox. In these places, malware is easy to disguise as a picture, invoice image, PDF or important work file. The problem is that in cloud storage the files are encrypted, which lets them evade security tools; the malicious files are only decrypted on the victim’s machine, as explained by Check Point researchers.

Examples of SaaS platforms used in phishing campaigns include:

  • File sharing
  • Form builders
  • Website builders
  • Note-taking/collaboration tools
  • Design/prototyping/wireframe
  • Personal branding.

Phishing Leveraging Azure

In a recent report, Microsoft’s threat analysts detected another type of sophisticated phishing scheme. This campaign employed compromised login information to enroll rogue devices on a targeted network. The infiltrated devices were then utilized to propagate phishing emails. It appears the attacks were successful primarily on accounts that lacked MFA security, making them more vulnerable to takeover.

The attackers employed a DocuSign-themed email tactic, which lured recipients to click on a link to review and sign a document, thereby exposing their login information.

Source: Microsoft

Actors utilized embedded links in the fake DocuSign emails that directed victims to a phishing website. These mimicked the Office 365 login page, complete with pre-filled usernames for added credibility.

Microsoft’s telemetry data revealed that the initial attacks focused on firms in Australia, Singapore, Indonesia and Thailand. It appears that the actors were primarily targeting remote workers, as well as poorly protected managed service points and other infrastructure that may operate outside strict security protocols.

The Next Stage of the Attack

Microsoft’s security team was able to detect the threat by identifying unusual patterns in the creation of inbox rules. Attackers added these rules immediately after gaining control of an inbox. Apparently, the attackers had compromised over a hundred mailboxes across multiple organizations, using malicious mailbox rules named “Spam Filter”. This enabled actors to maintain control over the compromised mailboxes and use them for phishing and other malicious activities.
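As an added illustration of the inbox-rule detection described above (example code written for this article, not Microsoft’s own detection logic), the following Python flags New-InboxRule events whose name matches the reported “Spam Filter” rule, or which hide mail and were created shortly after a sign-in from an IP address outside the user’s baseline. The event fields, the baseline and the sample events are constructed assumptions, not a vendor schema.

```python
from datetime import datetime, timedelta

# Rule name reported in the campaign, and rule actions that hide mail from the mailbox owner
KNOWN_BAD_NAMES = {"spam filter"}
HIDING_ACTIONS = {"deletemessage", "movetofolder", "markasread"}
# Constructed (hypothetical) baseline of IPs each user normally signs in from
BASELINE = {"alice@example.com": {"10.0.0.5"}, "bob@example.com": {"10.0.0.9"},
            "carol@example.com": {"10.0.0.11"}}
# Constructed sample audit events; field names are placeholders, not a vendor schema
EVENTS = [
    {"time": "2022-01-10T08:00:00", "user": "alice@example.com", "op": "UserLoggedIn", "ip": "10.0.0.5"},
    {"time": "2022-01-10T09:02:00", "user": "alice@example.com", "op": "UserLoggedIn", "ip": "203.0.113.7"},
    {"time": "2022-01-10T09:05:00", "user": "alice@example.com", "op": "New-InboxRule", "ip": "203.0.113.7",
     "rule": {"name": "Spam Filter", "actions": ["DeleteMessage"], "from": "*"}},
    {"time": "2022-01-10T12:00:00", "user": "bob@example.com", "op": "UserLoggedIn", "ip": "10.0.0.9"},
    {"time": "2022-01-10T12:10:00", "user": "bob@example.com", "op": "New-InboxRule", "ip": "10.0.0.9",
     "rule": {"name": "Newsletters", "actions": ["MoveToFolder"], "from": "news@example.com"}},
    {"time": "2022-01-11T07:00:00", "user": "carol@example.com", "op": "UserLoggedIn", "ip": "198.51.100.3"},
    {"time": "2022-01-11T07:03:00", "user": "carol@example.com", "op": "New-InboxRule", "ip": "198.51.100.3",
     "rule": {"name": "Cleanup", "actions": ["MarkAsRead", "DeleteMessage"], "from": "*"}},
]

def _ts(event):
    return datetime.fromisoformat(event["time"])

def find_suspicious_rules(events, baseline=BASELINE, window=timedelta(minutes=30)):
    """Return (user, rule name, reasons) for inbox rules that look like a mailbox takeover."""
    # known_ips: user -> IPs seen so far; new_ip_login: (user, ip) -> first sign-in outside the baseline
    known_ips, new_ip_login, findings = {}, {}, []
    for e in sorted(events, key=_ts):
        user, ip = e["user"], e["ip"]
        known = known_ips.setdefault(user, set(baseline.get(user, ())))
        if e["op"] == "UserLoggedIn" and ip not in known:
            new_ip_login[(user, ip)] = _ts(e)
            known.add(ip)
        if e["op"] != "New-InboxRule":
            continue
        rule, reasons = e["rule"], []
        if rule["name"].strip().lower() in KNOWN_BAD_NAMES:
            reasons.append("rule name matches the reported campaign")
        hides = {a.lower() for a in rule["actions"]} & HIDING_ACTIONS
        first = new_ip_login.get((user, ip))
        if hides and first is not None and _ts(e) - first <= window:
            reasons.append("hiding rule created soon after sign-in from a new IP")
        if hides and rule.get("from") == "*":
            reasons.append("hiding rule applies to all senders")
        if reasons:
            findings.append((user, rule["name"], reasons))
    return findings
```

Bob’s rule is scoped to one sender and created from a baseline IP, so it is not flagged; the other two are.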

Using the stolen credentials, the intruders gained access to the victim’s email account by installing Outlook on their own machine and logging in with the compromised credentials. Because the attacker accepted Outlook’s first-launch experience, that device was then automatically registered with the company’s Azure Active Directory. Microsoft points out that an MFA policy in Azure AD would have prevented this rogue registration from occurring.

Once the attacker’s device accessed the victim’s network, the intruders began the second phase of their campaign. They sent phishing emails to employees of the targeted firm, as well as external targets such as contractors, suppliers or partners. As these phishing messages originate from within a trusted workspace, they carry an element of legitimacy, and security solutions are less likely to flag them.

Phishing Leveraging Amazon Web Services

Cyber criminals are also using Amazon Web Services (AWS) to bypass automated security scanners and launch phishing attacks, as per Avanan. Actors have leveraged the ability to use an AWS service to create and host web pages using WordPress or custom code. From there, they can send phishing messages that carry the AWS name to corporate email systems. This enables the emails to evade scanners that would typically block such messages and adds an extra layer of legitimacy to deceive victims.

Another recently highlighted phishing campaign leverages AWS and employs unusual syntax construction in the messages to evade scanners. Email services that rely on static Allow or Block Lists to secure email content are not immune to these attacks. These services evaluate whether a website is safe or not. But Amazon Web Services is too large and prevalent to block, so scanners will always mark it as safe.

It’s not uncommon for attackers to piggyback on well-known brand names for phishing campaigns. Avanan has reported that attackers have used QuickBooks, PayPal and Google Docs to increase the chances of their messages landing in the inbox.

Phishing With QR Codes

Last but not least, Zen Chan also shed light on another type of phishing attack called QRishing. These attacks embed malware links in QR codes included in emails. This makes them difficult to detect for most email security solutions. QRishing can also potentially lead victims to connect to an unsecured WiFi network, allowing attackers to capture sensitive information.

Today, people use QR codes to access menus, check in for health services and access public or organizational information. But rogue QR codes are also on the rise. Criminals can even print malicious QR codes on stickers and paste them over legitimate ones.

To make things even more complex, attackers are using social engineering tactics by inserting fake QR codes into phishing text messages (SMishing plus QRishing) or social media platforms. When scanned, these infected codes redirect victims to phishing sites, where they may be prompted to enter login credentials which can then be stolen by the attackers.

No End to Phishing in Sight

The phishing attack frenzy does not appear to be letting up soon. Hypervigilance is essential. It’s worth it for organizations to train and re-train their teams to spot phishing attempts. Additionally, advanced security solutions, such as zero trust, will become more prevalent as verification of users, devices, context and permissions will all be needed to keep invaders at bay.
