As both security tools and employees have become more astute at detecting traditional phishing attacks, threat actors have turned to manipulating trusted platforms to distribute phishing links hidden in seemingly legitimate URLs.
In one example of this approach, a report from Barracuda Networks published on 12 September detailed a rise in phishing attacks leveraging trusted content creation and collaboration platforms.
These platforms are particularly popular in the education sector, a growing target for threat actors, as well as being commonly used by businesses and creative professionals.
Threat analysts at Barracuda identified several phishing attacks using one online collaboration tool "widely used in educational settings" that allows students to create and share virtual boards where they can organize school content.
Hackers manipulated the platform's post-wall function to send emails with embedded phishing links. As the messages came from a trusted platform, recipients were less likely to scrutinize these emails as closely as they might when receiving from an unknown, external entity, the report noted.
The platform was also used to host voicemail phishing links, where users are taken to a separate link and then redirected to a spoofed Microsoft login page designed to harvest users' login credentials.
Threat actors were also found leveraging a popular graphic design platform, where the email sent from the service appeared to be identical to a legitimate file-sharing invitation from Microsoft 365.
Researchers at Barracuda offered a third example of a file sharing and tracking platform mainly used by business professionals, finding several fake 'file share' notifications within emails.
Saravanan Govindarajan, manager of threat analysis at Barracuda Networks, concluded that the rise in volume of these attacks reveals a growing trend away from traditional phishing tactics.
"The increase in phishing attacks leveraging trusted content creation and collaboration platforms highlights a shift in cybercriminal tactics towards the misuse of popular, reputable online communities to implement attacks, evade detection, and exploit the confidence that targets will have in such platforms."
Hackers are leveraging security tools against organizations
Research shows the obfuscation of phishing links has also involved leveraging security tools for nefarious purposes, where attackers have been found turning URL protection on itself to covertly distribute malicious links.
Earlier this year, Saravanan Mohankumar, threat analyst at Barracuda Networks, detailed how from mid-May onwards he and his team had observed threat actors using three different URL protection services to mask their phishing links. URL protection tools copy and rewrite hyperlinks used in emails embedding the original URL in the new, rewritten version.
"When the email recipient clicks on the "wrapped" link, it triggers an email security scan of the original URL. If the scan is clear, the user is redirected to the URL," Mohankumar explained.
The report suggests attackers could have been able to gain access to these tools after compromising the accounts of legitimate users, and if they have entry to the account, they can identify which URL protection service the victim has access to.
To activate the URL wrapping function, the attacker then uses an outbound email sent to themselves using the compromised account, and the victim's security tool will automatically rewrite the URL using their own URL protection link.
The threat actor can then use that link to conceal malicious URLs in their ongoing social engineering campaign, the report concludes.
Mohankumar warned these services, which are provided by trusted brands have been used to target hundreds of companies, speculating the real figure is likely far higher.
Speaking to ITPro, Neal Bradbury, chief product officer at Barracuda Networks, outlined why novel attack vectors like these are difficult to protect against for security vendors, and mitigation will rely on better security awareness training for staff.
"It's really difficult to detect a lot of these [attacks] as they continually evolve. What's happened [here] is that the links themselves are valid, and so what they [attackers] have figured out how to do is host something malicious on a OneDrive link or an Evernote link, for example," he explained
"What we really need to do is follow the link and if we can't do that as a security vendor, what we're basically doing is projecting it to the user and saying 'look, we have gone as far as we possibly can down this path or link. Caution, you may want to find out if it's actually from a user that you trust', and a lot of that comes down to training."
