Hackers Abuse Dropbox In Phishing Attack To Steal Logins
Darktrace, a leading AI-powered threat detection company, identified a sophisticated phishing attempt targeting one of its customers in January 2024. The attack abused the legitimate cloud service Dropbox: the lure arrived from Dropbox's own infrastructure, so sender authentication checks (SPF, DKIM, DMARC) would pass and detection had to rely on behavior rather than on the sender.
Anatomy Of The Attack
The attackers used a genuine email address, “no-reply@dropbox[.]com,” which Dropbox routinely uses for automated notifications.
The email content was crafted to appear legitimate. It contained a link to a PDF document supposedly shared by a partner or colleague of the recipient.
Clicking the link embedded in the PDF would have led the user to a malicious web page, likely disguised as a legitimate login page in order to harvest credentials.
Attack Breakdown
On January 29, 2024, the user received a seemingly legitimate email from Dropbox reminding them to open a previously shared PDF, which had been sent on January 25, 2024.
Darktrace/Email identified the email as suspicious and moved it to junk, which should have prevented the user from clicking the potentially malicious link within the PDF.
Darktrace/Email and Darktrace/Apps identified the suspicious email by examining:
- Anomalous Behavior: The email, despite originating from a legitimate address, was sent on behalf of an unknown entity and did not align with the customer's usual email communication patterns.
- Link Analysis: Darktrace likely analyzed the link embedded in the PDF, identifying it as redirecting to a suspicious domain not previously seen within the customer's network.
Despite Darktrace's intervention, the user opened the suspicious email and accessed the PDF.
On January 31, 2024, Darktrace observed a series of suspicious logins to the compromised Microsoft 365 account:
- Logins from unusual locations never used before.
- Logins originating from IP addresses associated with VPN services (ExpressVPN, HideMyAss).
- Notably, the attackers presented valid MFA tokens, suggesting they bypassed the customer's MFA policy (possibly through user error, for example by approving a push prompt or entering a one-time code on the attacker's login page). A successful MFA check therefore does not by itself clear a login; the location and network it comes from still matter.
The attackers created a new inbox rule within the compromised account to automatically move emails from the organization's accounts team to a less-monitored folder, hiding any replies or queries that might have alerted the real owner.
The attackers then sent emails impersonating the legitimate account holder, using urgency-inducing subject lines like “Flawed contract” and “Requires Urgent Review.”
These tactics aimed to trick recipients into taking further actions, potentially compromising additional accounts.
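The two post-compromise signals described here, sign-ins that break a user's location baseline or arrive through consumer VPN exits, and an inbox rule that quietly diverts mail from an internal team, are the ones a SOC can hunt for in Microsoft 365 sign-in and audit logs. The following is an added example written for this page, not Darktrace's code or output. All events are constructed: the user, IPs, countries and ASN strings are made up, the event fields are only loosely shaped like Entra ID sign-in logs and Exchange Online `New-InboxRule` audit records, and the VPN keyword list and hiding-folder list are assumptions to tune for a real tenant.

```python
"""Hunt for account-takeover signals: anomalous sign-ins followed by mail-hiding inbox rules.

Constructed sample data for illustration only; not Darktrace telemetry and not the article's code.
"""
from datetime import datetime, timedelta

# Assumption: countries each user has signed in from over the previous 30 days.
BASELINE_COUNTRIES = {"j.doe@example.com": {"GB"}}

# Assumption: substrings identifying consumer VPN providers in the ASN/organisation
# field of IP enrichment (Privax operates HideMyAss).
VPN_PROVIDER_KEYWORDS = ("expressvpn", "hidemyass", "privax")

# Folders attackers favour because users rarely look at them.
HIDING_FOLDERS = {"rss subscriptions", "rss feeds", "archive", "deleted items",
                  "junk email", "conversation history"}

# Constructed sign-in events (shape loosely modelled on Entra ID sign-in logs).
SIGNIN_EVENTS = [
    {"ts": "2024-01-30T09:01:00Z", "user": "j.doe@example.com", "ip": "203.0.113.5",
     "country": "GB", "asn_org": "Example Broadband Ltd", "mfa_satisfied": True},
    {"ts": "2024-01-31T02:14:00Z", "user": "j.doe@example.com", "ip": "198.51.100.23",
     "country": "US", "asn_org": "ExpressVPN", "mfa_satisfied": True},
    {"ts": "2024-01-31T02:40:00Z", "user": "j.doe@example.com", "ip": "192.0.2.77",
     "country": "NL", "asn_org": "Privax Ltd (HideMyAss)", "mfa_satisfied": True},
]

# Constructed Exchange audit events (shape loosely modelled on New-InboxRule records).
AUDIT_EVENTS = [
    {"ts": "2024-01-31T02:52:00Z", "user": "j.doe@example.com", "operation": "New-InboxRule",
     "parameters": {"Name": ".", "From": "accounts@example.com",
                    "MoveToFolder": "RSS Subscriptions", "MarkAsRead": "True"}},
    {"ts": "2024-01-31T09:00:00Z", "user": "j.doe@example.com", "operation": "New-InboxRule",
     "parameters": {"Name": "Newsletters", "From": "news@vendor.example",
                    "MoveToFolder": "Newsletters"}},
]


def _ts(s):
    """Parse an ISO-8601 timestamp with a trailing Z into an aware datetime."""
    return datetime.fromisoformat(s.replace("Z", "+00:00"))


def is_vpn_exit(asn_org):
    """True when the ASN/org string matches a known consumer VPN provider."""
    org = asn_org.lower()
    return any(k in org for k in VPN_PROVIDER_KEYWORDS)


def detect_anomalous_signins(events, baseline):
    """Return sign-ins from outside the user's country baseline or from a VPN exit.

    A satisfied MFA check is recorded, not used to suppress the finding: in this
    attack the attacker held a valid token, so the location is the real signal.
    """
    findings = []
    for e in events:
        reasons = []
        if e["country"] not in baseline.get(e["user"], set()):
            reasons.append(f"country {e['country']} not in baseline")
        if is_vpn_exit(e["asn_org"]):
            reasons.append(f"VPN provider egress ({e['asn_org']})")
        if reasons:
            findings.append({"ts": e["ts"], "user": e["user"], "ip": e["ip"],
                             "mfa_satisfied": e["mfa_satisfied"], "reasons": reasons})
    return findings


def detect_hiding_rules(events, internal_domain):
    """Return inbox rules that move, delete or mark-as-read mail; flag internal senders."""
    findings = []
    for e in events:
        if e["operation"] not in ("New-InboxRule", "Set-InboxRule"):
            continue
        p = e["parameters"]
        reasons = []
        if p.get("MoveToFolder", "").lower() in HIDING_FOLDERS:
            reasons.append(f"moves mail to {p['MoveToFolder']}")
        if p.get("DeleteMessage") == "True":
            reasons.append("deletes matching mail")
        if p.get("MarkAsRead") == "True":
            reasons.append("marks matching mail as read")
        if not reasons:
            continue  # an ordinary "file newsletters in a folder" rule is benign
        if p.get("From", "").lower().endswith("@" + internal_domain):
            reasons.append(f"targets internal sender {p['From']}")
        if len(p.get("Name", "").strip()) <= 2:
            reasons.append("near-empty rule name")  # heuristic: attackers often use '.' or '..'
        findings.append({"ts": e["ts"], "user": e["user"], "rule": p.get("Name"), "reasons": reasons})
    return findings


def correlate(signins, rules, window=timedelta(hours=2)):
    """Pair each suspicious rule with anomalous sign-ins by the same user shortly before it."""
    incidents = []
    for r in rules:
        linked = [s for s in signins if s["user"] == r["user"]
                  and timedelta(0) <= _ts(r["ts"]) - _ts(s["ts"]) <= window]
        if linked:
            incidents.append({"user": r["user"], "rule": r["rule"], "rule_ts": r["ts"],
                              "signins": [s["ip"] for s in linked],
                              "mfa_bypassed": any(s["mfa_satisfied"] for s in linked)})
    return incidents


if __name__ == "__main__":
    s = detect_anomalous_signins(SIGNIN_EVENTS, BASELINE_COUNTRIES)
    r = detect_hiding_rules(AUDIT_EVENTS, "example.com")
    for incident in correlate(s, r):
        print(incident)
```

Run stand-alone, the script reports one incident: the rule named "." that hides mail from accounts@example.com, linked to the two VPN sign-ins that preceded it within two hours, with `mfa_bypassed` set because both sign-ins satisfied MFA. The design choice worth noting is that MFA success never lowers the score; in a real tenant the same logic would run over exported sign-in and unified audit log records after mapping their field names onto the ones used here.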
“Had RESPOND been enabled in autonomous response mode at the time of the attack, it would have immediately moved to log out and disable the suspicious actor as soon as they had logged into the SaaS environment from an unusual location, effectively shutting down this account takeover attempt at the earliest opportunity,” said Ryan Traill, Threat Content Lead.
Source credit : cybersecuritynews.com