Dropbox Used to Steal Credentials and Bypass MFA in Novel Phishing Campaign

A novel phishing campaign leveraged legitimate Dropbox infrastructure and successfully bypassed multifactor authentication (MFA) protocols, new research from Darktrace has revealed.

The attack highlights the growing abuse of legitimate, popular services to trick targets into downloading malware and revealing login credentials.

The findings also show how attackers are becoming adept at evading standard security protocols, including email detection tools and MFA.

Speaking to Infosecurity, Hanah Darley, Head of Threat Research at Darktrace, noted that while it is common for attackers to exploit the trust users have in specific services by mimicking the normal emails they receive, in this case, the threat actor(s) went a step further and leveraged the legitimate Dropbox cloud storage platform to conduct their phishing attacks.

The Attackers Leveraged Dropbox Infrastructure

The attackers targeted a Darktrace customer on January 25, 2024, with 16 internal users on the organization’s SaaS environment receiving an email from ‘no-reply@dropbox[.]com.’ This is a legitimate email address used by the Dropbox file storage service.

The email contained a link that would lead the user to a PDF file hosted on Dropbox, which was seemingly named after a partner of the organization.

This PDF file contained a suspicious link to a domain that had never previously been seen on the customer’s environment, named ‘mmv-security[.]top.’

The researchers noted that there is “very little to distinguish” malicious or benign emails from automated emails used by legitimate services such as Dropbox. Therefore, this approach is effective in evading email security tools and convincing targets to click a malicious link.

This email was detected and held by Darktrace’s email security tool. However, on January 29 a user received another email from the legitimate no-reply@dropbox[.]com address, reminding them to open the previously shared PDF file.

Although the message was moved to the user’s junk folder, the employee went on to open the suspicious email and follow the link to the PDF file. A few days later, the internal device connected to the malicious domain mmv-security[.]top.

This link led to a fake Microsoft 365 login page, designed to harvest the credentials of legitimate SaaS account holders.

The researchers added that the approach of impersonating trusted organizations like Microsoft is an effective way of appearing legitimate to targets.

The fake Microsoft login page the user was directed to after clicking on the link in the PDF file. Source: Darktrace

Attackers Successfully Bypassed MFA

On January 31, Darktrace observed several suspicious SaaS logins from multiple unusual locations that had never previously accessed the account.

Subsequent unusual logins on February 1 were associated with ExpressVPN, indicating that the threat actors used a virtual private network (VPN) to mask their real location.

These logins appeared to use a valid MFA token, suggesting the attackers had successfully bypassed the organization’s MFA policy.

The researchers believe the employee may have unknowingly approved an MFA authentication request on their own device once the attackers had obtained the compromised credentials.

“By using valid tokens and meeting the necessary MFA requirements, threat actors are often able to remain undetected by traditional security tools that view MFA as the silver bullet,” the researchers wrote.

Despite the attackers bypassing MFA with legitimate credentials, the organization’s security team was still alerted to the intrusion after unexpected activity was identified on the SaaS accounts.

Darley told Infosecurity that the incident demonstrates that organizations can no longer rely on MFA as the last line of defense against cyber-attackers.

“MFA bypass, as in this case, is now a frequent tactic used by attackers – especially given its success in granting access to shared resources such as SharePoint files which can be exploited,” she outlined.

Threat Actor Shows Persistence

Shortly after the MFA bypass, Darktrace observed another unusual login to the SaaS account, using the HideMyAss VPN service.

On this occasion, the threat actor created a new email rule on the compromised Outlook account, which was intended to immediately move any emails from the organization’s accounts team directly to the ‘Conversation History’ mailbox folder.

The researchers said this approach is designed to avoid detection – by moving their malicious emails and any responses to them to less commonly visited mailbox folders.
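The two post-compromise signals described in this article, logins from locations the account has never used and an inbox rule that quietly diverts mail from the accounts team into a rarely visited folder, are both visible in SaaS audit logs. The following is an added illustration, not Darktrace's code or data: it runs a simple triage over constructed records in the style of Microsoft 365 unified audit log events (field names simplified; the `Country` field is assumed to be GeoIP enrichment added by a SIEM, and the user, IPs and sender addresses are made up).

```python
# Hypothetical, constructed audit records modelled loosely on Microsoft 365
# unified audit log events. Simplified; "Country" is assumed GeoIP enrichment
# added by a SIEM, not a native field. Not the records from the Darktrace case.
SAMPLE_EVENTS = [
    {"Operation": "UserLoggedIn", "UserId": "jdoe@example.com",
     "ClientIP": "203.0.113.10", "Country": "GB", "ResultStatus": "Success"},
    {"Operation": "UserLoggedIn", "UserId": "jdoe@example.com",
     "ClientIP": "198.51.100.7", "Country": "NL", "ResultStatus": "Success"},
    {"Operation": "New-InboxRule", "UserId": "jdoe@example.com",
     "Parameters": [{"Name": "From", "Value": "accounts@example.com"},
                    {"Name": "MoveToFolder", "Value": "Conversation History"}]},
    {"Operation": "New-InboxRule", "UserId": "jdoe@example.com",
     "Parameters": [{"Name": "From", "Value": "news@example.com"},
                    {"Name": "MoveToFolder", "Value": "Newsletters"}]},
]

# Per-user baseline of countries seen in successful logins before the review
# window (constructed for the example; in practice built from history).
BASELINE_COUNTRIES = {"jdoe@example.com": {"GB"}}

# Folders users rarely open; a rule routing mail here hides correspondence.
HIDING_FOLDERS = {"conversation history", "rss feeds", "rss subscriptions",
                  "archive", "junk email", "deleted items"}


def unusual_logins(events, baseline):
    """Successful logins from a country absent from the user's baseline."""
    hits = []
    for e in events:
        if e.get("Operation") != "UserLoggedIn" or e.get("ResultStatus") != "Success":
            continue
        if e.get("Country") not in baseline.get(e.get("UserId"), set()):
            hits.append(e)
    return hits


def params(e):
    """Flatten the Name/Value parameter list of an Exchange audit record."""
    return {p["Name"]: p["Value"] for p in e.get("Parameters", [])}


def hiding_rules(events, watched_senders):
    """Inbox rules diverting mail from watched senders into hiding folders."""
    hits = []
    for e in events:
        if e.get("Operation") not in ("New-InboxRule", "Set-InboxRule"):
            continue
        p = params(e)
        if (p.get("From", "").lower() in watched_senders
                and p.get("MoveToFolder", "").lower() in HIDING_FOLDERS):
            hits.append(e)
    return hits


def triage(events, baseline, watched_senders):
    """Return both signal sets so an analyst can correlate them per user."""
    return {"unusual_logins": unusual_logins(events, baseline),
            "hiding_rules": hiding_rules(events, watched_senders)}
```

Real `New-InboxRule` records can carry the `From` parameter as a list and use additional actions such as `DeleteMessage`; extend `params` and the folder check accordingly before using this against production logs.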

Additionally, the actor sent follow-up emails with subject lines such as “Incorrect contract” and “Requires Urgent Review.”

“This likely represented threat actors using the compromised account to send further malicious emails to the organization’s accounts team in order to infect additional accounts across the customer’s SaaS environment,” noted the researchers.

Phishing Attacks Are Targeted and Sophisticated

The researchers noted that it is “relatively simple” for attackers to abuse legitimate third-party solutions like Dropbox for phishing attacks, rather than relying on their own infrastructure.

Darley commented: “The case study highlights just how sophisticated cybercriminals are becoming in performing staged attacks. The emails themselves came from a legitimate ‘no-reply’ address from Dropbox that would generally send notices or links to clients.”

“The link contained in the email was also to a legitimate Dropbox storage endpoint, where a malicious file was being hosted. It was disguised as a partner document, making the emails appear legitimate,” she added.

Generative AI Assists Attackers

Darley noted that generative AI technologies are having a huge impact in enabling attackers to craft more sophisticated phishing messages.

Darktrace’s 2023 End of Year Threat Report found that over 25% of phishing cases observed in the second half of 2023 contained more than 1000 characters, which the researchers attribute largely to the capabilities provided by generative AI.

“These are not ‘payload alone’ emails with a couple of words and a dodgy link, but instead are highly crafted and wordy. There are also cases of enhanced social engineering wherein attackers will drop into existing conversation threads, impersonating colleagues or known contacts, attempting to mimic the tone of correspondence,” explained Darley.

“These instances of higher sophistication are being enabled by generative AI, which is giving bad actors more time to spend strategizing on wider scale attacks,” she added.

Image credit: Nopparat Khokthong / Shutterstock.com
