Cofense Email Security

Beware of File-Share Phish

By Kyle Duncan, Cofense Phishing Defense Center

There will always be a document to sign or a file to share. With the pandemic still raging and employees adapting to a work-from-home lifestyle, file shares provide a reasonably safe and effective way to get a document from one person to another. Threat actors have taken notice: the Cofense Phishing Defense Center has discovered fraudulent file-share emails designed to deceive users. In this campaign, the threat actor has taken steps to appear as a trusted contact.

Figure 1: Email Body

The email seen in Figure 1 originated from a compromised account. Judging from the domain of the email, the user, “Harvey,” is in the same career field as the recipient. Presumably the threat actor sent this phish email to contacts in the compromised user’s account. Sending malicious emails to contacts through a compromised account lets the threat actor abuse the contacts’ trust while passing SPF and/or DKIM checks: those mechanisms counter address spoofing, but they do nothing against mail sent from a legitimately authenticated yet compromised account, as is the case here.

The email body is typical of any other file-share email. Under the file-share box is the contact detail information for the compromised user, including their name, role, phone number and a confidentiality notice to lend legitimacy to the email.

Hovering over the “View Shared Documents” button in the email shows that the intended destination is a Piktochart presentation. This is not an original tactic: the use of third-party hosting sites such as Piktochart to host malicious pages has become increasingly common because the services are generally free and are rarely blocked by secure email gateways (SEGs).

Figure 2: Phishing Page

When the link is clicked, users are redirected to the Piktochart presentation seen in Figure 2. On this page is another declaration that the compromised user’s company is sharing a secured document, followed by a reiteration of the sender’s name, title, and contact information already seen in the email. Notably, there is a discrepancy between the name of the person who published this Piktochart document and the name of the sender, a loose end the threat actor seems to have overlooked.

Hovering over the PDF icon reveals the destination address:

hXXps://buiewrsd[.]tk/%23%24%25%5E%26

Figure 3: Phishing Page

The user is then directed to a fake Atlassian login page, seen in Figure 3. This page shares many similarities with a legitimate Atlassian login; however, it lacks many of the customer service links found on the legitimate page. Once here, users are prompted to select an email provider to sign in with in order to view their files.

Figure 4: Phishing Page

After choosing which account to log in with, the user is taken to a page corresponding to that brand, as shown in Figure 4. Once the user has entered their credentials, they are sent to the Microsoft Office homepage. This is likely an attempt by the threat actor to make the user think there was simply an error and overlook the fact that they have entered details into a phishing site.

As always, threat actors will stop at nothing to gain a user’s trust and, in turn, use that trust to lead them to malicious links and/or files. In this case, the threat actor compromised a user in the same field as the recipient and utilized the trust between the two contacts as a means of delivering their attack successfully.

With Cofense Managed Phishing and Defense, provided through our Phishing Defense Center (PDC), enterprises benefit from our complete view of real phish. An email won’t be judged on whether it comes from a “trusted” or “known” contact but rather on its content and whether there was malicious intent. This is why, in five years, no customer using the Cofense PDC has experienced a breach resulting from a phishing attack.

We’re here to help. To learn more about our phishing-detection-and-response track record, reach out any time.

Indicators of Compromise

URL: hXXps://buiewrsd[.]tk/%23%24%25%5E%26
IP: 209.141.60.237
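The two points above, that SPF/DKIM passes tell you nothing when the sending account itself is compromised, and that the real destination of a "View Shared Documents" button only shows up when you inspect the link, can be turned into a simple triage check. The script below is an added example, not Cofense tooling: it refangs the published indicator, pulls every link out of a constructed sample email, and flags links by destination host regardless of the authentication results. The Piktochart domain and the sample message are assumptions made for the example.

```python
import re
from urllib.parse import urlparse

# Defanged indicator exactly as published in the IoC section; refanged at runtime.
DEFANGED_IOCS = ["hXXps://buiewrsd[.]tk/%23%24%25%5E%26"]

# Third-party hosting service the post says is abused for landing pages
# (domain is an assumption for this example).
ABUSED_HOSTING = {"piktochart.com"}

URL_RE = re.compile(r"https?://[^\s\"'<>]+")


def refang(ioc: str) -> str:
    """Turn hXXp(s):// and [.] back into a URL that urlparse understands."""
    return re.sub(r"^hXXp", "http", ioc, flags=re.IGNORECASE).replace("[.]", ".")


def host_of(url: str) -> str:
    return (urlparse(url).hostname or "").lower()


IOC_HOSTS = {host_of(refang(i)) for i in DEFANGED_IOCS}


def analyze(raw_email: str) -> dict:
    """Classify every link by destination host; SPF/DKIM results are recorded but never trusted."""
    auth = re.search(r"Authentication-Results:.*", raw_email)
    auth_pass = bool(auth and "spf=pass" in auth.group(0) and "dkim=pass" in auth.group(0))
    hits = []
    for url in URL_RE.findall(raw_email):
        host = host_of(url)
        if host in IOC_HOSTS:
            hits.append((url, "known IoC"))
        elif any(host == d or host.endswith("." + d) for d in ABUSED_HOSTING):
            hits.append((url, "third-party hosting"))
    return {"auth_pass": auth_pass, "hits": hits}


# Constructed sample: a message from a compromised (so fully authenticated) account whose
# button leads to a third-party hosting page, plus the IoC link found behind the PDF icon.
SAMPLE_EMAIL = """\
Authentication-Results: mx.example.test; spf=pass; dkim=pass
From: Harvey <harvey@example-firm.test>
Subject: Shared document

<a href="https://create.piktochart.com/output/constructed-example">View Shared Documents</a>
PDF icon on the landing page points to: https://buiewrsd.tk/%23%24%25%5E%26
"""
```

A message that passes SPF and DKIM can still carry both a known IoC and a third-party hosting link, which is the whole point of the check.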
All third-party trademarks referenced by Cofense whether in logo form, name form or product form, or otherwise, remain the property of their respective holders, and use of these trademarks in no way indicates any relationship between Cofense and the holders of the trademarks. Any observations contained in this blog regarding circumvention of end point protections are based on observations at a point in time based on a specific set of system configurations. Subsequent updates or different configurations may be effective at stopping these or similar threats. Past performance is not indicative of future results.
The Cofense® and PhishMe® names and logos, as well as any other Cofense product or service names or logos displayed on this blog are registered trademarks or trademarks of Cofense Inc.