ProofPoint
Office365 Safe Links
Symantec
By Jake Longden
The Cofense Phishing Defense Center has observed a wave of phishing attacks that utilize the legitimate file hosting site WeTransfer to deliver malicious URLs to bypass email gateways. The attacks span major industries like banking, power, and media. Here’s how they work.
Email Body:
The email body is a genuine notification from WeTransfer which informs the victim that a file has been shared with them. The attackers utilise what appears to be compromised email accounts to send a genuine link to a WeTransfer hosted file. As these are legitimate links from WeTransfer, this allows them to travel straight through security checks at the gateway.
WeTransfer allows for the addition of a note to the email to clarify why the file was sent. Here, the threat actor will often write a note stating that the file is an invoice to be reviewed. This is a commonly observed phishing technique to pique the user’s interest.
Fig 1. Email body
Phishing Page:
When the user clicks on the “Get your files” button in the message body, the user is redirected to the WeTransfer download page where a HTM or HTML file is hosted and thus downloaded by the unsuspecting victim. When the user opens the .html file, he or she is redirected to the main phishing page.
Fig 2. WeTransfer Hosted file
In the final stage of the attack, victims are asked to enter their Office365 credentials to login. More often than not, we see a Microsoft Service being targeted, however we have observed other targeted brands.
Fig 3. Phishing Page
Gateway Evasion
As WeTransfer is a well-known and trusted file hosting system, used to share files too large to attach to an email, these links will typically bypass gateways as benign emails, unless settings are modified to restrict access to such file sharing sites. The PDC has observed this attack method to bypass multiple gateways. These include ProofPoint, Office365 Safe Links, and Symantec.
Useful Resources for Customers
| Description | |
| Triage Yara rule: | PM_WeTransfer_File_Download |
| PhishMe Templates: | “File Transfer” |
| Cofense Intelligence: | https://www.threathq.com/p42/search/default#m=26412&type=renderThreat |
Other Ways Cofense Can Help
The Cofense Phishing Defense Center identifies active phishing attacks in enterprise environments. Learn how our dedicated experts provide actionable intelligence to stop phishing threats.
75% of threats reported to the Cofense Phishing Defense Center are credential phish. Protect the keys to your kingdom—condition end users to be resilient to credential harvesting attacks with Cofense PhishMeTM. Our solution offers a phishing simulation to protect against file-transfer attacks like the one described in this blog.
According to the Cofense Phishing Defense Center, over 91% of the credential harvesting attacks they identify bypassed email gateways. Remove the blind spot—get visibility of attacks with Cofense ReporterTM.
Quickly turn user reported emails into actionable intelligence with Cofense TriageTM. Reduce exposure time by rapidly quarantining threats with Cofense VisionTM.
Attackers do their research. Every SaaS platform you use is an opportunity for attackers to exploit it. Understand what SaaS applications are configured for your domains—do YOUR research with Cofense CloudSeeker™.
Thanks to our unique perspective, no one knows more about current REAL phishing threats than Cofense. To raise your understand, read the 2019 Phishing Threat & Malware Review.
All third-party trademarks referenced by Cofense whether in logo form, name form or product form, or otherwise, remain the property of their respective holders, and use of these trademarks in no way indicates any relationship between Cofense and the holders of the trademarks.
