SharePoint, OneDrive and Dropbox targeted by BEC attacks
Microsoft Threat Intelligence reported that it has observed threat actors abusing legitimate file hosting services such as SharePoint, OneDrive and Dropbox with the aim of launching business email compromise (BEC) attacks.
In an Oct. 8 blog post, the Microsoft researchers said the threat actors send files with restricted access and “view-only” restrictions — files that typically can more easily circumvent standard security controls.
The researchers said they have noticed threat actors increasing these attacks since mid-April — tactics that let them steal credentials then plant malicious files into the victim’s file sharing app. The victims are then asked to re-authenticate, which takes them to the malicious site and the various BEC attacks that result in financial fraud, data exfiltration, and lateral movement.
“While these campaigns are generic and opportunistic in nature, they involve sophisticated techniques to perform social engineering, evade detection, and expand threat actor reach to other accounts and tenants,” wrote the researchers.
