Anti-Phishing, DMARC , Fraud Management & Cybercrime , Social Engineering

Dropbox Used in Latest Exploit for Phishing Attacks

Darktrace Warns of Malware Hidden in PDF Stored in Dropbox
Dropbox Used in Latest Exploit for Phishing Attacks
Image: Shutterstock

Phishing attacks continue to adapt to exploit popular apps. While many phishing campaigns have focused on mobile banking and payment sites, attackers are also targeting widely used but lower-profile, cloud-based utilities such as the ubiquitous Dropbox storage platform.

See Also: Webinar | Everything You Can Do to Fight Social Engineering and Phishing

Darktrace researchers recently observed the malicious exploitation of Dropbox in a targeted phishing attack against one of its customers.

In January, Darktrace intercepted a sophisticated attack that involved employees of a Darktrace customer received seemingly innocuous emails from a legitimate Dropbox address. Attackers had embedded a malicious link in the email, posing a threat to the customer's Software-as-a-Service environment.

In the latest campaign, the attackers exploited the trust associated with Dropbox's legitimate infrastructure to deceive targets into unknowingly downloading malware or revealing sensitive information such as login credentials.

In January 2024, Darktrace/Email identified a suspicious email from 'no-reply@dropbox[.]com,' a seemingly legitimate Dropbox address. Darktrace took immediate action to prevent the email from reaching the intended recipients.

The initial infection phase of the phishing attack unfolded on January 25, when researchers at Darktrace observed an internal user in the customer's SaaS environment receiving an inbound email from the legitimate 'no-reply@dropbox[.]com' address. What made this seemingly benign email suspicious was a link embedded in it, leading to a PDF file posted to Dropbox.

Despite the legitimacy of both the email and the Dropbox endpoint, Darktrace identified a red flag: the PDF file contained a link to a domain, 'mmv-security[.]top,' previously unseen in the customer's environment. The automated nature of emails sent from fixed addresses, such as 'no-reply@dropbox[.]com,' is a tactic often employed by threat actors to convince SaaS users to follow malicious links.

Researchers further found that 'mmv-security[.]top' was a newly created endpoint reported for links to phishing by multiple security vendors. On Jan. 29, the user received another legitimate email from 'no-reply@dropbox[.]com,' reminding the user to open the previously shared PDF file.

Despite being moved to the user's junk file and having a lock link action applied by Darktrace/Email, the employee opened the email and followed the link to the PDF file, leading to a connection with the malicious endpoint.

This allowed threat actors to compromise the internal device associated with the user, connecting to the 'mmv-security[.]top' endpoint. Darktrace's subsequent observations revealed a cascade of suspicious activities, including multiple unusual SaaS logins, using VPN services to mask locations, and creating email rules to conceal malicious activities within the compromised Outlook account.

While Darktrace's rapid identification and response contained the compromise, the incident highlights the need for organizations to deploy comprehensive cybersecurity measures, including advanced threat detection and autonomous response mechanisms, to counter the evolving tactics of malicious actors exploiting trusted services for their nefarious purposes.

About the Author

Prajeet Nair

Prajeet Nair

Assistant Editor, Global News Desk, ISMG

Nair previously worked at TechCircle, IDG, Times Group and other publications, where he reported on developments in enterprise technology, digital transformation and other issues.

Around the Network

Our website uses cookies. Cookies enable us to provide the best experience possible and help us understand how visitors use our website. By browsing, you agree to our use of cookies.