GreatHorn’s threat research team identified what appears to be a new approach to tricking unsuspecting end users into interacting with malicious URLs leading to various credential theft sites. Identified in a number of client environments, the new attack combines two different phishing techniques to reach unsuspecting users.
To date attackers have routinely relied upon trusted file sharing websites such as Google Docs, Microsoft OneDrive / SharePoint, and Dropbox as a way to convince users to interact with malicious content. Users have an inherent trust of those services which lowers their guards, and URLs for those services more easily bypass common detection methods used by many email security tools to identify malicious URLs because they are hosted on seemingly reputable websites. Last Fall, Microsoft Sway had reportedly begun to be used in the same way to host malicious URLs to credential theft websites, however the attacks were not particularly widespread. In this latest attack pattern, attackers have blended the Sway technique with the very common “voicemail” technique that has proven to bypass many email security defenses.
One of the most common attack types seen today is a fake voicemail notification with either a malicious attachment or malicious URL that ultimately aims to steal users’ credentials. Voicemail notifications prey on human curiosity—who called me and why?—and many individuals’ livelihoods are reliant upon being responsive to customers reaching out. But many of these attacks end up falling apart due to the haphazard appearance of the email notifications themselves—they simply do not look enough like a voicemail notification to entice enough users to click. This is where Microsoft Sway comes into play.
Microsoft Sway is a means to easily host multimedia content online, thus the formatting issues which can arise when attempting to put together a phishing email that is to be sent en masse are eliminated. Instead, the attacker has far more control over the content he or she is crafting and can more easily compel users to click.
Notably, the URL included in the email itself leads to a sway.office.com which makes it difficult for most email security tools to spot – in this latest round, GreatHorn researchers identified at least four separate sway.office.com URLs. Again, many services inherently trust URLs associated with Microsoft’s myriad services. Instead, it is the link associated with the DOWNLOAD text on the Sway page itself which is malicious and leads to a credential theft page.
The GreatHorn platform was able to identify this most recent round of attacks via a detection method which combines header and message analysis with deep reputation- and relationship-based analytics. The messages specifically stood out because the senders and sending domains were unassociated with voicemail-related services neither inside nor outside of the respective environments they were observed in. In other words, the emails were not originating from the voicemail services utilized by the recipient organizations, and were in fact not originating from any legitimate voicemail service at all. This method of detection rendered the presence of the Microsoft Sway URLs moot points.
In GreatHorn’s research, most of the malicious destinations have been identified and marked as malicious by a number of threat feeds. That said, it is not hard to imagine a scenario where attackers utilize a similar tactic with newly compromised or newly published credential theft sites. Perhaps even more frighteningly, it is not difficult to imagine a scenario where attackers craft even more compelling content via Sway—surveys, job offers, or any number of seemingly benign pieces of content—as a means to either steal information or install malware.