Fast-Growing Dropbox Campaign Steals Microsoft SharePoint Credentials

Threat actors are using messages sent from Dropbox to steal Microsoft user credentials in a fast-growing business email compromise (BEC) campaign. The effort evades natural language processing (NLP)-based security scans, and demonstrates the rapid evolution of these types of attacks.

Researchers at Check Point Harmony observed more than 5,000 of the attacks — in which fake login pages lead victims to a credential-harvesting site — in the first two weeks of September alone, they revealed in a recent blog post. They informed Dropbox of the campaign's existence on Sept. 18.

The attack is yet another example of the latest iteration of BEC — BEC 3.0 — in which attackers use legitimate sites that are familiar and trusted by end users to send and host phishing material, the Check Point Team wrote in the post. Other popular sites used in BEC 3.0 attacks include Google, QuickBooks, and PayPal.

"The legitimacy of these sites makes it nearly impossible for email security services to stop and for end users to spot," according to the post. "It's one of the cleverer innovations we've seen, and given the scale of this attack thus far, it's one of the most popular and effective."

Indeed, the attacks are dangerous for users because they evade both NLP technology and the URL scanning that email security technology uses to flag messages as suspicious.

"NLP is useless here — the language comes directly from legitimate services and nothing is awry," according to the post. In a similar way, trying to flag a suspicious URL doesn't work either, since the links used in the messages direct to a legitimate Dropbox site.

Direct from Dropbox

Messages in the campaign observed by researchers appear to come directly from Dropbox, letting users know they have a file or files to download. Clicking on a link included in the message leads potential victims to another page, where they are instructed to click on a link to start the download.

This second step in the campaign is notable in that the page to which users are directed is hosted on a legitimate Dropbox URL. However, the page is branded as OneDrive, a Microsoft cloud storage and download service.

If users don't pick up on the discrepancy, the link on this secondary page — which pretends to take users to their file or files — leads to a phishing site that looks like a login for Microsoft SharePoint, asking people to enter their credentials. This final page in the campaign is hosted outside of Dropbox.

The case is a perfect example of so-called BEC 3.0, the researchers noted, which makes use of cloud services. While BEC attacks have long spoofed or impersonated legitimate entities, BEC 3.0 represents a whole new challenge for defenders because it creates attacks that appear to come from legitimate services, making them particularly difficult to stop and identify, both from security services and end users, the Check Point Team said.

Avoiding BEC Compromise

There are some steps organizations can take both to help their employees identify BEC 3.0 attacks and also stop them before they even get to the end user, the researchers said. For the former, organizations should educate users on common tactics and encourage them to pause and take notice of suspicious activity before clicking on emails from unfamiliar sources or unsolicited links, according to the post.

For example, the discrepancy between receiving an email from a Dropbox domain and receiving a page linking to a OneDrive account should be a giveaway that the Dropbox campaign is malicious, the Check Point researchers noted. A savvy user could then identify this and delete the message before even getting to the phishing page.

Deploying a comprehensive security solution that includes document- and file-scanning capabilities, AI defenses, as well as a robust URL-protection system that conducts thorough scans and emulates webpages for enhanced security can also help thwart BEC 3.0 campaigns, according to Check Point.

Businesses should take note given that BEC attacks are on the rise, not just in numbers but in sophistication. In 2022, the FBI reported that it logged more than 21,000 BEC complaints, amounting to adjusted losses of more than $2.7 billion, and that the attack vector has cost businesses worldwide more than $50 billion in the last 10 years. That figure reflected a growth in business losses to BEC of 17% year-over-year in 2022.

"That's why these attacks are increasing in frequency and intensity," the Check Point team wrote in the post.