Microsoft’s latest threat intelligence report highlights an ongoing trend where threat actors exploit legitimate file-hosting services, such as OneDrive, SharePoint, and Dropbox, to deliver identity-focused phishing attacks. These services’ familiarity makes them attractive for delivering malicious links and files, leveraging their trust to bypass traditional security detections.
Attack Chain and Techniques
These phishing campaigns typically involve:
- Restricted-access files: Recipients must log in to view files, making the files appear legitimate.
- View-only settings: Disabling downloads to evade email detonation systems and avoid URL detection.
- Adversary-in-the-Middle (AiTM) pages**: Phishing pages designed to steal credentials and session cookies after users authenticate.
The tactics observed indicate an increase in defence evasion techniques. Attackers are configuring file sharing to restrict access, requiring authentication and embedding limited-time view links to make files difficult to analyse.
Mitigation Recommendations
Microsoft advises organisations to:
- Enable Conditional Access policies for enhanced identity security.
- Use multi-factor authentication (MFA) and encourage passwordless sign-in options.
- Employ network protection to block access to known malicious domains and IP addresses.
- Monitor suspicious file-sharing activity and identity verification prompts using detection tools in Microsoft Defender and Sentinel.
By enforcing these practices, organisations can reduce their risk of falling victim to identity compromise and subsequent business email compromise (BEC) attacks.
Appendix: File Hosting Services Observed
The phishing campaigns misuse the following services:
- Microsoft OneDrive
- Microsoft SharePoint
- Dropbox
For more details, see Microsoft’s full report.
Further Reading
- Microsoft – Understanding Phishing Techniques
- Defending Against Identity Theft
- Guide to Conditional Access Policies
- File Hosting Service Abuses and Defence Strategies