Cyberattackers are delivering malware by using links from whitelisted sites

Bad actors have added a new snare to their bag of social engineering tricks— malicious OneDrive, Google Drive, iCloud, and Dropbox links. A new whitepaper from Menlo Security “Is SaaS the New Trojan Horse in the Age of the Cloud?” describes this latest attack vector.

Links to these legitimate sites can often slip by standard security measures that stop malware and block access to suspicious sites. Many of these services are whitelisted by security products because they are approved services, meaning that an enterprise has few or no defenses against these advanced attacks. These services are the latest tactic designed to dupe users into divulging their credentials or unknowingly download and install malware.

SEE: How to get users on board with essential security measures (free PDF)

How the attack works

First an attacker hosts a malicious document in a cloud storage account as a raw or Zip file. The next step is to share the document, which could look like an invoice, statement of work, or contract, with targeted users. The email is designed to match the individual’s job responsibilities and looks legitimate.

Once the document is opened, users are encouraged to click on a link that takes them to a fake web form where they are prompted to provide their credentials. These stolen credentials create another threat vector to steal information or access other business systems. 

Credential stuffing is one of the most common ways that hackers steal data. Bad actors use credentials (usernames and passwords) stolen from one website to try to get into other websites’ login pages to gain unauthorized access to accounts. This works well because of the human habit of using the same password on many accounts.

These malicious links also can deliver malware to the user’s machine to allow the attackers to control the device to spread malware to other systems.
According to the Menlo research, Microsoft OneDrive alone accounted for 90% of all attacks that used online personal storage. These links often bypass traditional security layers, such as the proxy, and connect directly to Microsoft. This direct connection means users have faster email access and attachment downloads, but it also creates an unguarded entry into the corporate network.
To avoid this security problem, Microsoft recommends user training that helps people identify bad links, such as hovering over a link to see the actual URL and watching for typographical errors and misspellings.

Guaranteeing 100% security

At RSA 2020, Menlo announced $1 million to any of the company’s customers that experiences an infection from malware. Kowsik Guruswamy, Menlo’s chief security officer, said it can make such an expensive promise because the company has complete faith in its isolation strategy. Instead of using detection engines to spot dangerous websites, Menlo provides customers with a browser in the cloud that protects enterprises from known security threats.

“We have figured out a way to take what the isolated browser sees and mirror it back to the local browser,” he said.

Guruswamy said the isolation approach protects companies from user workarounds and allows users to maintain access to familiar tools. He used the example of doctors who need to check a Gmail account while at the hospital. 

“Lots of doctors have patients outside the hospital that they need to check on, but many hospitals block Gmail,” he said. 

Guruswamy said that isolation is the only way to truly achieve zero trust.
“Our contention is that what many people call zero trust is more like conditional trust,” he said. By assuming that all traffic is risky and executing all browser code in the cloud, that creates a virtual air gap between the internet and the company.

Menlo has applied the same approach to email by creating a gateway that integrates with Office 365. Before a link lands in an inbox, the gateway changes the link to run it through the cloud proxy. The software doesn’t analyze the link until a user clicks on it.

“The link goes through our isolated browser and we allow admins to put the entire webpage into read only mode,” he said. “If you can’t type in your email and password, you can’t be phished.”    

Also see