A recent phishing campaign has been spotted that uses a trio of enterprise cloud services to steal your credentials.
What’s going on?
This phishing campaign pretends to be from a helpdesk - servicedesk[.]com - mimicking similar wordings used by real IT helpdesks. Attackers used well-known enterprise cloud services including Microsoft Dynamics, Microsoft Azure, and IBM Cloud, to host their phishing pages. This added legitimacy to their campaign and also helped them bypass security filters that trust domains associated with such legitimate enterprise services.
The mechanism behind it
- The campaign seems to be legitimate due to the presence of renowned enterprise solutions.
- Domains hosted on IBM Cloud and Azure get free SSL certificates that include the organizations’ names, taking the legitimate appearance a notch higher.
- The lack of SPF, DMARC, and DKIM validations on the servicedesk[.]com domain allows attackers to take advantage of this domain.
Some instances of phishing campaigns
Recently, attackers utilized the Google Cloud infrastructure service to conduct phishing by attaching Google firebase storage URLs in phishing emails.
- This year May, phishing campaigns were spotted using Google Firebase Storage to bypass email security filters.
- In the same month, another phishing campaign was uncovered to be spoofing notifications from Microsoft Team’s collaboration platform to pilfer Office 365 credentials.
- Last year, a spearphishing campaign hit an energy service provider, impersonating the company’s CEO to send phishing emails that leveraged Google Drive.
Cases of abusing legitimate cloud infrastructure are going through the roof. Phishing emails are a pain in the neck for users across any domain and could lead to large-scale intrusions as well. With free SSL certificates, threat actors are able to bypass spam filters and security measures. Thus, more sophisticated security standards are the need of the hour to protect against evolving cyber threats.