- The file-hosting service is used to deliver malicious URLs in order to avoid email gateways.
- It was reported that the links were leveraged to steal the victim’s Office365 credentials.
Popular file-hosting service WeChat is being exploited in the wild as attackers are using it to spread phishing campaigns. This recent discovery was made by security firm Cofense. The threat used this platform to deliver malicious URLs so that they avoid email security gateways. According to Cofense, the actors are targeting major industries such as banking, energy, and media from these campaigns.
The big picture
- Victims receive an email notification from WeTransfer that notifies of a file shared with them. The links in these emails are legitimate. But, it contains an HTML file that redirects to the phishing page once downloaded.
- The experts from Cofense suggested that the attackers used compromised email accounts to send these malicious files. Furthermore, the email body describes an invoice to be reviewed by the victim.
- The phishing page asks victims to enter their Office365 credentials. However, other services apart from Microsoft accounts are also targeted.
The Cofense team indicates that this new style of delivering URLs through file-hosting services was to avoid email security gateways. “As WeTransfer is a well-known and trusted file hosting system, used to share files too large to attach to an email, these links will typically bypass gateways as benign emails, unless settings are modified to restrict access to such file sharing sites,” said the researchers in their blog post.
“The PDC (Cofense team) has observed this attack method to bypass multiple gateways. These include ProofPoint, Office365 Safe Links, and Symantec,” concluded the researchers.