Microsoft has issued a warning about cyberattack campaigns that misuse legitimate file hosting services, such as SharePoint, OneDrive, and Dropbox, to evade security measures.
These services, widely used in enterprise environments, are being exploited to launch business email compromise (BEC) attacks, which can result in financial fraud, data theft, and further infiltration of corporate networks.
The tactic, known as “living-off-trusted-sites” (LOTS), enables attackers to blend malicious activity with regular network traffic, making it harder to detect. This strategy bypasses standard email security filters by exploiting the familiarity and trust users have in these file-sharing platforms, allowing malware delivery and phishing attempts to go unnoticed.
Since April 2024, researchers have observed a growing trend of phishing campaigns abusing these legitimate services. These attacks often begin by compromising a user within a trusted organization or vendor. The attackers then upload malicious files to the file hosting service and share them with their intended targets.
The phishing emails used in these campaigns direct the recipient to restricted, “view-only” files that require login credentials for access. Once the recipient signs in and re-authenticates using a one-time password (OTP), they are prompted to click a link to view the content.
However, this link redirects them to a fake login page, where their password and two-factor authentication (2FA) tokens are stolen. With these stolen credentials, attackers can take over the victim’s account, allowing them to launch further attacks, including BEC scams and financial fraud.
Microsoft has identified these campaigns as highly opportunistic but sophisticated in their use of social engineering, evasion techniques, and broad reach.
Alongside this, a new phishing kit called Mamba 2FA has been uncovered by researchers, offering phishing-as-a-service (PhaaS) for $250 per month. This kit helps threat actors intercept login credentials and 2FA tokens by mimicking Microsoft 365 login pages, further enabling account takeovers and fraud.
To protect against these types of attacks, businesses and individuals must be vigilant when receiving unexpected file-sharing invitations, even from trusted platforms. Always verify the source of such emails and avoid clicking on unfamiliar links or entering login credentials without checking the legitimacy of the request.
Implementing phishing-resistant multi-factor authentication (MFA) methods and educating employees about the dangers of these schemes can help prevent unauthorized access. Organizations should also maintain updated security software and regularly monitor for suspicious activities to mitigate the risks posed by such phishing campaigns.