Dropbox, a popular cloud storage service, has become an unexpected tool in the hands of cybercriminals. Malicious actors are leveraging the platform to distribute phishing emails, a tactic that is becoming increasingly difficult to defend against.
How Does It Work?
Traditionally, phishing emails contain malicious links or attachments which, when clicked or downloaded, can infect a device with malware, or ask a user to put their login details into a fake website where an attacker can then steal them. However, cybercriminals are now using Dropbox to host these malicious files, which makes their attacks more convincing and, importantly, harder to block. This is because they can now get into a user's email inbox in the same way that a legitimate Dropbox email can when a file is shared.
Here is what we are seeing:
- The Phishing Email: A seemingly legitimate email arrives in your inbox, often posing as a notification from a trusted organisation such as a partner organisation.
- The Malicious Link: The email contains a link that directs you to a Dropbox file. This file is named something like proposal.pdf to get you to open it.
- The Malicious File: The Dropbox file, disguised as a proposal pdf document, contains a link in it to access the file. Once you click this link, a phishing website opens up.
- The Phishing website: The Phishing website appears to be the login page for Microsoft, but on checking the website address we can see that it is not the legitimate site. It asks for a username and password.
- Logging in: If you put your username and password into the website, it will then ask for your Multi Factor Authentication (MFA) code. Effectively this site sits in the middle between the user and the actual Microsoft site, and relays the username, password and, later, the MFA code on to it.
- Automated Attack: Once the attacker obtains your login details, we can see that there are then multiple attempts from different countries to log in as that individual. This indicates that the attack is automated and that the attackers are trying to bypass any location restrictions that are in place.
- Successful Attack: When the attack is successful, the cybercriminals gain access to your mailbox. This is called Business Email Compromise (BEC) and is often the starting point for an attacker to monetise the attack, most likely invoice fraud.
Why Dropbox?
- Legitimacy: Dropbox is a widely recognized and trusted platform. This makes it easier for cybercriminals to bypass initial security checks because most organisations would allow and expect emails to come in from Dropbox. It is important to note that other file sharing sites have also been used for Phishing purposes in a similar way but Dropbox is arguably the most well known.
- File Sharing Simplicity: Dropbox offers easy file sharing capabilities, allowing attackers to quickly distribute malicious content to a large number of potential victims.
- Security Bypass: By hosting malicious files on Dropbox, attackers can circumvent traditional email security measures that often filter out suspicious attachments.
Protecting Yourself from Dropbox-Based Phishing Attacks
While Dropbox itself is not inherently malicious, it is essential that you remain vigilant and take proactive steps to protect your organisation from these types of phishing attacks. Below are a number of key steps that you can take to help mitigate risk:
- Training for your staff: One of the first questions that the Information Commissioner’s Office (ICO) will ask in the case of a serious data breach is likely to be whether staff have received adequate training. It is really important to make sure that staff know what to look out for when it comes to Phishing Attacks. Equally important is that they understand how to report any Incidents so that the Detection and Response function is able to respond effectively.
- Phishing Simulations: You can supplement end user awareness training with Phishing Simulations to ensure staff are keeping a keen eye out for any malicious emails. If a password has been compromised, you also need to be sure that it is not a password that is used on other important systems, as the attackers now have access to it.
- Enable Multi-Factor Authentication: Whilst MFA was not effective in this instance, it is still the best control that we have for strengthening access to cloud based systems and should be in place wherever possible.
- Geo-Location Blocking: We found that Geo-location Blocking policies in Office 365 were very effective in blocking this type of attack. They should therefore be implemented as an additional layer of protection to the login process.
- Microsoft 365 Security: As a key system that organisations use to process critical information, ensure you are getting the most out of the Microsoft Security stack as there are some really powerful tools in there. Smartdesc can help with a Microsoft 365 Assessment and feed into a roadmap or explanation of the capabilities that you can leverage.
- Managed Detection and Response (MDR): Having an effective way to respond to security incidents is as important as having strong preventative measures in place. MDR solutions are available in different shapes and sizes to help ensure that your risk is lower when an incident does occur.
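Two of the points above, the automated login attempts from multiple countries seen after credentials are stolen and the geo-location blocking that stopped them, can be turned into a simple detection. The script below is an added example written for this page, not Smartdesc's tooling or Microsoft's: it parses a handful of constructed sign-in log lines (the five-column format is an assumption and is not the Microsoft 365 sign-in log schema), flags any account with attempts from several countries inside a one-hour window, and lists the successful sign-ins that a country allowlist, here assumed to be GB only, would have blocked.

```python
"""Detection example: flag accounts whose sign-in attempts arrive from several
countries within a short window, and show what a geo allowlist would have blocked.

Added illustration for this article, not Smartdesc's or Microsoft's code.
The log lines are constructed and the column layout
(timestamp user result country ip) is an assumption, not the M365 schema.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample: alice's credentials were phished and are being replayed
# from several countries within minutes; bob's activity is normal.
SAMPLE_SIGNIN_LOG = """\
2024-05-02T08:01:12Z alice@example.org SUCCESS GB 203.0.113.10
2024-05-02T08:14:40Z alice@example.org FAILURE US 198.51.100.7
2024-05-02T08:15:02Z alice@example.org FAILURE NG 192.0.2.55
2024-05-02T08:15:30Z alice@example.org SUCCESS RU 192.0.2.90
2024-05-02T09:30:00Z bob@example.org SUCCESS GB 203.0.113.22
2024-05-02T16:45:00Z bob@example.org SUCCESS GB 203.0.113.22
"""

# Assumed allowlist for a UK-only organisation (constructed for the example).
ALLOWED_COUNTRIES = {"GB"}


def parse_log(text):
    """Parse the constructed log format into a list of event dicts."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, result, country, ip = line.split()
        events.append({
            "time": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
            "user": user.lower(),
            "result": result,
            "country": country,
            "ip": ip,
        })
    return events


def find_multi_country_users(events, window=timedelta(hours=1), min_countries=3):
    """Return {user: sorted countries} for every user with sign-in attempts
    (successful or failed) from at least min_countries distinct countries
    inside any sliding window of the given length."""
    by_user = defaultdict(list)
    for e in events:
        by_user[e["user"]].append(e)
    flagged = {}
    for user, evs in by_user.items():
        evs.sort(key=lambda e: e["time"])
        for i, start in enumerate(evs):
            countries = {start["country"]}
            for later in evs[i + 1:]:
                if later["time"] - start["time"] > window:
                    break
                countries.add(later["country"])
            if len(countries) >= min_countries:
                flagged[user] = sorted(countries)
                break
    return flagged


def geo_policy_blocks(events, allowed=ALLOWED_COUNTRIES):
    """Simulate a country allowlist: return the successful sign-ins that a
    geo-location restriction would have refused."""
    return [e for e in events
            if e["result"] == "SUCCESS" and e["country"] not in allowed]


if __name__ == "__main__":
    evs = parse_log(SAMPLE_SIGNIN_LOG)
    for user, countries in find_multi_country_users(evs).items():
        print(f"ALERT {user}: attempts from {', '.join(countries)} within 1h")
    for e in geo_policy_blocks(evs):
        print(f"WOULD-BLOCK {e['user']} from {e['country']} ({e['ip']})")
```

The multi-country check deliberately counts failed attempts as well as successes, because the spread of failures from different countries is what reveals the automated replay before the attacker finds a route that works; the allowlist check shows that the one sign-in that did succeed from outside the allowed region is exactly the one a Conditional Access country restriction would have stopped.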
If you are interested in learning more about any of the above, you can book into a free Information Security consultation here to talk to one of our Information Security Team who will be happy to answer your questions.