Using public cloud services as landing pages, cybercriminals are attempting to phish the Office 365 credentials of unsuspecting users.
Hosting a malicious PDF and using Google’s storage.googleapis.com has become the latest trend in phishing tactics. First identified by Check Point, the PDF was made to look like a gateway to content available through SharePoint.
Should a victim follow the link, a phishing page is loaded asking the user to log in using their Office 365 credentials or organization ID. An Outlook window will launch to complete the login process, thus delivering the requested document while providing threat actors with a plethora of usable information from which they may gain access to the user's account.
Because the page is served from a legitimate hosting service and the victim obtains a genuine PDF, users are led to believe the phishing attempt is a legitimate endeavor.
Source code reveals a third-party location from which the documents are loaded. Detection is possible because the use of a redirected landing page shows some suspicious activity.
This type of activity dates back to 2018, when the phishing pages were located on a malicious website; they then moved to Azure storage and, finally, Google Cloud.
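One way to check a landing page's source for the pattern described above, as an added example that is not from Check Point or the original article. The sample URL and HTML are constructed, the function and field names are hypothetical, and the Azure host suffix is an assumption.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlparse

# storage.googleapis.com is named in the article; the Azure blob suffix is an
# assumption (the article only says "Azure storage").
CLOUD_STORAGE_HOSTS = ("storage.googleapis.com", "blob.core.windows.net")
URL_ATTRS = {"script": "src", "iframe": "src", "img": "src",
             "link": "href", "form": "action"}

class PageScan(HTMLParser):
    """Collects resource URLs and notes whether a password input is present."""
    def __init__(self, page_url):
        super().__init__()
        self.page_url = page_url
        self.resources = []          # (tag, absolute URL)
        self.has_password = False

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "input" and (a.get("type") or "").lower() == "password":
            self.has_password = True
        attr = URL_ATTRS.get(tag)
        if attr and a.get(attr):
            self.resources.append((tag, urljoin(self.page_url, a[attr])))

def scan_landing_page(page_url, html):
    """Flag a cloud-hosted page that loads third-party content and asks for credentials."""
    host = (urlparse(page_url).hostname or "").lower()
    on_cloud = any(host == h or host.endswith("." + h) for h in CLOUD_STORAGE_HOSTS)
    scan = PageScan(page_url)
    scan.feed(html)
    offsite = [(t, (urlparse(u).hostname or "").lower()) for t, u in scan.resources]
    offsite = [(t, h) for t, h in offsite if h and h != host]
    form_offsite = any(t == "form" for t, _ in offsite)
    return {
        "cloud_storage_host": on_cloud,
        "third_party_hosts": sorted({h for _, h in offsite}),
        "password_field": scan.has_password,
        "offsite_form": form_offsite,
        "suspicious": on_cloud and bool(offsite) and (scan.has_password or form_offsite),
    }

# Constructed sample: not a real page or indicator.
SAMPLE_URL = "https://storage.googleapis.com/example-bucket/index.html"
SAMPLE_HTML = """<html><body><script src="https://cdn.example.net/loader.js"></script>
<form action="https://collector.example.org/post" method="post">
<input type="email" name="user"><input type="password" name="pass"></form>
</body></html>"""

if __name__ == "__main__":
    print(scan_landing_page(SAMPLE_URL, SAMPLE_HTML))
```

The check is a triage heuristic: a hit means the page deserves a closer look, not that it is confirmed phishing.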
Indicators of Compromise