Each Blox Tale will take a look at a targeted email attack, outline why it made its way into an inbox, and highlight how Armorblox was able to detect the attack. In this blog, we’ll focus on a credential phishing attempt where attackers hosted the phishing site on Box. The email claimed to come from a legitimate third-party vendor and included a link to a secure document. Clicking the link led readers to a page hosted on Box, followed by a credential phishing page that resembled the Office 365 login portal.
A summary of the attack flow is given below:
Fig: A summary of the credential phishing attack hosted on Box
A few days ago, we saw a credential phishing attempt land in multiple customer inboxes. This email claimed to come from a third-party vendor and asked readers to review a secure document of a financial nature. Clicking the link took the targets to a page hosted on Box, a popular file-sharing solution. This page contained a document that claimed to be hosted on OneDrive and included a link to access the document. Clicking this link redirected users to the final credential phishing site, which resembled the Office 365 login portal.
A snapshot of the email is given below:
Why The Attack Got Through
This email got past existing email security controls because it lacked the markers those controls look for in traditional phishing: the sender domain was legitimate, the first link pointed to a reputable host, the final domain was too new to be on any blocklist, and the message was targeted rather than sent in bulk.
1. Got past email authentication checks
Both the sender name and domain indicate that the email came from a legitimate third-party vendor’s account, so it passed email authentication checks. Note that SPF, DKIM and DMARC only verify that a message was sent by infrastructure authorized for the domain; they say nothing about whether the account holder actually sent it. The domain for the email - tidewaterhomefunding[.]com - belongs to a home mortgage lending company in Virginia. It’s possible that attackers got hold of an employee’s credentials at Tidewater Home Funding and then used the legitimate email account to launch follow-on attacks.
Fig: Email header showing the (legitimate) domain of the sender
2. Phishing page hosted on legitimate site
The first page in this attack flow was hosted on Box, leveraging the reputation of the Box domain to get past any filters used to block known bad domains. The page looked like it was hosting a document that was shared over OneDrive, with plenty of Microsoft branding used to lull users into a false sense of security. The document displays ‘Secured by OneDrive’ on the top left corner, ‘OneDrive for Business’ emblazoned on the center, and ‘Powered by Office 365’ on the bottom left corner.
A closer look reveals some inconsistencies with the branding, but busy users are likely to rush through this page and click the very prominent ‘Access Document’ button to go to the final credential phishing page.
3. Zero-day link and lookalike pages
When users clicked on the ‘Access Document’ link on the Box page, they were redirected to a page resembling the Office 365 login portal. The parent domain for this page - nantuckettravel[.]icu - was created on 15 June 2020. Because the domain was only days old, it had no reputation and did not appear on any list of known bad domains, so filters that rely on such lists let the link through. More details about this domain are given below:
Both these pages - the first one hosted on Box and the final Office 365 phishing site - would pass most eye tests during a busy morning (which is when the email was sent out), with people assuming them to be legitimate.
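The two link-level checks this section and the previous one describe, as an added example (Python written for this post, not Armorblox code): extract the URLs in the click chain, reduce each to its registrable domain, flag any domain younger than a cutoff or with no creation record at all, and flag a chain whose first hop sits on a trusted file-sharing host but whose last hop leaves it (the pattern the detection section below calls a suspicious redirection). The sample email body, the Box page’s outbound link, the domain `lookalike-login.icu`, the creation dates, the age cutoff and the trusted-host list are all constructed for the example; a real deployment would take creation dates from RDAP/WHOIS and the suffix handling from the Public Suffix List.

```python
"""Link-chain analysis for a phishing email whose first hop is on a trusted
file-sharing host and whose final hop is a newly registered domain.
Added example for this post, not Armorblox code. All inputs are constructed."""
import re
from datetime import date
from urllib.parse import urlparse

URL_RE = re.compile(r"https?://[^\s\"'<>)]+")

# Date the analysis runs on (constructed; the real domain was created 15 June 2020).
ANALYSIS_DATE = date(2020, 6, 18)

# Domains younger than this are treated as "zero-day" links (constructed cutoff).
MAX_AGE_DAYS = 30

# Hosting domains attackers abuse for the first hop because their reputation is
# good. Constructed allowlist for this example.
TRUSTED_FILE_HOSTS = {"box.com", "dropbox.com", "sharepoint.com"}

# Minimal stand-in for the Public Suffix List so that a.b.co.uk -> b.co.uk.
TWO_LABEL_SUFFIXES = {"co.uk", "com.au", "co.jp"}

# Stand-in for an RDAP/WHOIS lookup keyed by registrable domain. Both entries
# and dates are placeholders constructed for this example.
DOMAIN_CREATED = {
    "box.com": date(2005, 1, 1),
    "lookalike-login.icu": date(2020, 6, 15),
}


def extract_urls(text):
    """Pull every http(s) URL out of an email body or an HTML fragment."""
    return URL_RE.findall(text)


def registrable_domain(host):
    """app.box.com -> box.com; files.example.co.uk -> example.co.uk."""
    labels = host.lower().rstrip(".").split(".")
    if len(labels) >= 3 and ".".join(labels[-2:]) in TWO_LABEL_SUFFIXES:
        return ".".join(labels[-3:])
    return ".".join(labels[-2:])


def domain_age_days(domain, today=ANALYSIS_DATE):
    """Age in days, or None when there is no creation record to consult."""
    created = DOMAIN_CREATED.get(domain)
    return None if created is None else (today - created).days


def analyze_chain(hops, today=ANALYSIS_DATE, max_age_days=MAX_AGE_DAYS):
    """hops: URLs in click order (email link first, then the link found on the
    landing page). Returns the signals a filter would act on."""
    domains = [registrable_domain(urlparse(u).hostname or "") for u in hops]
    young = []
    for d in domains:
        age = domain_age_days(d, today)
        # An unknown age is treated as suspicious too: a domain should not get a
        # pass just because no creation record was available.
        if age is None or age <= max_age_days:
            young.append((d, age))
    leaves_trusted_host = (
        len(domains) >= 2
        and domains[0] in TRUSTED_FILE_HOSTS
        and domains[-1] not in TRUSTED_FILE_HOSTS
    )
    return {
        "domains": domains,
        "young_domains": young,
        "leaves_trusted_host": leaves_trusted_host,
        "suspicious": bool(young) or leaves_trusted_host,
    }


# Constructed sample: the email's call to action and the outbound link on the
# Box-hosted page. The share id, host and path are placeholders.
EMAIL_BODY = "Click here to pick up your documents: https://app.box.com/s/constructed-share-id"
BOX_PAGE_HTML = '<a href="https://lookalike-login.icu/office365/">Access Document</a>'


def analyze_sample():
    """Run the chain from the constructed email through the constructed Box page."""
    hops = extract_urls(EMAIL_BODY) + extract_urls(BOX_PAGE_HTML)
    return analyze_chain(hops)


if __name__ == "__main__":
    print(analyze_sample())
```

Treating a missing creation record the same as a very young domain matters in practice: attackers register throwaway domains on TLDs where lookups are slow or unavailable, and a filter that fails open on lookup errors is exactly what a zero-day link exploits.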
4. Socially engineered
Unlike spray-and-pray email fraud attempts, this email was expressly created and sent to trigger the required response. The email was sent from a legitimate third-party vendor account, leaving little cause for suspicion when people glanced through it amidst hundreds of other emails in their overflowing mailboxes. The email language and topic were intended to induce urgency owing to their financial nature. The call to action - Click here to pick up your documents - is simple and effective. The footer text informs readers that the email link will only be active for a limited time, furthering the sense of urgency.
How Armorblox Detected The Attack
Armorblox was able to detect the email attack based on the following insights:
1. Language, intent, and tone
Armorblox language models have been trained on large volumes of data and further customized to each customer environment. These models analyzed the email body and detected an unusual request (a common trait of business email compromise attacks).
2. Low communication history
Armorblox detected that the sender email in question had a low communication history with the victim’s email account. While not a violation in itself, this insight is critical when compared with other unusual signals and can catch highly targeted attacks.
3. Low domain frequency
Armorblox ML models have three tiers - a global model, an organization-specific model, and a mailbox-specific model. While the mailbox-specific model was able to detect low communication history between the sender and the receiver, the organization-specific model also detected that the attacker’s domain had not communicated with the target company as a whole.
4. Suspicious redirections
This attack redirects from Box to a page resembling Office 365, which is highly suspect: a genuine Box share serves the file from Box itself. Armorblox detected the anomalous pattern of the link on the Box page sending users to another domain instead of the file being hosted on Box.
Based on the insights above, along with many other detection signals, Armorblox flagged the email as a credential phishing threat. The email was automatically deleted based on predetermined remediation actions for the credential phishing detection category.
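The communication-history signals (2 and 3 above) and how they combine with the content and link signals, as an added example (Python written for this post, not Armorblox code). It builds the two tiers the post describes, a per-mailbox sender history and an organization-wide sender-domain frequency, from a message trace, then weighs them together with the "unusual request" and "suspicious redirection" signals. The message trace, the organization domain `victimcorp.example`, every address in it, the thresholds and the weights are all constructed; the point is that a new sender alone scores below the alert line, as the post notes, while the same sender plus an unusual request and a redirecting link does not.

```python
"""Communication-history signals from a constructed message trace, combined
with content and link signals into a verdict.
Added example for this post, not Armorblox code. All inputs are constructed."""
from collections import Counter

# The protected organization (constructed).
ORG_DOMAIN = "victimcorp.example"

# Constructed message trace: (sender, recipient). A real one would come from
# the mail platform's message-trace or journaling data.
MAIL_LOG = [
    ("billing@known-supplier.example", "alice@victimcorp.example"),
    ("billing@known-supplier.example", "alice@victimcorp.example"),
    ("billing@known-supplier.example", "alice@victimcorp.example"),
    ("billing@known-supplier.example", "bob@victimcorp.example"),
    ("pm@known-supplier.example", "carol@victimcorp.example"),
    ("hr@victimcorp.example", "alice@victimcorp.example"),
    # Outbound mail does not count toward a sender's inbound reputation.
    ("alice@victimcorp.example", "billing@known-supplier.example"),
]

# Constructed thresholds: fewer messages than this is "low".
MIN_PAIR_MESSAGES = 3
MIN_DOMAIN_MESSAGES = 3

# Constructed weights. History signals are weak on their own (a brand-new
# vendor is not a violation); content and link signals carry more weight.
WEIGHTS = {
    "low_communication_history": 1,
    "low_domain_frequency": 1,
    "unusual_request": 2,
    "suspicious_redirect": 2,
}
ALERT_THRESHOLD = 4


def domain_of(addr):
    return addr.rsplit("@", 1)[1].lower()


def build_history(log):
    """Mailbox tier: messages per (sender, recipient) pair.
    Organization tier: inbound messages per sender domain across the org."""
    pair_counts = Counter()
    domain_counts = Counter()
    for sender, recipient in log:
        if domain_of(recipient) != ORG_DOMAIN:
            continue
        pair_counts[(sender.lower(), recipient.lower())] += 1
        domain_counts[domain_of(sender)] += 1
    return pair_counts, domain_counts


def history_signals(history, sender, recipient):
    """Evaluate a new message against both tiers."""
    pair_counts, domain_counts = history
    pair = pair_counts[(sender.lower(), recipient.lower())]
    dom = domain_counts[domain_of(sender)]
    return {
        "pair_messages": pair,
        "domain_messages": dom,
        "low_communication_history": pair < MIN_PAIR_MESSAGES,
        "low_domain_frequency": dom < MIN_DOMAIN_MESSAGES,
    }


def verdict(history_sig, unusual_request, suspicious_redirect):
    """Combine the four signals; only the weighted sum decides."""
    hits = {
        "low_communication_history": history_sig["low_communication_history"],
        "low_domain_frequency": history_sig["low_domain_frequency"],
        "unusual_request": unusual_request,
        "suspicious_redirect": suspicious_redirect,
    }
    total = sum(WEIGHTS[name] for name, on in hits.items() if on)
    return {
        "score": total,
        "flagged": total >= ALERT_THRESHOLD,
        "reasons": [name for name, on in hits.items() if on],
    }


if __name__ == "__main__":
    hist = build_history(MAIL_LOG)
    newcomer = history_signals(hist, "agent@new-vendor.example", "alice@victimcorp.example")
    print(verdict(newcomer, unusual_request=False, suspicious_redirect=False))
    print(verdict(newcomer, unusual_request=True, suspicious_redirect=True))
```

Keeping the two tiers separate is what lets the model distinguish a colleague at a known supplier who has simply never written to this mailbox (low pair count, healthy domain count) from a domain the organization has never heard from at all, which is the case the post describes.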