Analysis of Phishing Kill Chain Identifies Emerging Technique That Exploits Trust in Your Collaboration Platforms

Think of phishing and most people will think of cleverly crafted emails designed to get you to click on malicious links. But new research shows that increasingly attackers are turning to seemingly legitimate and implicitly trusted collaboration tools to penetrate enterprise defenses. Here’s what they’re doing and how you (or your security vendor) can detect and stop these attacks.

Phishing Attacks Tap Collaboration Platforms

Phishing continues to be one of the most dangerous threats to organizations, serving as an initial vector to infiltrate the organization's network or to steal its credentials. We see, on average, 8,000 entrances to phishing sites per month, all of which are blocked or logged by the Cato SASE Cloud (Figure 1).

Figure 1 – On average, we’re seeing 8,000 entrances to phishing sites per month

The bulk of phishing attacks typically rely on email domains such as Gmail to make it appear to unsuspecting victims that they are just receiving one more innocuous message from a trusted domain. But increasingly, we’re seeing the use of compromised accounts on collaboration platforms such as Microsoft “OneNote” and “ClickUp” to distribute URLs that are actually phishing attacks. Collaboration platforms have, in effect, become another vehicle for distributing malware.

Staying Under the Radar

The delivery stage of such an attack starts with an email from a compromised email account in one organization, usually a known partner, that doesn’t attract suspicion. The use of a real email account makes the phishing attack appear to be a legitimate email. Unfortunately, the email is anything but legitimate. It typically contains a social-engineering pretext and a link to a compromised “OneNote” or “ClickUp” account, which makes it challenging to detect. In the case illustrated below, the “OneNote” account even contains a “look-alike” file that is an image resource with a link that redirects the phishing victim to what appears to be the Office 365 landing page. The attackers are even prepared to replace the OneNote account with other compromised accounts if the account being used is reset.

Figure 2 – The overall phishing attack flow starts with an “innocent” email (1) linking to a compromised account (2), such as OneNote, which redirects the victim to what looks like an Office 365 login page (3).

It turns out the phishing page itself is hosted on a legitimate service called “Glitch” that is typically used for web development. The cybercriminals in this example made sure the attack would go undetected, from delivery all the way to the final landing page, by most of the security tools organizations commonly employ.

Phishing Kit Anatomy

These attacks are also notable in that once credentials are submitted, the victim’s data is sent via HTTP POST to a “drop URL” hosted on a remote server. In most of the attacks we analyzed, the PHP drop file on that server was named next.php or n.php.

Fortunately, many of the perpetrators of these attacks don’t remove the phishing kit from the attack’s web server. By probing the site, you may find the phishing kit left within the site, as in the Office 365 example below:

Figure 3 – Open directory listing contains the phishing kit

This analysis then makes it possible to identify characteristics of the phishing kit that can be used to find new ways to block phishing domains, which now routinely include collaboration platforms.

Phishing Kit Code Analysis

Going deeper, we also dissected some of the kit to uncover a few interesting pieces of code that are worth noting.

For example, we can see the email address that is used to receive the victim information (see Figure 8). Usually, phishing kits are sold on the Darknet for relatively low prices. Looking at the analyzed PHP code snippet of the phishing kit (Figure 8), the “$recipient” variable is meant to be filled in with the buyer’s drop email address to capture the compromised credentials. The comment “Put your email address here” also makes it easy for even someone with no coding skills to configure the attack settings.

Figure 4 – Phishing kit code settings

In addition, we can see the $finish_url variable is set to Microsoft’s O365 site. That means once the credentials are submitted, the victim is redirected to the official O365 website, so they don’t suspect that they were the victim of a phishing scam.

Another interesting element is the validation of the submitted credentials. If the credentials pass validation, the victim information is encoded with base64 and sent to a specific chosen URL. The URL itself is stored base64-encoded (inside the call to base64_decode) to obfuscate the destination. The purpose of this URL is to serve as a DB file holding all the victims’ information.

Figure 5 – Authentication code snippet

As can be seen in the snippet (Figure 8), the information that the phishing scam exfiltrates is not only the victim’s credentials but also additional information such as client IP, country, region, and city.

Figure 6 – Exfiltrated information

We have also analyzed domains that use the same phishing kit, which reveals a few network characteristics that can be used to block this campaign.

For example, once you submit the credentials you receive the following response from the server: {"signal":"ok","msg":"InValid Credentials"}. We have observed the same response from different phishing domains that use the same kit. This behavior can be used to detect a user who has entered the information the phishing page asked for.
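To show how the two network characteristics above (a POST to a drop file named next.php or n.php, and the fixed {"signal":"ok","msg":"InValid Credentials"} reply) translate into a detection rule, here is an added example that scores constructed web-proxy records; it is not code from the original post or from Cato, and the JSON-per-line log format is an assumption.

```python
import json
from urllib.parse import urlparse

# Drop file names observed in the analyzed kits (from the post).
DROP_FILE_NAMES = {"next.php", "n.php"}
# Fixed JSON reply the kit returns after credentials are submitted (from the post).
KIT_RESPONSE_SIGNATURE = {"signal": "ok", "msg": "InValid Credentials"}

# Constructed sample records in a hypothetical JSON-per-line proxy log format.
SAMPLE_LOG = r"""
{"src_ip": "10.1.2.3", "method": "POST", "url": "https://kit-host.invalid/next.php", "status": 200, "resp_body": "{\"signal\":\"ok\",\"msg\":\"InValid Credentials\"}"}
{"src_ip": "10.1.2.4", "method": "GET", "url": "https://intranet.invalid/n.php?page=1", "status": 200, "resp_body": "<html>ok</html>"}
{"src_ip": "10.1.2.5", "method": "POST", "url": "https://other-host.invalid/api/login", "status": 200, "resp_body": "{\"signal\":\"ok\",\"msg\":\"InValid Credentials\"}"}
{"src_ip": "10.1.2.6", "method": "POST", "url": "https://vendor.invalid/submit.php", "status": 302, "resp_body": ""}
"""


def drop_path_match(url: str) -> bool:
    """True if the request path ends in one of the kit's known drop file names."""
    path = urlparse(url).path
    return path.rsplit("/", 1)[-1].lower() in DROP_FILE_NAMES


def kit_response_match(body: str) -> bool:
    """True if the response body is exactly the kit's post-submission JSON reply."""
    try:
        data = json.loads(body)
    except (ValueError, TypeError):
        return False
    return isinstance(data, dict) and all(
        data.get(key) == value for key, value in KIT_RESPONSE_SIGNATURE.items())


def score_record(rec: dict):
    """Return (score, reasons): one point per kit characteristic the record shows."""
    reasons = []
    # The drop file only matters when credentials are actually being posted to it.
    if rec.get("method") == "POST" and drop_path_match(rec.get("url", "")):
        reasons.append("POST to known drop file name")
    if kit_response_match(rec.get("resp_body", "")):
        reasons.append("kit response signature")
    return len(reasons), reasons


def find_credential_submissions(log_text: str, min_score: int = 1) -> list:
    """Scan JSON-per-line records and return those that look like kit submissions."""
    hits = []
    for line in log_text.strip().splitlines():
        rec = json.loads(line)
        score, reasons = score_record(rec)
        if score >= min_score:
            hits.append({"src_ip": rec["src_ip"], "url": rec["url"],
                         "score": score, "reasons": reasons})
    return hits
```

A score of 2 means both characteristics matched and the user almost certainly submitted credentials; a score of 1 on the response signature alone still merits triage because the kit's reply text does not depend on the drop file name.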

Attackers Are Able to Evade Phishing Solutions

While there are many solutions for detecting phishing, we still see adversaries finding new techniques to evade them. The use of trusted collaboration platforms is much more insidious than the familiar email-based attack that most security teams already know how to counter. However, it’s also apparent that by examining code and network attributes, IT teams can detect and stop these attacks.