Hackers Attempt to Steal Microsoft Account Login Data Using a Clever Google Drive Scam

Phishing Attack Uses Google Drive

Some login credentials are more valuable than others, and not surprisingly, the phishing attacks aimed at the important accounts tend to be much more sophisticated and well thought through. In January, researchers from Check Point stumbled upon a phishing campaign, which they only wrote about on Tuesday, and it shows just how hard a well-designed attack can be to detect.

Scammers tried to steal users' Office 365 credentials with a clever phishing attack

The emails were sent to employees of organizations that use Office 365. First, the message would redirect the victim to a cloud-hosted PDF file that contained a link, supposedly leading to a shared document the employee would be interested in. The link redirected to what looked like a SharePoint login page that asked the user to sign in. They could do so either with their Office 365 credentials or with their organization ID. Whichever option they chose, a popup with a convincing-looking Microsoft login form would appear, and any information they entered into it would be sent directly to the crooks.

If you go through Check Point's screenshots, you'll see that the grammatical and spelling mistakes we often associate with phishing attacks are nowhere to be seen. The formatting is pretty much exactly the same as the original, and throughout the entire operation, users might easily be fooled into believing that they really are about to log into their Microsoft accounts. What's more, once they enter their login credentials, they are redirected to a genuine report from a global consulting firm, which could make everything even more believable. This is not the only thing that makes this attack stand out from the rest.

The phishers used Google's cloud services extensively

The first PDF the victims saw was hosted on Google Drive. The SharePoint-impersonating page it linked to had also been uploaded to Google's cloud hosting services, and so was the malicious login form itself.

Obviously, seeing a Microsoft login page hosted on infrastructure owned by Google is not normal, but the scammers knew that few users pay close attention to the address bar when they're entering their login credentials. They also knew that those who do are less likely to become suspicious if they see a domain they recognize.

By using Google's services, the phishers also managed to avoid close scrutiny both from automated tools and from system administrators monitoring the employees' activities. All in all, the use of Google's cloud made the attack much more likely to succeed.

The attack was organized by a group of seasoned phishers

The level of sophistication demonstrated by the phishers shouldn't be that surprising considering how much experience they have. Shortly after discovering the attack, the researchers notified Google, and the malicious pages were taken down. Before they went offline, however, Check Point's experts combed through the source code and noticed that although the pages were hosted on Google's cloud, the majority of the resources were loaded from prvtsmtp[.]com, an external domain.

The domain was pointing to a Ukrainian server that has been used in quite a few phishing campaigns. First, it hosted the malicious pages itself, and it was later a part of the infrastructure during attacks that utilized Microsoft's Azure cloud services.
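The two traits described above, a Microsoft-style sign-in form served from a host that is not a Microsoft login domain, and a phishing page that pulls most of its resources from the external domain prvtsmtp[.]com, are both things a web proxy or browser telemetry pipeline can check for. The script below is an added example, not code from Check Point or from the article, that triages constructed page-load records for exactly those two traits. The trusted-host list, the tenant's own SharePoint and federation hostnames (given as `.invalid` placeholders), the `storage.googleapis.com` sample URL and all the sample records are assumptions for illustration; the article does not name the exact Google hosting endpoint.

```python
"""
Added example: triage proxy-style page-load records for two traits of the
campaign described on this page. Constructed data throughout.
"""
from dataclasses import dataclass, field
from urllib.parse import urlparse

# Hosts a genuine Microsoft or tenant sign-in form is expected to come from.
# Assumption: the two .invalid entries stand in for an organisation's own
# SharePoint and federated sign-in hosts and must be tuned per tenant.
TRUSTED_LOGIN_HOSTS = {
    "login.microsoftonline.com",
    "login.live.com",
    "sharepoint.example-corp.invalid",  # placeholder for the tenant's SharePoint
    "adfs.example-corp.invalid",        # placeholder for a federated sign-in host
}

# Domain the write-up names as serving most of the phishing pages' resources
# (given there as prvtsmtp[.]com; the defanging bracket is removed so it matches).
WATCHLIST_DOMAINS = {"prvtsmtp.com"}

# Title fragments that suggest a Microsoft-branded sign-in prompt.
BRAND_MARKERS = ("sign in to your account", "office 365", "sharepoint", "microsoft")


@dataclass
class PageLoad:
    """One page the proxy saw, with the resources it pulled in."""
    url: str
    title: str
    has_password_field: bool
    resource_urls: list = field(default_factory=list)


def host_of(url: str) -> str:
    return (urlparse(url).hostname or "").lower()


def host_in(host: str, domains) -> bool:
    """True when host equals one of the domains or is a subdomain of it."""
    return any(host == d or host.endswith("." + d) for d in domains)


def looks_like_microsoft_login(page: PageLoad) -> bool:
    title = page.title.lower()
    return page.has_password_field and any(m in title for m in BRAND_MARKERS)


def watchlisted_resources(page: PageLoad) -> list:
    return [u for u in page.resource_urls if host_in(host_of(u), WATCHLIST_DOMAINS)]


def triage(page: PageLoad) -> list:
    """Return (finding_kind, detail) pairs for one page load; empty means clean."""
    findings = []
    host = host_of(page.url)
    if looks_like_microsoft_login(page) and not host_in(host, TRUSTED_LOGIN_HOSTS):
        findings.append(("brand-impersonation",
                         f"Microsoft-style sign-in form served from {host}"))
    for res in watchlisted_resources(page):
        findings.append(("watchlist-resource", res))
    return findings


def triage_all(pages) -> dict:
    return {p.url: triage(p) for p in pages}


# Constructed sample records. Only prvtsmtp.com comes from the write-up; the
# other hosts and paths are illustrative.
SAMPLE_PAGES = [
    PageLoad(url="https://login.microsoftonline.com/common/oauth2/v2.0/authorize",
             title="Sign in to your account", has_password_field=True,
             resource_urls=["https://login.microsoftonline.com/static/app.js"]),
    PageLoad(url="https://storage.googleapis.com/example-bucket/sharepoint/index.html",
             title="Sign in to your account - SharePoint", has_password_field=True,
             resource_urls=["https://prvtsmtp.com/assets/login.css",
                            "https://prvtsmtp.com/submit.php"]),
    PageLoad(url="https://drive.google.com/file/d/EXAMPLE-ID/view",
             title="Q1 report.pdf - Google Drive", has_password_field=False,
             resource_urls=["https://drive.google.com/static/viewer.js"]),
    PageLoad(url="https://sharepoint.example-corp.invalid/sites/finance",
             title="Sign in - SharePoint", has_password_field=True,
             resource_urls=["https://sharepoint.example-corp.invalid/app.js"]),
]

if __name__ == "__main__":
    for url, findings in triage_all(SAMPLE_PAGES).items():
        print("FLAG" if findings else "ok  ", url)
        for kind, detail in findings:
            print("       ", kind, detail)
```

The fourth sample record shows the main tuning point: a genuine on-premises or tenant SharePoint sign-in page carries the same branding, so the trusted-host list has to include the organisation's own identity hosts or every legitimate login will be flagged. Subdomain matching in `host_in` is deliberate for the watch list, while the trusted list is matched the same way so that a lookalike such as `login.microsoftonline.com.example-bucket.test` is not trusted by accident.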

Check Point's researchers helped put an end to the attack they discovered in January, but they are unlikely to stop the experienced group of phishers who stand behind it for good. Only time will tell what the cybercriminals' next move will be. In the meantime, employees the world over need to be especially careful where and when they enter their login credentials.

July 22, 2020
