Dropbox Used to Steal Credentials and Bypass MFA in Novel Phishing Campaign

Security company Darktrace shared details around a new phishing campaign leveraging legitimate Dropbox infrastructure to bypass multi-factor authentication (MFA). Darktrace notes in their report that while it is common for attackers to exploit the trust of users by mimicking common services, this campaign took things a step further and actually used the legitimate cloud storage platform.

On January 25, 2024, a Darktrace customer received emails from no-reply@dropbox[.]com, a legitimate email address used by Dropbox. The email contained a link leading the user to a PDF file hosted on Dropbox, which was named after a partner organization of the victim. This PDF file contained a suspicious link to a domain that had never previously been seen on the customer’s environment, named “mmv-security[.]top.”

Because there is “very little to distinguish” a malicious email from a benign automated email sent by a legitimate service, abusing such services can be an effective technique for evading security tools. Users may also be more likely to click links that come from legitimate sources.

On January 29, 2024, four days later, a user received another email from the legitimate no-reply@dropbox[.]com address, reminding them to open the previously shared PDF file. Although the message was moved to the user’s junk folder, the employee went on to open the suspicious email and follow the link to the PDF file. The internal device connected to the malicious domain mmv-security[.]top a few days later.

The link provided in the PDF led to a fake Microsoft 365 login page, which was designed to steal credentials.

On January 31, 2024, Darktrace observed several suspicious SaaS logins from multiple unusual locations that had never previously accessed the account. On February 1, logins were associated with ExpressVPN, indicating that the threat actors used a virtual private network (VPN) to mask their real location.

These logins appeared to use a valid MFA token, suggesting the attackers had successfully bypassed the organization’s MFA policy. The researchers believe that, once their credentials had been compromised, the employee may have unknowingly approved an MFA authentication request on their own device.

“By using valid tokens and meeting the necessary MFA requirements, threat actors are often able to remain undetected by traditional security tools that view MFA as the silver bullet,” the researchers wrote. Despite the attackers bypassing MFA with legitimate credentials, the organization’s security team was still alerted to the suspicious activity after unexpected behavior was identified on the SaaS accounts.

Security Officer Comments:
The researchers say these latest TTPs highlight the growing exploitation of legitimate popular services to trick users into downloading malware and providing login credentials. MFA continues to be a problem for cybercriminals, and this report shows their continued success at finding ways to evade standard security protocols including email detection tools and MFA. Impersonating trusted organizations like Microsoft and Dropbox is an effective way to socially engineer targets.

Most concerningly, MFA, which has been the silver bullet against phishing attacks, is no longer the last line of defense against cyber-attackers, as they are increasingly finding ways to bypass it. That being said, MFA is still an essential part of account security wherever usernames and passwords are required, and should be implemented wherever possible.

Suggested Corrections:
In response to such targeted and sophisticated phishing attacks, organizations must prioritize comprehensive security measures. This includes continuous employee training to recognize phishing attempts, robust email security solutions capable of detecting evolving threats, and enhanced monitoring of user activities to swiftly identify anomalous behavior.
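The kind of monitoring described above, as an added example that is not Darktrace's code or the report's own detection logic: the script builds a per-account baseline of (country, ISP) pairs from historical sign-ins, then flags logins from never-before-seen locations, raises the reason list when the ISP is a known VPN provider (ExpressVPN in the report), and escalates further when an MFA-satisfied login follows the user's first contact with a newly seen external domain. The sign-in and web-proxy events, the ISP labels and the cutoff date are all constructed for illustration.

```python
"""Flag SaaS sign-ins from locations an account has never used, as in the
Dropbox/M365 case: new country or ISP, VPN provider, and MFA success shortly
after the user first reached an unknown domain. Constructed sample data."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sign-in events (not from the report); an IdP or proxy log
# would normally supply the ISP/ASN label and the MFA result.
SIGNINS = [
    {"user": "alice", "ts": "2024-01-10T09:00:00", "country": "US", "isp": "Corp ISP", "mfa": True},
    {"user": "alice", "ts": "2024-01-20T08:30:00", "country": "US", "isp": "Corp ISP", "mfa": True},
    {"user": "bob",   "ts": "2024-01-12T09:10:00", "country": "US", "isp": "Corp ISP", "mfa": True},
    {"user": "alice", "ts": "2024-01-31T03:12:00", "country": "NG", "isp": "Unknown Hosting", "mfa": True},
    {"user": "bob",   "ts": "2024-01-31T10:00:00", "country": "US", "isp": "Corp ISP", "mfa": True},
    {"user": "alice", "ts": "2024-02-01T04:40:00", "country": "DE", "isp": "ExpressVPN", "mfa": True},
]
# Constructed web-proxy "first time this device reached this domain" events.
FIRST_CONTACT = [
    {"user": "alice", "ts": "2024-01-29T14:05:00", "domain": "mmv-security[.]top"},
]
VPN_PROVIDERS = {"ExpressVPN", "NordVPN"}  # ISP labels treated as anonymising


def detect(signins, first_contact, baseline_until, lookback_days=7):
    """Return one alert per sign-in from a (country, isp) pair the account had
    not used before. Sign-ins before `baseline_until` only train the baseline.
    Reasons: new_location, vpn_provider, mfa_after_new_domain."""
    cutoff = datetime.fromisoformat(baseline_until)
    seen = defaultdict(set)        # user -> {(country, isp)} in time order
    contacts = defaultdict(list)   # user -> [datetime of first-contact events]
    for ev in first_contact:
        contacts[ev["user"]].append(datetime.fromisoformat(ev["ts"]))
    alerts = []
    for ev in sorted(signins, key=lambda e: e["ts"]):   # ISO strings sort by time
        t, key = datetime.fromisoformat(ev["ts"]), (ev["country"], ev["isp"])
        if t >= cutoff and key not in seen[ev["user"]]:
            reasons = ["new_location"]
            if ev["isp"] in VPN_PROVIDERS:
                reasons.append("vpn_provider")
            window = timedelta(days=lookback_days)
            recent = [c for c in contacts[ev["user"]] if timedelta(0) <= t - c <= window]
            if ev["mfa"] and recent:           # valid MFA right after a new domain
                reasons.append("mfa_after_new_domain")
            alerts.append({"user": ev["user"], "ts": ev["ts"], "reasons": reasons})
        seen[ev["user"]].add(key)
    return alerts


if __name__ == "__main__":
    for a in detect(SIGNINS, FIRST_CONTACT, "2024-01-25T00:00:00"):
        print(a)
```

Bob's January 31 sign-in matches his baseline and produces nothing, while both of Alice's post-compromise logins are flagged even though each presented a valid MFA token.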