Hackers Exploiting Popular Document Publishing Sites for Phishing Attacks

Threat actors are exploiting various digital document publishing (DDP) platforms to conduct phishing, credential theft, and session token hijacking. Cisco Talos researchers highlighted this trend, noting that using DDP sites increases phishing success rates because of their positive reputation, their absence from web filters, and users' familiarity with them.

Unlike earlier methods that relied on cloud services, attackers are now turning to DDP sites to host phishing documents, aiming to bypass email security measures. These platforms let PDF files be shared as interactive flipbooks with animations and other effects. Adversaries abuse the free tiers or trial periods of DDP services to create multiple accounts and share malicious content. DDP sites also automatically remove content after a set period, which makes the activity harder to trace. Productivity features such as Publuu’s integration hinder the extraction and detection of links in phishing emails.

Analyst Comments:
In these attacks, threat actors embed links to DDP-hosted documents in emails, leading victims to fake Microsoft 365 login pages that steal their credentials. Researchers warn that DDP sites pose a challenge to defenders because they are less well known and evade email and web content filters, giving attackers an advantage in phishing campaigns.

Suggested Corrections:
Researchers at Cisco Talos have published recommendations to defend against phishing attacks that leverage DDP sites:

  • Block common DDP sites via border security devices, endpoint detection and response (EDR) like Cisco Secure Endpoint, web content filtering, and/or DNS security controls if access to these sites is not required for normal business operations. If blocking these sites will disrupt normal operations, develop a procedure to ensure malicious domains identified in DDP-hosted phishing lures can be quickly blocked.
  • Configure email security controls to detect and alert on links in emails containing common DDP site URLs.
  • Leverage threat intelligence to quickly identify newly created sites related to known threats – in this case, new DDP sites that may be leveraged by threat actors.
  • Monitor for behavioral trends within the organization’s internal environment that could indicate coordinated malicious activity, including activity to blocked sites.
  • Update user security awareness training to include information about DDP sites and other cloud-hosted phishing attack methods. Reinforce a “see something, say something” mentality when users are uncertain about a site’s legitimacy.
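A minimal form of the email-link check from the second recommendation above, as an added example that is not from the Talos report or this page. The DDP domain list and the sample messages are constructed; publuu.com is assumed from the page’s mention of Publuu, the other domains are placeholders.

```python
import re
from urllib.parse import urlsplit

# Assumed DDP domain list maintained by the defender: publuu.com is taken from the
# page's mention of Publuu; the other entries are constructed placeholders.
DDP_DOMAINS = {"publuu.com", "flipbook-host.example", "ddp-platform.example"}

# Crude URL extractor: adequate for plain-text bodies and href="..." attributes.
URL_RE = re.compile(r"""https?://[^\s<>"']+""", re.IGNORECASE)


def is_ddp_host(host, ddp_domains=DDP_DOMAINS):
    """True if host is a listed DDP domain or one of its subdomains."""
    # Comparing the parsed hostname (not a substring of the URL) means lookalikes
    # such as notpubluu.com or publuu.com.evil.example are not flagged.
    host = host.lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in ddp_domains)


def find_ddp_links(body, ddp_domains=DDP_DOMAINS):
    """Return the URLs in an email body whose hostname is a known DDP site."""
    hits = []
    for url in URL_RE.findall(body):
        url = url.rstrip(".,;)")          # drop trailing punctuation the regex swallowed
        host = urlsplit(url).hostname     # None for malformed URLs
        if host and is_ddp_host(host, ddp_domains):
            hits.append(url)
    return hits


def triage(messages, ddp_domains=DDP_DOMAINS):
    """One alert record per message that carries at least one DDP-hosted link."""
    alerts = []
    for msg in messages:
        links = find_ddp_links(msg["body"], ddp_domains)
        if links:
            alerts.append({"id": msg["id"], "sender": msg["from"], "links": links})
    return alerts


# Constructed sample messages (not real captures).
SAMPLE_MESSAGES = [
    {"id": "m1", "from": "billing@vendor.example",
     "body": "Your invoice is ready: https://files.publuu.com/flipbook/123/view."},
    {"id": "m2", "from": "hr@corp.example",
     "body": 'Handbook: <a href="https://intranet.corp.example/handbook.pdf">here</a>'},
    {"id": "m3", "from": "noreply@notpubluu.com",
     "body": "See https://notpubluu.com/doc and https://publuu.com.evil.example/x"},
]

if __name__ == "__main__":
    for alert in triage(SAMPLE_MESSAGES):
        print(alert)
```

Only the first sample message produces an alert; the lookalike hosts in the third are deliberately left unflagged so that a separate lookalike-domain rule can handle them without polluting this one.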

End users can also support defenders by remaining vigilant for documents shared over unusual or uncommon sites, even if those sites are legitimate and have a favorable reputation, and by following their organization’s guidelines for reporting suspicious emails.