Netskope Threat Protection recently detected an interesting PDF decoy hosted in Google Drive. The PDF decoy was impersonating a law firm in Denver, CO. The PDF decoy linked to an Office 365 phishing page hosted in Azure blob storage. As the phishing bait is hosted in Azure blob storage, it has a Microsoft-issued domain and SSL certificate. The combination of the Microsoft domain, certificate, and content make this bait particularly convincing and difficult to recognize as phishing. In this post, we provide detailed analyses of the PDF decoy and phishing site. Along the way, we identify similar phishing sites hosted in Azure blob storage. We conclude with some recommendations to help protect you and your organization from falling victim to similar phishing campaigns.
Netskope Detections
Netskope Threat Protection detects the PDF decoys described in this post as PDF_PHISH.Gen1
Disclosure
The phishing sites we discovered were reported to Microsoft on 17 September 2018.
Delivery
The PDF decoys traditionally arrive as email attachments to victims. They are crafted to contain legitimate content and come from legitimate sources. Often, attachments are saved to cloud storage services, like Google Drive. Sharing these documents with other users can result in the occurrence of a secondary propagation vector like the CloudPhishing Fan-out Effect. In this case, the document originally arrived in an email and was saved to Google Drive, where Netskope Advanced Threat Protection detected the file and prevented potential credential loss or fan-out.
Analysis of the PDF decoy
The PDF decoy impersonates a law practice based out of Denver and was named “Scanned Document… Please Review.pdf”. The PDF contains a link to download the actual PDF, shown in Figure 1.
Figure 1: Message displayed on execution of the PDF
Upon clicking the “Download PDF” hyperlink, the victim is presented with a message that the document is trying to connect to an Azure blob storage URL https://onedriveunbound80343[.]blob.core.windows.net as shown in Figure 2.
Figure 2: PDF decoy connecting to https://onedriveunbound80343[.]blob.core.windows.net
The phishing web page presented to the victim after clicking the hyperlink is shown in Figure 3.
Figure 3: Phishing web page displayed to the victim
This phishing webpage is hosted in Azure blob storage. As a result, it has a valid Microsoft-issued SSL certificate and is hosted on a Microsoft-owned domain, as shown in Figure 4.
Figure 4: Phishing webpage hosted in Azure blob storage
At face value, seeing a Microsoft domain and a Microsoft-issued SSL certificate, on a site asking for Office 365 credentials is pretty strong evidence that the site is legitimate, and are likely enough to convince a user to enter their credentials. Upon clicking continue, the victim’s credentials are uploaded to https://searchurl[.]bid/livelogins2017/finish40.php as shown in Figure 5.
Figure 5: Victims credentials uploaded to https://searchurl[.]bid/livelogins2017/finish4.php
The victim is then directed to another phishing page hosted in blob storage https://onedriveunbound80343[.]blob.core.windows.net/exceltyrantship68694/excel-login-2.html through the referer https://searchurl[.]bid/livelogins2017/finish40.php.
Figure 6: Redirection to another phishing page
The phishing page displays a message that the email or password is invalid. This message displayed is not a result of validating the credentials, but instead hard-coded as shown in Figure 7.
Figure 7: Phished page displays a message that the email or password is invalid
Upon entering the details again, the victim’s credentials are again sent to https://searchurl[.]bid/livelogins2017/finish4.php as shown in Figure 8.
Figure 8: Victims credentials uploaded to https://searchurl[.]bid/livelogins2017/finish4.php
The victim is then shown a series of redirects to several landing pages posing to download the secured document as shown in Figure 9.