Netskope Threat Labs publishes a monthly summary blog post of the top threats we are tracking on the Netskope platform. The purpose of this post is to provide strategic, actionable intelligence on active threats against enterprise users worldwide.
Summary
- Attackers continue to attempt to fly under the radar by using cloud apps to deliver malware, with 51% of all malware downloads in July originating from 155 cloud apps.
- Microsoft Live Outlook users were targeted with a widespread phishing campaign containing a PDF attachment that urged victims to update their Amazon billing details.
- The RagnarLocker and Rhysidia ransomware were among the top malware families detected on the Netskope platform in August.
Cloud Malware Delivery
Attackers attempt to fly under the radar by delivering malicious content via popular cloud apps. Abusing cloud apps for malware delivery enables attackers to evade security controls that rely primarily on domain block lists and URL filtering, or that do not inspect cloud traffic. In August 2023, 51% of all HTTP/HTTPS malware downloads originated from popular cloud apps, decreasing from July but still above its six month low of 49%.
The total number of cloud apps from which malware downloads originated also fell slightly, with malware downloads originating from 155 distinct cloud apps.
Attackers achieve the most success reaching enterprise users when they abuse cloud apps that are already popular in the enterprise. Microsoft OneDrive, the most popular enterprise cloud app, has held the top spot for the most cloud malware downloads for more than six months. For four straight months, the percentage of cloud malware downloads originating from Microsoft OneDrive had fallen, but appears to have stabilized at 23% in August. Malware downloads from Microsoft Live Outlook increased significantly in August, propelling it into the second place spot for the first time. Otherwise, the top ten apps remained largely unchanged and included free software hosting sites (GitHub), collaboration apps (SharePoint), free web hosting services (Weebly), cloud storage apps (Azure Blob Storage, Google Drive, Amazon S3), webmail apps (Outlook.com), and document sharing apps (DocPlayer). In total, the top ten accounted for two-thirds of all cloud malware downloads, with the remaining one-third spread over 145 other cloud apps. The top ten list is a reflection of attacker tactics, user behavior, and company policy.
The Rise of Microsoft Live Outlook
The sudden increase in malware downloads from Microsoft Live Outlook in August was caused primarily by a phishing campaign that began mid-month and continued through the end of the month. The attacker sent emails with a single-page PDF attachment that urged victims to re-enter their Amazon billing information. The attacker used a common social engineering technique, creating a false sense of urgency, by claiming the account was on hold and violating Amazon’s ToS. The attacker specifically targeted personal Microsoft Live Outlook accounts (not organizational Outlook.com email accounts). The effect of this widespread campaign is also visible in the next section as a rise in the number of malicious PDFs detected on the Netskope platform. The following is a screenshot of the PDF.
Top Malware File Types
Malicious PDF files continued to rise for the fourth consecutive month, claiming the top spot for the second consecutive month. This month’s increase was caused largely by the aforementioned phishing campaign targeting Microsoft Live Outlook users. Malicious EXE files edged out ZIP files for the second spot, while the rest of the top malicious file types remained largely unchanged from last month.
Top Malware Families
Attackers are constantly creating