Netskope Threat Protection recently detected an interesting PDF decoy hosted in Google Drive. The PDF decoy was impersonating a law firm in Denver, CO. The PDF decoy linked to an Office 365 phishing page hosted in Azure blob storage. As the phishing bait is hosted in Azure blob storage, it has a Microsoft-issued domain and SSL certificate. The combination of the Microsoft domain, certificate, and content make this bait particularly convincing and difficult to recognize as phishing. In this post, we provide detailed analyses of the PDF decoy and phishing site. Along the way, we identify similar phishing sites hosted in Azure blob storage. We conclude with some recommendations to help protect you and your organization from falling victim to similar phishing campaigns.
Netskope Detections
Netskope Threat Protection detects the PDF decoys described in this post as PDF_PHISH.Gen1
Disclosure
The phishing sites we discovered were reported to Microsoft on 17 September 2018.
Delivery
The PDF decoys traditionally arrive as email attachments to victims. They are crafted to contain legitimate content and come from legitimate sources. Often, attachments are saved to cloud storage services, like Google Drive. Sharing these documents with other users can result in the occurrence of a secondary propagation vector like the CloudPhishing Fan-out Effect. In this case, the document originally arrived in an email and was saved to Google Drive, where Netskope Advanced Threat Protection detected the file and prevented potential credential loss or fan-out.
Analysis of the PDF decoy
The PDF decoy impersonates a law practice based out of Denver and was named “Scanned Document… Please Review.pdf”. The PDF contains a link to download the actual PDF, shown in Figure 1.
Figure 1: Message displayed on execution of the PDF
Upon clicking the “Download PDF” hyperlink, the victim is presented with a message that the document is trying to connect to an Azure blob storage URL https://onedriveunbound80343[.]blob.core.windows.net as shown in Figure 2.
Figure 2: PDF decoy connecting to https://onedriveunbound80343[.]blob.core.windows.net
The phishing web page presented to the victim after clicking the hyperlink is shown in Figure 3.
Figure 3: Phishing web page displayed to the victim
This phishing webpage is hosted in Azure blob storage. As a result, it has a valid Microsoft-issued SSL certificate and is hosted on a Microsoft-owned domain, as shown in Figure 4.