Netskope Threat Protection recently detected an interesting PDF decoy hosted in Google Drive. The PDF decoy was impersonating a law firm in Denver, CO. The PDF decoy linked to an Office 365 phishing page hosted in Azure blob storage. As the phishing bait is hosted in Azure blob storage, it has a Microsoft-issued domain and SSL certificate. The combination of the Microsoft domain, certificate, and content make this bait particularly convincing and difficult to recognize as phishing. In this post, we provide detailed analyses of the PDF decoy and phishing site. Along the way, we identify similar phishing sites hosted in Azure blob storage. We conclude with some recommendations to help protect you and your organization from falling victim to similar phishing campaigns.
Netskope Detections
Netskope Threat Protection detects the PDF decoys described in this post as PDF_PHISH.Gen1
Disclosure
The phishing sites we discovered were reported to Microsoft on 17 September 2018.
Delivery
The PDF decoys traditionally arrive as email attachments to victims. They are crafted to conta