Dropbox / SharePoint / Publuu Phishing
How do most phishing emails appear? Perhaps a legitimate-looking email from someone in your contacts list asking you, in broken English, to open an attached PDF? Or an email from what appears to be a reputable source, such as services@Microsoft.com, except that the "r" has been replaced with the Cyrillic letter ghe (г), which looks almost identical in most fonts (services@Micгosoft.com), and you click the link in the message without noticing. The trick of the past was to lead victims to popular cloud-based services like Dropbox or SharePoint and hope that an unwary user opened the malicious file hosted there. That form of attack is still in play, but digital document publishing ("DDP") sites are now at the forefront of phishing and malware distribution.
Within the span of twenty minutes, I received two emails from two different entities, both of which I work adjacent to or whose names I see tangentially associated with my line of work. Each purported to contain a link within Publuu, a legitimate service used to publish PDFs as periodicals, a sort of digital magazine. Why Publuu? Its domain has a good reputation, so links to it pass ad-blockers and firewalls without resistance. Much like the services named in the preceding paragraph, it is unlikely to prompt most email providers to route the malicious message to spam or otherwise make the potential victim jump through hoops to reach it. Conversely, mail from ProtonMail accounts is often routed to spam or blocked at the firewall because of that service's history of use by attackers.
I haven't sandboxed any of the links yet; however, according to The Hacker News, the link ultimately routes to a fake Microsoft 365 login page where the unwary will enter their credentials. Anything typed into that page is captured, allowing the attacker to log into the real account and extract whatever personal information it holds, including any stored payment details. Alternatively, the link may lead to an attacker-controlled site that prompts a download of an executable, or tries to run one, as soon as the page loads.
Receiving one of these phishing emails from an address in your contacts list suggests that someone in the sender's organization has already fallen for the same lure and that their mailbox, and with it their contact list, is now under the attacker's control; no malware on the organization's servers is required, stolen credentials are enough. The alternative, in which an attacker clones the organization's DDP presence and infrastructure and then painstakingly researches the local businesses and contacts linked to the copy-cat business in order to mail them, is far more laborious, so the former is much more likely. The message headers will usually tell you which it is: mail sent from a compromised account passes SPF and DKIM checks for the sender's real domain, whereas a spoofed or look-alike sender will not.
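As an added illustration, not part of the original post, the following Python script performs the checks a practitioner would run on such a message before picking up the phone: it flags non-ASCII look-alike characters in the From address (the Cyrillic "г" trick from the opening paragraph), compares the From domain with the Return-Path and the DKIM signing domain recorded in the Authentication-Results header, and extracts links to document-hosting sites. The two sample messages, the domains in them and the list of document-hosting hosts are constructed for this example. A message that authenticates cleanly from a known domain and still carries a DDP link is reported as a likely compromised mailbox, which is the scenario the paragraph above argues is the more common one.

```python
"""Triage a raw e-mail for a look-alike sender and a document-hosting lure."""
import email
import re
import unicodedata
from email.utils import parseaddr

# Hosts treated as document-hosting lures. This list is an assumption made for
# the example; in practice it is built from your own gateway telemetry.
DOC_HOSTS = {"publuu.com", "dropbox.com", "sharepoint.com"}
URL_RE = re.compile(r"https?://[^\s<>\"']+")

# Constructed sample 1: clean SPF/DKIM/DMARC from a partner's real domain,
# which is what mail sent from a compromised mailbox looks like.
SAMPLE_COMPROMISED = """\
Return-Path: <j.doe@partnerfirm.example>
Authentication-Results: mx.example.net; spf=pass smtp.mailfrom=partnerfirm.example;
 dkim=pass header.d=partnerfirm.example; dmarc=pass
From: "Jane Doe" <j.doe@partnerfirm.example>
Subject: Updated statement
Content-Type: text/plain; charset=utf-8

Please review the document: https://publuu.com/flip-book/EXAMPLE
"""

# Constructed sample 2: the look-alike address from the opening paragraph, with
# the "r" replaced by CYRILLIC SMALL LETTER GHE, and failed authentication.
SAMPLE_LOOKALIKE = """\
Return-Path: <bounce@mailer-service.example>
Authentication-Results: mx.example.net; spf=fail smtp.mailfrom=mailer-service.example; dkim=none; dmarc=fail
From: "Microsoft Services" <services@Micгosoft.com>
Subject: Your document is ready
Content-Type: text/plain; charset=utf-8

Open your statement at https://publuu.com/flip-book/EXAMPLE before it expires.
"""


def suspicious_chars(address):
    """[(char, unicode_name)] for every non-ASCII character in an address.
    A Latin-script address should contain none, so one hit is a strong signal."""
    return [(c, unicodedata.name(c, "UNKNOWN")) for c in address if ord(c) > 127]


def parse_auth_results(value):
    """Extract spf/dkim/dmarc verdicts and the DKIM signing domain (header.d)
    from an Authentication-Results header after unfolding it."""
    value = re.sub(r"\s+", " ", value or "")
    out = {}
    for method in ("spf", "dkim", "dmarc"):
        m = re.search(rf"\b{method}=(\w+)", value)
        out[method] = m.group(1) if m else "none"
    m = re.search(r"header\.d=([\w.-]+)", value)
    out["dkim_domain"] = m.group(1).lower() if m else None
    return out


def domain_of(address):
    return address.rsplit("@", 1)[-1].lower() if "@" in address else ""


def host_of(url):
    return re.match(r"https?://([^/:?#]+)", url).group(1).lower()


def is_doc_host(host):
    return any(host == h or host.endswith("." + h) for h in DOC_HOSTS)


def triage(raw):
    """Parse one message and return the indicators found."""
    msg = email.message_from_string(raw)
    _, from_addr = parseaddr(msg.get("From", ""))
    _, return_path = parseaddr(msg.get("Return-Path", ""))
    # Trust only the Authentication-Results stamped by your own gateway; an
    # attacker can insert a forged one further down the header block.
    auth = parse_auth_results(msg.get("Authentication-Results", ""))
    from_dom = domain_of(from_addr)
    body = msg.get_payload()  # samples are single-part text/plain
    doc_links = [u for u in URL_RE.findall(body) if is_doc_host(host_of(u))]

    findings = []
    if suspicious_chars(from_addr):
        findings.append("lookalike_sender")
    dkim_dom = auth["dkim_domain"]
    if (return_path and domain_of(return_path) != from_dom) or (dkim_dom and dkim_dom != from_dom):
        findings.append("envelope_mismatch")
    if auth["spf"] != "pass" or auth["dkim"] != "pass":
        findings.append("unauthenticated")
    if doc_links:
        findings.append("doc_hosting_link")
    # Fully authenticated mail from the sender's real domain that still carries
    # a document-hosting lure points at a compromised mailbox, not a spoof.
    if findings == ["doc_hosting_link"]:
        findings.append("likely_compromised_sender")
    return {"from": from_addr, "auth": auth, "doc_links": doc_links, "findings": findings}


if __name__ == "__main__":
    for name, raw in (("compromised", SAMPLE_COMPROMISED), ("lookalike", SAMPLE_LOOKALIKE)):
        result = triage(raw)
        print(name, result["from"], result["findings"], suspicious_chars(result["from"]))
```

Run it as a script to see both verdicts, or call `triage()` on a message saved as .eml. Note that the script reads whatever Authentication-Results header is present; on a real mailbox, restrict it to the header added by your own receiving MTA (it is identified by your gateway's hostname at the start of the value), since a sender can add a forged one.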
If you get an email from an organization linking to a DDP page, call the sender, using a number you already have rather than one from the email, and confirm its authenticity before opening it. Notify your IT team, or at least run a basic audit of your systems and accounts to ensure no unintended guests are on your network.