Demo Request
Take a personalized product tour with a member of our team to see how we can help make your existing security teams and tools more effective within minutes.
Thank you! Your submission has been received!
Oops! Something went wrong while submitting the form.
Home
Blog
Same Tricks, Different Methods – Phishing Via SaaS!

Same Tricks, Different Methods – Phishing Via SaaS!

Oz Wasserman
May 10, 2023
4 min read

For many years, phishing has been one of the top attack vectors on the security team’s mind. According to APWG, the second quarter of 2022 alone had 1,097,811 total phishing attacks observed, a new record and the worst quarter for phishing that APWG has ever seen. As attacks grow in number, so does their sophistication. Adversaries are crafting better messages, going through deeper investigations to craft more targeted attacks, and using phishing kits to spread these attacks across organizations. It would appear fraudsters and cybercriminals behind the various tactics to fool and deceive never rest and now are looking to exploit SaaS based tools.  Reco and its customers have observed a new phishing method that goes beyond email and goes directly into SaaS collaboration tools, finding new and crafty ways to evade traditional phishing solutions.

As is common, most phishing attacks are delivered through email. This is because cyber criminals know this has been the main communication medium for companies to transfer information in and out of the organizations for decades. Because of that, most vendors that detect phishing attacks focus on email while using techniques such as URL and attachment scanning to try and find malicious attachments or links. Some vendors might also look at behavioral patterns on the sender and recipients of the email in order to try and see whether communication patterns via email are normal or abnormal. However, the phishing technique we are now observing within  Reco’s platform and verified by customers is going beyond email and instead goes straight through SaaS collaboration tools.

File sharing applications such as Onedrive, Google drive and Box allow for sharing within their tools, easily opening up the possibility for a total stranger to the organization to share a file with an employee. The way this new phishing scheme works is as follow:

  • Someone outside of the organization creates a file in one of the file sharing applications, makes it look as legitimate as possible for the targeted sender
  • Within the file sharing application, the person clicks share and choses the individual they want to target
  • The file sharing platform allows for a comment to ensure the person can personalize the information sent so it looks even more legitimate
  • Once the external person sends the file, the recipient from the organization targeted receives the file with the comment from the external user
  • When the recipient opens the file, the link to the phishing page can be embedded waiting to be clicked on or the malware is directly embedded via macro code

What is interesting about this method, is that it can get into the organization in various ways, depending on the settings of the organization’s file sharing tools. First, these file sharing services are at times sending automatic emails to employees letting them know that a file was shared with them, while including the personalized sharing message in the email. The From address of the email for Gmail users is actually drive-shares-dm-noreply@google.com making it look like a legitimate email address.

In addition to that, at some organizations we currently work with, there are Slack integrations with these file sharing tools, and every single time a file is shared via google drive, the user that the file is shared with receives a notification with the personalized message and the file itself. When the notification comes through within Slack, the instant messaging nature creates the notion that communication there is trusted and legit and thus users be even more likely to open the file.

We decided to try this form of phishing out for ourselves and leveraged the pattern of communication used by most organizations today to see what it looks like. We mimicked the communication between an external person with a private gmail account to our head of product marketing at Reco. You can see in this example that the file is being communicated as a marketing communication budget plan, and that the external user wrote a personalized message to direct the recipient to go into the link within the file and open other marketing budget plans, where the external user can apply the phishing technique with a fake login page. It is definitely worth mentioning that at times, even just opening the file can execute a macro function on the excel spreadsheet and install malware on the victim’s computer, all while evading traditional security tools and using the file sharing legit communication patterns to gain credibility with the victim.

The email that was received after the file was shared with the employee at Reco, pay attention to the from address (google.com) and the personalized message that was sent via the file sharing platform.

The notification received via Slack when the private gmail address shared the file with our employee at Reco.

The file sent to Reco with the phishing link in it (see the reference to phishing.com in the picture) .

As mentioned this type of activity is also being seen first hand by some of our customers; “We see an increase in attempts to phish our employees, while using new and interesting techniques through Google docs” says Xin Chen from the security team at Homelight. “We at Homelight have a Slack integration with our Google drive to enhance collaboration between teams, but in this case it notifies the user about the file shared and increases the risk of our employees opening these files from external attackers. We are happy to have a tool like Reco to help us address this issue”

At Reco, we built a data security detection engine with advanced analytics that allows us to quickly surface abnormal events that are happening with files that are shared in and out of the organization. Leveraging our contextual graph, we are able to see who has shared which files with the recipient before, and clearly see that the user outside of the organization that uses a private gmail account is not one of them. As a result, Reco will raise a high risk level finding and provides the security team with a remediation workflow based on their needs: either restrict the access to the file from anyone in the organization, or even allowing the security team to gain access to this file to look at its legitimacy once its shared from a never seen external email address.

In the example below, you can see the document shared with our head of product marketing (IC-Marketing-Communication-Budget-Plan-11037.xlsx), including who shared it, when was it shared, and whether the user is authenticated by Google. At Reco, we take the information from Google and correlate it within our contextual graph to see whether we have seen that user before, and how frequent is he communicating with the organization.

The raw information of files shared with our head of product marketing.

In order for your organization to protect their data and secure themselves from such phishing attacks, we suggest implementing a solution like Reco to help prevent SaaS data attacks from happening and to also have settings in place to reduce risk

  • First, ensure admins configure warning messages on external users via Gmail (or use this link if you are using Microsoft 365). This will alert users to treat any external information sharing with caution
  • Ensure you can detect and remediate file sharing attempts, even if they come directly from the file sharing tools themselves

Contact us to learn how a SaaS security solution can help you defend against malicious file sharing.

ABOUT THE AUTHOR

Oz Wasserman

Technical Review by:
Gal Nakash
Technical Review by:
Oz Wasserman

Request a demo
Table of Contents
Overview
Get the Latest SaaS Security Insights
Subscribe to receive weekly updates, the latest attacks, and new trends in SaaS Security
Thank you! Your submission has been received!
Oops! Something went wrong while submitting the form.

Explore Related Posts

SaaS Security
5 min

UiPath Leverages Reco for Data Exposure Management and Automation

Andrea Bailiff-Gush
April 25, 2024
Global software automation leader UiPath simplified SaaS data exposure and access management by sending alerts to Microsoft Sentinel of publicly exposed data located in shared Drives with the help of Reco.
SaaS Security
5 mins

How to Prepare Your Business for Microsoft Copilot

Dr. Tal Shapira
April 22, 2024
Learn how to prepare your business for Microsoft Copilot. Discover Copilot’s functionalities and capabilities but also its potential risks and challenges. Learn about the advantages of using Microsoft Copilot for your business and follow the best practices for secure deployment.
SSPM
5 mins

Navigating the New Frontier of AI Governance: Insights from Digital World Conference Summit

Dr. Tal Shapira
April 18, 2024
Organizations are looking to generative AI (GenAI) governance as the technology's risks and opportunities continue to emerge. Learn from the world's leading AI experts about security industry priorities around AI safety and governance in our recap of the Digital World Conference Summit.
See more articles from our blog