2024-10-17

A Growing Trend of BEC Attacks Misusing Legitimate File Sharing Platforms

Level: Tactical | Source: Microsoft | Global


Since mid-April 2024, Microsoft has reported a rise in business email compromise (BEC) campaigns that abuse legitimate file hosting services like SharePoint, OneDrive, and Dropbox. These attacks notably use files with restricted access and view-only permissions to target specific users and evade detection. By leveraging trusted, legitimate sites, attackers lower suspicion and bypass traditional security barriers. Microsoft identifies these attacks as particularly dangerous because the emails are legitimate file-sharing notifications, rather than typical phishing attempts, disrupting the usual phishing infection flow. These tactics lure victims into re-authenticating, increasing the attackers' chances of capturing user credentials and obtaining a fresh session token for abuse. "While these campaigns are generic and opportunistic in nature, they involve sophisticated techniques to perform social engineering, evade detection, and expand threat actor reach to other accounts and tenants," Microsoft warns.

As detailed by Microsoft, the attack chain begins when a threat actor compromises a trusted user from a legitimate vendor, often through a password spray or adversary-in-the-middle (AiTM) attack. Once they obtain access to the compromised user’s file hosting app, the attacker replays a stolen token to log in. The next step involves creating a malicious file and sharing it with targeted recipients via email. The file is sent with access restrictions, and the targeted user receives a legitimate-looking notification prompting them to authenticate before accessing the file. "This email is not a phishing email but a notification for the user about the sharing action," Microsoft notes. The recipient is then led to an AiTM page where they are asked to re-enter their credentials and MFA information, which the attacker captures, securing the user's session token.

With access to session tokens and credentials, the attacker can continue their campaign, using the compromised user’s file hosting app to further distribute malicious files or launch additional BEC attacks. These campaigns not only result in credential theft and BEC attacks but can also lead to lateral movement within networks, potentially compromising endpoints and causing further damage. Microsoft reports a broad range of impact, including financial fraud, data exfiltration, and the expansion of the campaign into other accounts. Microsoft warns that these attacks not only compromise individual accounts but can also result in broader breaches across multiple accounts and tenants. To defend against these attacks, Microsoft advises organizations to implement measures such as multi-factor authentication (MFA), continuous access evaluation, and Conditional Access policies that detect suspicious sign-ins and prevent unauthorized access.
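As an added example (not code from Microsoft or Anvilogic), the following heuristic targets the token replay step in the chain above: the same session identifier presented from two different source IPs within a short window is a candidate for a stolen token being replayed. The sign-in event fields and values are constructed for illustration and do not match any particular product's log schema.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample sign-in events (not real telemetry). A vendor user's
# session token first appears from their usual network, then is presented
# again from a different country four minutes later (replay pattern).
SIGN_INS = [
    {"time": "2024-04-16T09:00:00", "user": "vendor.user@example.test",
     "session_id": "sess-A1", "ip": "198.51.100.10", "country": "US"},
    {"time": "2024-04-16T09:04:00", "user": "vendor.user@example.test",
     "session_id": "sess-A1", "ip": "203.0.113.77", "country": "NL"},
    {"time": "2024-04-16T10:00:00", "user": "other.user@example.test",
     "session_id": "sess-B2", "ip": "198.51.100.11", "country": "US"},
    {"time": "2024-04-17T10:00:00", "user": "other.user@example.test",
     "session_id": "sess-B2", "ip": "198.51.100.11", "country": "US"},
]


def find_token_replays(events, window=timedelta(hours=1)):
    """Return findings where one (user, session_id) pair is used from two
    different source IPs within `window`. A legitimate user rarely changes
    network and country that quickly, so each hit is a candidate replayed
    session token worth revoking sessions for and investigating."""
    by_session = defaultdict(list)
    for e in events:
        by_session[(e["user"], e["session_id"])].append(
            (datetime.fromisoformat(e["time"]), e["ip"], e["country"]))
    findings = []
    for (user, sid), uses in by_session.items():
        uses.sort()  # chronological order so consecutive pairs are compared
        for (t1, ip1, c1), (t2, ip2, c2) in zip(uses, uses[1:]):
            if ip1 != ip2 and t2 - t1 <= window:
                findings.append({"user": user, "session_id": sid,
                                 "from_ip": ip1, "to_ip": ip2,
                                 "country_change": c1 != c2,
                                 "minutes": (t2 - t1).total_seconds() / 60})
    return findings


if __name__ == "__main__":
    for finding in find_token_replays(SIGN_INS):
        print(finding)
```

Over the constructed events this flags only the vendor user's session: the second user's token is reused from the same IP and a day apart, so it falls outside the window.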
