InQuest Labs analyzed a credential phishing campaign targeting a municipal government, tracing the chain from a compromised sender account to cloud-hosted phishing infrastructure. The attacker used the Raven document-sharing service and Microsoft Azure blob storage to lure victims with a fake invoice and a login form, exfiltrating submitted credentials via an AJAX request to a remote server.
Keypoints
- The email arrived from a compromised sender account associated with the municipality’s county health agency.
- The lure is a payment invoice with subjects like “Payment” and “Due Payment.”
- The HTML email links to a PDF on Raven (app.raven[.]com), described as a “Free, secure and robust cloud-based document management.”
- The PDF acts as a click-based redirector to a remote URL hosting a phishing form, a fake Microsoft account login page on Azure blob storage.
- Credential submission is exfiltrated via an AJAX request to a remote site hosted on a compromised server.
- The campaign uses multiple cloud hosting providers (Azure, Raven, Backblaze B2) to host phishing content and dropzones, illustrating abuse of public cloud storage infrastructure.
- Mitigation emphasizes MFA (hardware keys, FIDO2, authenticator apps) and retroactive hunting for indicators and infrastructure.
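The retroactive hunt mentioned in the last point, as an added example (not InQuest's code): a Python sweep of web proxy logs for the report's own indicators, plus a triage heuristic for Azure blob storage accounts the organisation has not reviewed. The proxy log format, the allowlist and the sample log lines are constructed assumptions.

```python
import re
from urllib.parse import urlsplit
# Defanged indicators quoted from the report above; refanged only for matching.
DEFANGED_URLS = [
    "https://app.raven[.]com/share/3WNY9XHYL9J5T5JTE4XXA9353MN3HO",
    "https://app.raven[.]com/share/4VA9U6YITENWUM7PO2N7KYW7TLM6KC",
    "https://zumatrip[.]com/wp-includes/widgets/F1.php",
    "https://formspree[.]io/f/xlekbzvj",
    "https://fredericchaix[.]com/controllers/admin/RV.php",
]
DEFANGED_DOMAINS = ["emmwppe.blob.core.windows[.]net", "vlpvoovi.blob.core.windows[.]net"]
def refang(ioc: str) -> str:
    # Turn "example[.]com" back into "example.com" so it can be compared with log data.
    return ioc.replace("[.]", ".")

IOC_URLS = {refang(u) for u in DEFANGED_URLS}
IOC_HOSTS = {refang(d) for d in DEFANGED_DOMAINS} | {urlsplit(u).hostname for u in IOC_URLS}

# Hypothetical proxy log format (an assumption): "<timestamp> <client_ip> <method> <url> <status>"
LOG_RE = re.compile(r"^(?P<ts>\S+) (?P<src>\S+) (?P<method>[A-Z]+) (?P<url>\S+) (?P<status>\d{3})$")

def hunt(log_lines, known_good_blob_accounts=frozenset()):
    """One record per suspicious request: exact IoC matches first, then any Azure blob
    storage account the organisation has not reviewed (a triage lead, not a verdict)."""
    hits = []
    for line in log_lines:
        m = LOG_RE.match(line.strip())
        if not m:
            continue  # unparseable line; a production hunt would count these
        url = m["url"]
        host = (urlsplit(url).hostname or "").lower()
        if url in IOC_URLS:
            reason = "known-ioc-url"
        elif host in IOC_HOSTS:
            reason = "known-ioc-host"
        elif host.endswith(".blob.core.windows.net") and host.split(".")[0] not in known_good_blob_accounts:
            reason = "unreviewed-azure-blob-account"
        else:
            continue
        hits.append({"src": m["src"], "method": m["method"], "url": url, "reason": reason})
    return hits

# Constructed sample log (not from the report) showing lure PDF -> blob-hosted form -> dropzone POST.
SAMPLE_LOG = """\
2024-03-01T09:00:01Z 10.1.2.3 GET https://app.raven.com/share/3WNY9XHYL9J5T5JTE4XXA9353MN3HO 200
2024-03-01T09:00:07Z 10.1.2.3 GET https://emmwppe.blob.core.windows.net/site/index.html 200
2024-03-01T09:00:31Z 10.1.2.3 POST https://zumatrip.com/wp-includes/widgets/F1.php 200
2024-03-01T09:05:00Z 10.1.2.9 GET https://corpfiles.blob.core.windows.net/docs/policy.pdf 200
2024-03-01T09:06:00Z 10.1.2.9 GET https://www.example.com/ 200
""".splitlines()
```

Calling `hunt(SAMPLE_LOG, known_good_blob_accounts={"corpfiles"})` returns the three requests in the attack chain and skips the allowlisted storage account; without the allowlist the unreviewed account is returned as a fourth, lower-confidence lead.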
MITRE Techniques
- [T1566.003] Spearphishing via Service – The email arrived from a compromised sender account. “The sender organization in the observed samples is the municipality’s county health agency.”
- [T1566.002] Phishing: Spearphishing Link – The HTML email contains a URL pointing to a PDF document stored on Raven (app.raven[.]com), an online service described as “Free, secure and robust cloud-based document management.”
- [T1583] Acquire Infrastructure – Most of the phishing pages are hosted on Azure blob storage, and at least one is hosted on Backblaze B2, illustrating a continued trend of abusing public cloud storage for malicious file hosting infrastructure.
- [T1056.003] Input Capture: Credentials in Web Forms – The phishing page hosts a Microsoft account credential phishing page that collects user inputs. (Figure caption: “The Microsoft account credential phishing page.”)
- [T1041] Exfiltration Over Web Service – Upon supplying credentials to the login form, data is exfiltrated via an AJAX request to a remote site that appears to be hosted on a compromised web server.
Indicators of Compromise
- [URL] PDF storage – https://app.raven[.]com/share/3WNY9XHYL9J5T5JTE4XXA9353MN3HO, https://app.raven[.]com/share/4VA9U6YITENWUM7PO2N7KYW7TLM6KC and 2 more items
- [Domain] Phishing content hosting – emmwppe.blob.core.windows[.]net, vlpvoovi.blob.core.windows[.]net and 8 more items
- [URL] Dropzones – https://zumatrip[.]com/wp-includes/widgets/F1.php, https://formspree[.]io/f/xlekbzvj, https://fredericchaix[.]com/controllers/admin/RV.php
- [Hash] PDFs – cb2549146b9ccfead42672e9d48e515c6234eb81f9f0448f3cf52974dd4045f8, f41004462113ddf751d15b4aa81b2808b7730f0e6f51449f0d958aa2a88fbe73