Legitimate Services, Malicious Intentions: Getting the Drop on Phishing Attacks Abusing Dropbox | Darktrace Blog

Darktrace detected and blocked a Dropbox-hosted phishing campaign in which a PDF linked to a credential-harvesting site (mmv-security[.]top) that presented a fake Microsoft 365 login page to steal credentials. The attack led to successful account takeover activity (unusual logins, MFA bypass, and creation of Outlook rules) before the customer’s team took the account offline.

Key points

  • Phishing emails were sent from a legitimate Dropbox address containing a PDF that linked to mmv-security[.]top, a credential-harvesting site.
  • Darktrace/Email initially held the malicious messages, later moved reminders to junk and applied link-locking to prevent clicks.
  • An employee eventually opened the PDF and visited mmv-security[.]top, which hosted a fake Microsoft 365 login page used to harvest credentials.
  • Compromised Microsoft 365 credentials were used from unusual IPs (including VPN-associated addresses), indicating account takeover and possible MFA approval bypass.
  • The attacker created an Outlook email rule to hide messages from the accounts team and used the compromised account to send follow-up phishing emails internally.
  • Darktrace/Apps and Darktrace/Network detected unusual SaaS logins and device connections; RESPOND was not enabled for autonomous containment in this case.

MITRE Techniques

  • [T1078.004] Cloud Accounts – Used to access and persist in the compromised Microsoft 365 account; ‘Further investigation into this suspicious domain revealed that it led to a fake Microsoft 365 login page, designed to harvest the credentials of legitimate SaaS account holders.’
  • [T1538] Cloud Service Dashboard – Listed in the original MITRE mapping; the compromised account gave the attacker access to the Microsoft 365 cloud service.
  • [T1586] Compromise Accounts – Harvested credentials were used to compromise SaaS accounts and send additional malicious emails; listed under Resource Development.
  • [T1539] Steal Web Session Cookie – Session and credential harvesting was used to obtain access to SaaS sessions; listed under Credential Access.
  • [T1137] Outlook Rules – The actor created a new Outlook rule to move emails from the accounts team into ‘Conversation History’ to evade detection; ‘creating a new email rule on the compromised Outlook account.’
  • [T1566.002] Spearphishing Link – The campaign used a malicious link embedded in a Dropbox-hosted PDF to redirect users to the credential harvester; ‘The email itself contained a link that would lead a user to a PDF file hosted on Dropbox.’

Indicators of Compromise

  • [Domain] credential-harvesting endpoint – mmv-security[.]top (fake Microsoft 365 login)
  • [IP Address] unusual login endpoints – 73.95.165[.]113, 194.32.120[.]40, 185.192.70[.]239, 87.117.225[.]155
  • [Email Sender] legitimate-looking sender used for phishing delivery – no-reply@dropbox[.]com (used to deliver the malicious PDF link)

On January 25, 2024, employees received emails from no-reply@dropbox[.]com containing a Dropbox-hosted PDF that embedded a link to mmv-security[.]top. Although the Dropbox sender and hosting were legitimate, the PDF redirected users to a credential-harvesting page impersonating Microsoft 365. Darktrace/Email initially held the messages, later junked reminder emails and applied link-locking to block direct access to the malicious domain, but one user still opened the PDF and followed the link.

Network and SaaS monitoring then showed the internal device connecting to mmv-security[.]top, followed by the stolen credentials being used to log in to Microsoft 365 from multiple unusual IPs (some tied to ExpressVPN and HMA). This indicated attacker use of VPNs and successful circumvention of MFA, most likely through a user-approved verification prompt or disclosure of the token. The attacker then created an Outlook rule to move emails from the accounts team into Conversation History and used the compromised account to send updated phishing emails (with subjects such as “Incorrect contract” and “Requires Urgent Review”) to propagate the campaign internally.

Darktrace/Apps and Darktrace/Network flagged the anomalous logins and activities (multiple unusual external sources, unusual MFA authentication, a new email rule), enabling the customer’s security team to take the account offline. Autonomous RESPOND actions were not enabled in this incident; had RESPOND been active, it could have logged out and disabled the suspicious actor immediately upon detection.
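Two of the signals above (logins from several previously unseen IPs, and an inbox rule that diverts a specific sender's mail into a folder the user rarely reads) can be checked from audit data without vendor tooling. The following is an added example, not Darktrace's or Microsoft's code; the records are constructed and only loosely shaped like Microsoft 365 unified audit log entries, and the per-user IP baseline, user names and folder list are hypothetical.

```python
# Added example: flag account-takeover signals from the incident above over
# constructed, simplified audit records (not real Microsoft 365 log schema).
from collections import defaultdict

# Constructed sample records. The unknown IPs are the ones listed in the IoC
# section; 203.0.113.10 stands in for a known office address.
EVENTS = [
    {"Operation": "UserLoggedIn", "UserId": "finance@example.com", "ClientIP": "203.0.113.10"},
    {"Operation": "UserLoggedIn", "UserId": "finance@example.com", "ClientIP": "73.95.165.113"},
    {"Operation": "UserLoggedIn", "UserId": "finance@example.com", "ClientIP": "194.32.120.40"},
    {"Operation": "UserLoggedIn", "UserId": "finance@example.com", "ClientIP": "185.192.70.239"},
    {"Operation": "New-InboxRule", "UserId": "finance@example.com",
     "Parameters": {"From": "accounts@example.com", "MoveToFolder": "Conversation History"}},
    {"Operation": "UserLoggedIn", "UserId": "hr@example.com", "ClientIP": "203.0.113.10"},
    {"Operation": "New-InboxRule", "UserId": "hr@example.com",
     "Parameters": {"From": "newsletter@example.net", "MoveToFolder": "Newsletters"}},
]

# Hypothetical baseline of known-good source IPs per user.
BASELINE = {"finance@example.com": {"203.0.113.10"}, "hr@example.com": {"203.0.113.10"}}

# Folders commonly used by attacker-created rules to hide mail from the user.
HIDING_FOLDERS = {"conversation history", "rss feeds", "deleted items", "archive", "junk email"}


def detect(events, baseline, max_new_ips=2):
    """Return (user, reason) findings: bursts of logins from IPs outside the
    baseline, and inbox rules that divert one sender's mail into a hiding folder."""
    new_ips = defaultdict(set)
    findings = []
    for ev in events:
        user = ev["UserId"]
        if ev["Operation"] == "UserLoggedIn":
            if ev["ClientIP"] not in baseline.get(user, set()):
                new_ips[user].add(ev["ClientIP"])
        elif ev["Operation"] == "New-InboxRule":
            p = ev.get("Parameters", {})
            folder = p.get("MoveToFolder", "").lower()
            if folder in HIDING_FOLDERS and p.get("From"):
                findings.append((user, f"rule hides mail from {p['From']} in '{p['MoveToFolder']}'"))
    for user, ips in new_ips.items():
        if len(ips) >= max_new_ips:
            findings.append((user, f"logins from {len(ips)} unknown IPs: {sorted(ips)}"))
    return findings


if __name__ == "__main__":
    for user, reason in detect(EVENTS, BASELINE):
        print(user, "->", reason)
```

Only the finance account is flagged: the HR rule targets a normal folder and its login comes from a baseline IP, so the check stays quiet on benign rule creation.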

Read more: https://darktrace.com/blog/legitimate-services-malicious-intentions-getting-the-drop-on-phishing-attacks-abusing-dropbox