Recently published research reveals a growing trend in which attackers use both Microsoft and Google cloud infrastructure to target users of popular cloud tools and send them harmful messages.
During the COVID-19 pandemic, many threat actors have shifted their attention to the trusted cloud-based services the two tech giants offer, aiming to conceal numerous phishing scams by making them appear legitimate.
Researchers detected that from January to March this year alone, nearly 7 million malicious emails were sent from Microsoft 365 and nearly 45 million from Google's infrastructure. According to the published information, fraudsters have been actively using tools like Office 365, Azure, OneDrive, SharePoint, G Suite, and Firebase storage to send phishing emails and host various attacks.
A shocking finding of the report is that the volume of malicious messages passed through these trusted cloud services significantly exceeded that of all botnets in 2020.
The use of popular domains like outlook.com and sharepoint.com makes detection harder. Meanwhile, email has recently regained its status as the leading vector for ransomware distribution, with attackers getting quite crafty at creating convincing phishing messages.
Researchers detected a number of instances in which Microsoft and Google cloud services were used to distribute phishing campaigns, all of them attempting to trick users into entering their personal information or downloading malware.
Many of the lures used COVID-19 as bait, posing as important guidelines or documents related to the pandemic, the researchers report.
In another example of an effective credential-stealing campaign, fraudsters distributed a video conference credential collection email hidden behind the "onmicrosoft.com" domain name.
In a new malicious campaign that started in March, attackers used Gmail to host another attack, which distributed a Microsoft Excel attachment that delivered the Trick Banking Trojan once macros were enabled.
Xorist ransomware has also been distributed since February through a Gmail-hosted campaign in a similar fashion: a zipped MS Word attachment, which required the victim to enter a password to unlock it, delivered the threat the moment macros were enabled.
The exploitation of Gmail and Microsoft by attackers to give their emails a veneer of validity is part of a growing trend that points to one thing: threat actors are using more persuasive lures than ever before.