The Week in Breach: 3 Phishing Threats Right Under Every Employee’s Nose

These 3 Phishing Threats Lurk Where You Least Expect Them

Phishing is the number one data breach risk and a plague on businesses. Every day, employees are inundated with dangerous messages, and some are harder for employees to spot than others, opening their employers up to trouble if a tricky message slips through. 97% of employees are unable to detect a sophisticated phishing message. Cybercriminals are more than happy to press their advantage by crafting sophisticated messages that can easily slip under an employee’s radar like these 3 threats.

Consent Phishing

An alternative to credential phishing (the more common type of phishing) is consent phishing. In a consent phishing scenario instead of attackers aiming to capture passwords with phishing login pages and other ruses, the bad guys utilize another tool: OAuth permissions. They use those requests to lure victims into a false sense of security because it isn’t an expected phishing tool. Bad actors send requests to their victims, and when the victims accept, the bad actor is granted access tokens that give the attacker account data from connected apps. In this scenario, sign-in is handled by an identity provider, like Microsoft or Google, rather than the end-user. That gives the bad guys an advantage: despite lacking a password, they can still take action to enable future cyberattacks on the victim by doing things like do setting a rule to forward emails from a target to an attacker-controlled email account.

Microsoft sounded the alarm on Twitter this week to warn businesses that a consent phishing scam is making the rounds. In the thread, Microsoft cautions that Office 365 customers are receiving phishing emails that aim to trick them into giving OAuth permissions to a sham app. When they do, the attackers can read and write emails on the victim’s account. Microsoft Security Intelligence disclosed that the malicious app is named “Upgrade”. When installed, it asks users to grant it OAuth permissions that would allow attackers to create inbox rules, read and write emails and calendar items and the victim’s contacts. The company said that hundreds of O365 customers have been sent the initial phishing message. Earlier this year, Microsoft noted in its blog that consent phishing emails or “illicit consent grants” that abuse OAuth requests have steadily increased in the last few years.

Reconnaissance Attacks/Bait Phishing

Reconnaissance attacks or bait phishing is another sophisticated threat that is currently making the rounds. A reconnaissance attack is heavily based on social engineering. In this scenario, the attackers attempt to bypass security by creating a highly believable message. Employees (and security solutions) are on the lookout for the common signs of a phishing message like bad grammar or misspellings. But bait phishing messages are carefully crafted to avoid those red flags. The aim of these phishing messages is to lure the recipient into a false sense of security that will entice them to click a link or download a file by establishing a dialogue.

Bait phishing usually starts with a friendly, unobjectionable message that serves two purposes for the bad guys: testing and/or penetrating the intended recipient’s email security defenses and verifying that the email address is in active use. The initial message is usually devoid of malicious links or files. It also doesn’t solicit any action from the recipient beyond a response. The goal with the initial message is to start a conversation with a potential target to lull them into believing that the bad guys are on the level and determine which potential targets are likely to interact with future messages.

If the target responds to the first message it’s game on for the bad guys. They can start phishing in earnest. Further messages to the target capitalize on the attacker’s initial toehold by going after the victim’s credentials, transmitting malicious links or passing along unsafe attachments. Lately, the messages in this version of phishing have been originating from Gmail – 91% of cybercriminals engaged in bait phishing utilize Gmail, leveraging the fact that Gmail is a very common source for messages and it’s highly unlikely that their fresh Gmail addresses will ping immediate alarms or be on anyone’s blacklist.

Hidden Danger Phishing Schemes

Many employees have become more aware of phishing, and they’ve learned to use caution in the places where the bad guys commonly set their traps. Security awareness training works, and employees who have been trained know to be wary of clicking strange links or interacting with unexpected messages, even on social media. So the bad guys have had to get creative. In another hard-to-detect phishing scenario, bad actors take advantage of the collaborative nature of today’s workspaces to sneak malicious links into places that employees may not be expecting them, like the comments section of a Google Doc.

To kick off their phishing operation, a bad actor creates a seemingly harmless Google Doc. That bad actor then adds their victim to the document by @ commenting them in the comments feature. When the cybercriminal takes that action, the victim is automatically sent an email with a link to the Google Docs file. The email that the target receives displays the entire contents of the comment, including the bad link and other enticing text added by the attacker. This scenario is so insidious because the victim never even has to interact with or open the document to be served the malicious link; it’s right there in the notification email, presented in a way that is likely to neatly bypass security. The same process can be used to kick off a phishing operation with most Google Workspace documents, giving bad actors plenty of choices and chances to lure in an unwary employee.

This phishing variant is practically tailor-made for companies that use Google Workspace in the course of everyday business, and it’s likely to be especially effective against remote workers and at large companies. The malicious message doesn’t contain the creator’s full email address, just their username. A savvy bad actor might even choose a username that would seem personally appealing and harmless to the recipient, like a colleague or family member’s name if they were focusing tightly on a particular target. It also capitalizes on both social engineering and the commonality of employees receiving and handling routine notifications every day. Employees constantly receive alerts that they’ve been mentioned in a comment on a document, making these dangerous messages a very slick way to phish.

This risk started gaining traction in late 2021 and kept picking up steam through the year’s end, prompting IT experts to put out warnings that this threat was becoming increasingly serious. By year’s end, that prediction came to fruition. Businesses have been faced with a wave of attacks that abused these commonly used productivity features included in Google Docs to send their employees potentially malicious content opening them up to danger.

These and Other Phishing Risks Deliver Danger to User Inboxes Daily

With risks like these around every corner, it’s easy to see why every company needs to make a powerful defense against phishing a top priority to avoid joining the ranks of the 60% of businesses that fold in the wake of a cyberattack.

Dark Web ID’s Top Threats This Week