Use of Legitimate Services Flashcards
In this lesson we will cover how attackers can utilize legitimate services to conduct phishing campaigns, and why this can often be a very effective tactic, working to avoid defenses put in place by security teams.
Email Delivery
Phishers will make use of legitimate services such as free email providers, to bypass defensive measures that can be implemented by defenders. Whilst we will go into detail about email blocking in the Defensive Measures section of this domain, organizations will typically not block webmail domains, such as:
@gmail.com
@outlook.com
@hotmail.co.uk
This is because, whilst a good amount of phishing emails will come from these domains (because anyone can create a free account and send mail), employees will likely use these domains to send messages to, or receive them from the organization’s domain with out-of-hours queries such as contact with HR for on-boarding or off-boarding, payroll queries, or communicating with customers.
This can happen with malicious actors taking advantage of email marketing services that allow emails to be sent to huge audiences, such as MailGun and MailChimp. This can be an effective tactic as organizations will typically not block the sending IP addresses of email marketing companies as the organization will likely receive legitimate emails from these services.
File Hosting
Malicious actors can also host malicious files, typically Microsoft Office Word and Excel documents with malicious macros, on free platforms such as Dropbox, One Drive, and Google Drive, and then send links to download these files in phishing emails. Anyone can register for these services in a matter of minutes, and including a hyperlink in an email to a domain that people recognize is likely to be much more effective than a domain that no one has heard of before. Let’s look at an example below.
Google Drive and Google Docs have security controls in place, so attackers can’t simply upload blatantly malicious scripts or executable files (.exe). Utilizing Google Drive, attackers can upload Microsoft Word or other documents that include malicious macros that will download malicious software to the system. With Google Docs a typical technique is to create a styled document that contains a hyperlink to a malicious page, instead of including it in the original email which can be easily detected by email security controls.
