Cybercriminals use popular cloud communication tools to host and send millions of malicious messages

May 21, 2021 02:41 GMT

In the first quarter of 2021, cybercriminals sent 52 million malicious messages using storage services such as Office 365, Azure, OneDrive, SharePoint, G-Suite, and Firebase.  

During the pandemic, cybercriminals have been capitalizing on the rapid transition to cloud-based business services by concealing their email phishing scams behind ubiquitous, trusted services from Microsoft and Google.

Proofpoint security researchers discovered 7 million malicious emails sent from Microsoft 365 and a staggering 45 million sent from Google's infrastructure in the first three months of 2021 alone. They also said that cybercriminals used Office 365, Azure, OneDrive, SharePoint, G-Suite, and Firebase storage to send phishing emails and host attacks.

The report says, “The malicious message volume from these trusted cloud services exceeded that of any botnet in 2020, and the trusted reputation of these domains, including outlook.com and sharepoint.com, increases the difficulty of detection for defenders”.

95% of organizations were targeted for cloud phishing

Since a single account breach could potentially provide widespread access, Proofpoint estimated that 95% of organizations were targeted for cloud account compromise, and more than half of those were successful. Furthermore, more than 30% of the organizations that were compromised “experienced post-access activity including file manipulation, email forwarding and OAuth activity”.

Once attackers have credentials, they can quickly switch in and out of a variety of services to send more persuasive phishing emails.

Proofpoint offered many examples of campaigns that tried to trick users into giving up their details or delivering malware while hiding behind Microsoft and Google.

According to the Proofpoint team, one message included a Microsoft SharePoint URL that purported to lead the recipient to a document detailing COVID-19 guidelines. This malicious message was sent to 5,000 recipients in the transportation, manufacturing, and business services industries.

Sharepoint Phishing

Another recent fraudulent video conferencing credential phishing campaign used the .onmicrosoft.com domain name. The messages include a URL that redirects to a fake webmail authentication page designed to steal user credentials. This low-volume campaign consisted of approximately 10,000 messages aimed at consumers of manufacturing, technology, and financial services.

Zoom Phishing

Proofpoint research clearly shows that attackers are using popular cloud communication tools to disseminate malicious messages and target people using both Microsoft and Google infrastructure. With ransomware, supply chain attacks, and cloud account breaches also on the increase, advanced people-centric email protection must continue to be a top priority for security leaders.
