- Malicious message volume from Microsoft and Google cloud services exceeded that of any botnet in 2020.
- Threat actors targeted 95% of organisations with cloud account compromise attempts in 2020.
Organisations worldwide have adopted cloud collaboration tools in record numbers—and attackers have quickly followed. In recent months we have observed acceleration in threat actors abusing Microsoft and Google’s popular infrastructure to host and send threats across Office 365, Azure, OneDrive, SharePoint, G-Suite and Firebase storage.
Last year, 59,809,708 malicious messages from Microsoft Office 365 targeted thousands of our customers. And more than 90 million malicious messages were sent or hosted by Google, with 27 per cent sent through Gmail, the world’s most popular email platform.
In the first quarter of 2021, we observed seven million malicious messages from Microsoft Office 365 and 45 million malicious messages from Google infrastructure, which far exceed per quarter Google-based attacks in 2020.
The malicious message volume from these trusted cloud services exceeded that of any botnet in 2020, and the trusted reputation of these domains, including outlook.com and sharepoint.com, increases the difficulty of detection for defenders.
This authenticity perception is essential, as email recently regained its status as the top vector for ransomware and threat actors increasingly leverage the supply chain and partner ecosystem to compromise accounts, steal credentials, and siphon funds. We recently released supply chain findings that 98 per cent of nearly 3,000 monitored organizations across the US, UK, and Australia, received a threat from a supplier domain over a seven-day window in February 2021.
Given the level of access that can be granted from a single account, over the last year threat actors targeted 95 per cent of organisations with cloud account compromise attempts, and more than half have experienced at least one compromise. Of those compromised, over 30 per cent experienced post-access activity including file manipulation, email forwarding, and OAuth activity.
If stolen, threat actors can leverage credentials to log into systems as imposters, move laterally across multiple cloud services and hybrid environments, and send convincing emails cloaked as a real employee, orchestrating potential financial and data loss.
Microsoft and Google phishing examples
There is a round-up of recent phishing campaigns that demonstrate how threat actors use Microsoft and Google to convince users to act. For example, the following credential phishing attempt features a Microsoft SharePoint URL claiming to host a corporate policy and Covid-19 guidelines document.
The document contains a link leading to a fake Microsoft authentication page designed to harvest user credentials. This low volume campaign involved approximately 5,000 messages targeting users in transportation, manufacturing, and business services.
An additional example of a recent fake video conferencing credential phishing campaign featured the “.onmicrosoft.com” domain name. The messages contain a URL that leads to a fake webmail authentication page designed to harvest user credentials. This low volume campaign involved approximately 10,000 messages focused on manufacturing, technology, and financial services users.
A March 2021 Gmail-hosted campaign featured a fake employee benefits message and Microsoft Excel attachment targeting manufacturing, technology, and media/entertainment organisations. If macros are enabled, it will install and run The Trick, a trojan that intercepts and logs banking website visits to steal credentials.
In February 2021, we also observed a very low volume Xorist ransomware campaign from a Gmail-hosted email address. It attempts to trick accounting recipients into access password-protected zipped MS Word documents. These documents contain macros which, if enabled, drop the ransomware.
Our research clearly demonstrates that attackers are using both Microsoft and Google infrastructure to disseminate malicious messages and target people as they leverage popular cloud collaboration tools. When coupled with heightened ransomware, supply chain, and cloud account compromise, advanced people-centric email protection must remain a top priority for security leaders.
- Ryan Kalember is the Executive Vice-President of cybersecurity strategy for Proofpoint.