The Datto Threat Research Unit recently analyzed a new phishing technique that our MSP partners should be aware of. While this type of attack has already been out in the wild, it was previously not detected as a phishing attempt. This technique includes two key elements that, together, make it almost impossible for most security solutions to detect: The attack leverages Adobe InDesign hosting reputation and the malicious link is hidden in an iframe. Now confirmed as a phishing attempt, we can report this technique for the first time and hopefully prevent any future attack attempts.

The Attack

Similar to many other phishing attacks aiming to harvest Microsoft users' credentials, this attack is sent via email. The email lures the user to click a link in order to access a shared document, which then leads to a legitimate InDesign webpage hosted on indd.adobe.com. Here are a couple of examples for such pages:

In the screenshots above, the "Open Document" and "View PDF Online" buttons include the link to a phishing site that asks for the victim's Microsoft credentials in order to access the document, which looks like this:

Unlike the first indd.adobe.com page which the attackers can keep online for many days since it doesn't raise suspicion, this URL has to change frequently as it is hosted in a less reputable domain and can be identified as a phishing webpage.

The Attackers' Technique

To evade email security solutions, the attackers took advantage of the legitimate Adobe InDesign platform:

  1. The indd.adobe.com domain is a trusted public domain. Many reputation-based security solutions would not scan URLs driving to this domain or would scan it and conclude that it's safe, because the indd.adobe.com URL is legitimate, doesn't indicate anything suspicious, and doesn't ask for credentials. Hosting phishing webpages in trusted public domains like GoogleDrive, SharePoint, OneDrive and Dropbox is a known trick. However, this is the first time this is done leveraging the InDesign domain.
  2. The webpage is designed using InDesign which has some specific characteristics that were leveraged by the bad actors in order to evade security solutions. The most important feature is the fact that links are hidden in iframes instead of being tagged as links. Most phishing detection engines are built to scan URLs in html (where URLs are tagged as links), and therefore do not identify the links in these malicious InDesign webpages.
  3. Another advantage of using the InDesign platform is its various design capabilities for social engineering, helping the attackers to make it look as they wish (as real as possible) and fool victims.
  4. On top of that, the attackers didn't include the malicious URL (the ones asking for user credentials) in the email itself, but rather used the indd.adobe.com page as an intermediate URL that looks safe to email security solutions.
How to Get Protected

Phishing scams constantly become more sophisticated and use increasingly advanced evasion techniques. In this case, the attackers leveraged the InDesign platform threefold - as a trusted host, as a design platform, and in order to hide the actual malicious URL from scanners. The combination of these tactics is what makes it different from other attacks and what allows it to evade many email security solutions.

Unfortunately, this makes the lives of both the organizations aiming to protect their employees and assets, and the security vendors that help them do so, much more difficult. In order to protect from such threats, as well as other emerging phishing techniques, organizations need to make sure they use advanced threat protection on top of their basic email security - a security solution that can protect from any phishing attack and technique, even the ones that are not yet known or commonly used.

This is where Datto SaaS Defense can help. SaaS Defense - Datto's advanced threat protection for the Microsoft 365 suite - protects against phishing, ransomware, and other types of malware. SaaS Defense's unique data-independent technology detects unknown phishing threats at first encounter regardless of past attacks or the domain reputation. It does not rely on third-party software, signatures, or malware reports.

While most security solutions need a lot of care and feeding to operate efficiently, SaaS Defense works differently. Other solutions need to first see the threat out in the wild to understand how it operates before the solution can adapt to stop it, SaaS Defense takes a different approach by looking through each application in Microsoft 365. How is that application supposed to operate? What is the definition of good and safe code paths? To treat those conditions as the known good state. If we ever see anything operating outside of that state - whether it be a potentially malicious link, or any other code execution outside of the norm. We identify that threat and block it to prevent it from getting to the end user. The result? It works to protect you, our partners, whether it is known or unknown and you don't need to do all of the care, feeding, and management that you need to do with traditional solutions.

To see the SaaS Defense solution in action and to learn how it can help you protect your clients' from the most sophisticated and malicious cyber threats, please set up a demo with one of our representatives.

Attachments

  • Original Link
  • Original Document
  • Permalink

Disclaimer

Datto Holding Corp. published this content on 27 January 2022 and is solely responsible for the information contained therein. Distributed by Public, unedited and unaltered, on 27 January 2022 16:37:15 UTC.