Darktrace researchers have detailed a sophisticated phishing attack that abused the widely used cloud storage platform Dropbox.
The attack, discovered in January, targeted one of Darktrace's customers through seemingly innocuous emails sent from a legitimate Dropbox address, 'no-reply@dropbox[.]com'. The email contained a link to a PDF file hosted on Dropbox. What caught the researchers' attention was a previously unseen domain, 'mmv-security[.]top', embedded as a link within the PDF file.
Digging deeper, the researchers found that 'mmv-security[.]top' was a newly created endpoint that multiple security vendors had already associated with phishing activity.
Although the email had been moved to the junk folder and subjected to other security measures, an employee in the targeted organization opened it and followed the link to the PDF file. The link inside the PDF caused the employee's device to connect to the malicious 'mmv-security[.]top' endpoint. Further investigation of the domain revealed that it hosted a fake Microsoft 365 login page designed to harvest the credentials of legitimate SaaS account holders, and the employee's SaaS account was compromised as a result.
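The pivot in this case was a link inside a PDF that left the sharing platform for an unrelated domain. The following is an added example, not code from the article or from Darktrace, showing how to pull URI actions out of a PDF and flag hosts that are not the hosting platform itself. The PDF bytes, the trusted-suffix list and the function names are constructed for illustration; real documents usually keep annotations in compressed object streams, which a raw scan like this will not see without inflating them first.

```python
import re
from urllib.parse import urlparse

# Constructed sample: a minimal, uncompressed PDF with two link annotations,
# one pointing back to dropbox.com and one to an unrelated domain. This is an
# illustrative stand-in, not the file from the Darktrace case.
SAMPLE_PDF = b"""%PDF-1.4
1 0 obj << /Type /Catalog /Pages 2 0 R >> endobj
2 0 obj << /Type /Pages /Kids [3 0 R] /Count 1 >> endobj
3 0 obj << /Type /Page /Parent 2 0 R /Annots [4 0 R 5 0 R] >> endobj
4 0 obj << /Type /Annot /Subtype /Link /Rect [0 0 100 20]
   /A << /S /URI /URI (https://www.dropbox.com/help) >> >> endobj
5 0 obj << /Type /Annot /Subtype /Link /Rect [0 30 100 50]
   /A << /S /URI /URI (https://mmv-security.top/login) >> >> endobj
trailer << /Root 1 0 R >>
%%EOF
"""

# Matches the "/URI (...)" value of a URI action. PDF literal strings may
# escape parentheses with a backslash, so the body allows "\)" inside.
URI_RE = re.compile(rb"/URI\s*\(((?:\\.|[^\\)])*)\)", re.DOTALL)


def extract_uris(pdf_bytes: bytes) -> list[str]:
    """Return the distinct URI-action targets found in raw PDF bytes, in order.

    Caveat: only uncompressed objects are scanned. Real-world PDFs usually put
    annotations inside FlateDecode object streams; inflate those first (for
    example with pypdf) or this scan will silently miss them.
    """
    found = []
    for raw in URI_RE.findall(pdf_bytes):
        uri = raw.decode("latin-1")
        # undo the PDF literal-string escapes that matter for a URL
        uri = re.sub(r"\\([()\\])", r"\1", uri)
        if uri not in found:
            found.append(uri)
    return found


def off_platform_hosts(uris, trusted_suffixes=("dropbox.com",)):
    """Hostnames in `uris` that are not the sharing platform itself.

    A link in a Dropbox-hosted document that points back to dropbox.com is
    unremarkable; one that leaves the platform deserves a look. Suffix
    matching is anchored on a label boundary so "dropbox.com.evil.example"
    is not mistaken for a trusted host.
    """
    flagged = []
    for uri in uris:
        host = (urlparse(uri).hostname or "").lower()
        trusted = any(host == s or host.endswith("." + s) for s in trusted_suffixes)
        if host and not trusted and host not in flagged:
            flagged.append(host)
    return flagged


if __name__ == "__main__":
    uris = extract_uris(SAMPLE_PDF)
    print("links in PDF:", uris)
    print("off-platform hosts:", off_platform_hosts(uris))
```

Run against the constructed sample, the Dropbox help link is ignored and only 'mmv-security.top' is reported; the hostname check, not the URL text, is what decides, so a lookalike such as 'dropbox.com.evil.example' is still flagged.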
Subsequent observations uncovered a series of suspicious activities: unauthorized logins to the SaaS account, the use of VPN services to conceal the attacker's location, and the creation of inbox rules to hide malicious activity within the compromised Outlook account.
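The post-compromise pattern described above, a sign-in from an unfamiliar address followed shortly by an inbox rule that hides mail, is one of the more reliable things to hunt for after a credential phish. The following is an added example, not code from the article or from Darktrace, that correlates the two over a handful of constructed audit records. The record layout is a reduced version of what Microsoft 365 unified audit log entries carry (operation, user, client IP, rule parameters); the users, addresses, per-user IP baseline and hiding-folder list are all assumptions for illustration.

```python
from datetime import datetime, timedelta, timezone

# Constructed sample audit records (not real telemetry), reduced to the fields
# needed here. Users, addresses and IPs are illustrative.
EVENTS = [
    {"time": "2024-01-15T09:02:11Z", "user": "alice@corp.example",
     "op": "UserLoggedIn", "ip": "203.0.113.10"},
    {"time": "2024-01-15T10:15:00Z", "user": "bob@corp.example",
     "op": "UserLoggedIn", "ip": "203.0.113.11"},
    # benign rule from a known address: moves newsletters to a visible folder
    {"time": "2024-01-15T10:20:00Z", "user": "bob@corp.example",
     "op": "New-InboxRule",
     "params": {"Name": "Newsletters", "MoveToFolder": "Newsletters"}},
    # sign-in from an address never seen for this user (e.g. a VPN exit) ...
    {"time": "2024-01-15T13:40:05Z", "user": "alice@corp.example",
     "op": "UserLoggedIn", "ip": "198.51.100.77"},
    # ... followed minutes later by a rule that buries security-related mail;
    # attackers often give such rules a one-character name
    {"time": "2024-01-15T13:52:48Z", "user": "alice@corp.example",
     "op": "New-InboxRule",
     "params": {"Name": ".", "MoveToFolder": "RSS Feeds", "MarkAsRead": True,
                "SubjectContainsWords": ["password", "suspicious sign-in"]}},
]

# Source addresses previously observed per user (assumed baseline).
KNOWN_IPS = {
    "alice@corp.example": {"203.0.113.10"},
    "bob@corp.example": {"203.0.113.11"},
}

# Folders attackers route mail into so the victim never notices it.
# Assumed list; tune it to the tenant's conventions.
HIDE_FOLDERS = {"rss feeds", "rss subscriptions", "deleted items", "archive",
                "junk email", "conversation history"}


def parse_time(stamp: str) -> datetime:
    return datetime.strptime(stamp, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def is_hiding_rule(params: dict) -> bool:
    """True if the rule moves mail to a hiding folder, deletes it, or marks it read."""
    folder = str(params.get("MoveToFolder", "")).lower()
    return (folder in HIDE_FOLDERS
            or bool(params.get("DeleteMessage"))
            or bool(params.get("MarkAsRead")))


def find_suspicious_rules(events, known_ips, window=timedelta(hours=24)):
    """Pair each hiding inbox rule with an unfamiliar sign-in by the same user
    inside `window`; returns one finding per such rule."""
    ordered = sorted(events, key=lambda e: parse_time(e["time"]))
    findings = []
    for i, ev in enumerate(ordered):
        if ev["op"] != "New-InboxRule" or not is_hiding_rule(ev.get("params", {})):
            continue
        rule_time = parse_time(ev["time"])
        # walk backwards through earlier events until we leave the window
        for prior in reversed(ordered[:i]):
            if rule_time - parse_time(prior["time"]) > window:
                break
            if prior["user"] != ev["user"] or prior["op"] != "UserLoggedIn":
                continue
            if prior["ip"] not in known_ips.get(ev["user"], set()):
                findings.append({
                    "user": ev["user"],
                    "rule_name": ev["params"].get("Name"),
                    "rule_time": ev["time"],
                    "source_ip": prior["ip"],
                    "login_time": prior["time"],
                })
                break
    return findings


if __name__ == "__main__":
    for f in find_suspicious_rules(EVENTS, KNOWN_IPS):
        print(f"{f['user']}: hiding rule {f['rule_name']!r} at {f['rule_time']} "
              f"after sign-in from unfamiliar address {f['source_ip']} at {f['login_time']}")
```

On the constructed data only the second user's rule is reported: the first user's rule comes from a known address and moves mail to a folder the user will actually read. The IP baseline is the weak point of this check, since a VPN exit that the user has legitimately used before will not look new; in practice enrich the sign-in with ASN or a commercial-VPN list before deciding.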
“As organizations across the world continue to adopt third-party solutions like Dropbox into their day-to-day business operations, threat actors will, in turn, continue to seek ways to exploit these and add them to their arsenal. As illustrated in this example, it is relatively simple for attackers to abuse these legitimate services for malicious purposes, all while evading detection by endpoint users and security teams alike,” Darktrace said.