12 March 2024

Threat actors abuse Dropbox in phishing attacks

Darktrace researchers have detailed a phishing attack that abused Dropbox, the widely used cloud storage platform, to deliver its lure.

The attack, discovered in January, targeted one of the company's customers with seemingly innocuous emails that came from the legitimate Dropbox address 'no-reply@dropbox[.]com'. The emails linked to a PDF file hosted on Dropbox. What caught the researchers' attention was the PDF itself: it contained a link to a previously unseen domain, 'mmv-security[.]top'.

Digging deeper, the researchers found that 'mmv-security[.]top' was a newly registered domain that multiple security vendors had already associated with phishing activity.

Although the email had been moved to the junk folder and flagged by the organization's security controls, an employee opened it anyway, followed the link to the PDF, and from there connected to the malicious 'mmv-security[.]top' endpoint, compromising the employee's device. Further investigation of the domain showed that it hosted a fake Microsoft 365 login page built to harvest the credentials of legitimate SaaS account holders.
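The lure described above turns on a single observable: a notification that genuinely came from Dropbox pointed at a Dropbox-hosted PDF whose embedded link went somewhere else entirely. The following Python, added here as an illustration and not code from Darktrace or from the article, pulls the link targets out of an uncompressed PDF and flags any whose host lies outside the platform that shared the file. The sample PDF, its Dropbox path and the allowlist are constructed for the example; only the domain mmv-security[.]top comes from the report, and its path is not known, so none is used.

```python
import re
from urllib.parse import urlparse

# Constructed sample: a minimal, uncompressed PDF with two link annotations.
# This is not the attacker's file; the Dropbox path is invented, and only the
# domain 'mmv-security.top' comes from the report (its path is not known).
SAMPLE_PDF = b"""%PDF-1.4
1 0 obj << /Type /Catalog /Pages 2 0 R >> endobj
2 0 obj << /Type /Pages /Kids [3 0 R] /Count 1 >> endobj
3 0 obj << /Type /Page /Parent 2 0 R /MediaBox [0 0 612 792]
   /Annots [4 0 R 5 0 R] >> endobj
4 0 obj << /Type /Annot /Subtype /Link /Rect [72 700 300 720]
   /A << /S /URI /URI (https://www.dropbox.com/s/example/shared.pdf) >> >> endobj
5 0 obj << /Type /Annot /Subtype /Link /Rect [72 650 300 670]
   /A << /S /URI /URI (https://mmv-security.top/) >> >> endobj
trailer << /Root 1 0 R >>
%%EOF
"""

# Matches the literal-string form of a /URI action: /URI (...). The lookbehind
# lets a backslash-escaped ')' inside the string pass through.
URI_RE = re.compile(rb"/URI\s*\((.*?)(?<!\\)\)", re.DOTALL)


def extract_pdf_uris(pdf_bytes: bytes) -> list[str]:
    """Return every /URI target found in an uncompressed PDF.

    Caveat: link actions inside compressed object streams, or written as hex
    strings (/URI <...>), are not seen by this regex. Decompress with a real
    PDF parser first if you need full coverage.
    """
    uris = []
    for m in URI_RE.finditer(pdf_bytes):
        raw = m.group(1)
        # Undo the PDF literal-string escapes that can appear in a URL.
        raw = raw.replace(rb"\(", b"(").replace(rb"\)", b")").replace(rb"\\", b"\\")
        uris.append(raw.decode("latin-1"))
    return uris


def is_allowed_host(host: str, allowed: tuple[str, ...]) -> bool:
    """True if host is one of the allowed domains or a subdomain of one.

    The dot-prefixed suffix check is what stops lookalikes such as
    'evil-dropbox.com' or 'dropbox.com.evil.example' from passing.
    """
    return any(host == d or host.endswith("." + d) for d in allowed)


def flag_external_links(pdf_bytes: bytes,
                        allowed: tuple[str, ...] = ("dropbox.com",)) -> list[str]:
    """Return links whose host is outside the expected sharing platform.

    A file shared through Dropbox is expected to link back to Dropbox; any
    other destination is what deserves a closer look (domain age, reputation,
    sandbox detonation) before a user is allowed to click it.
    """
    flagged = []
    for uri in extract_pdf_uris(pdf_bytes):
        host = (urlparse(uri).hostname or "").lower().rstrip(".")
        if not is_allowed_host(host, allowed):
            flagged.append(uri)
    return flagged


if __name__ == "__main__":
    for link in flag_external_links(SAMPLE_PDF):
        print("external link in shared PDF:", link)
```

Run it on a real attachment with `flag_external_links(open(path, "rb").read())`. Most PDFs produced by modern tools keep their objects in compressed streams, so decompress with a proper PDF library before applying the regex, and treat the output as a triage list to enrich (registration age, vendor reputation) rather than as a verdict.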

Darktrace subsequently observed a series of suspicious activities consistent with account takeover: unauthorized logins to the customer's SaaS environment, the use of VPN services to conceal the attacker's location, and the creation of inbox rules in the compromised Outlook accounts to hide the malicious activity from their owners.
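Inbox rules that move, delete or forward mail are the usual way an attacker keeps a compromised mailbox quiet, and in Microsoft 365 their creation is recorded in the unified audit log as New-InboxRule and Set-InboxRule operations. The Python below is an added example, not Darktrace's detection logic, that scores such records for the traits that separate a hiding rule from a housekeeping one. The audit records, addresses and IPs are constructed; the parameter names (Name, Identity, MoveToFolder, DeleteMessage, MarkAsRead, ForwardTo, SubjectOrBodyContainsWords and so on) are those of the Exchange Online cmdlets, while the folder and keyword lists are this example's own assumptions.

```python
import json

# Constructed sample records in the shape of Microsoft 365 unified audit log
# entries for Exchange inbox-rule cmdlets. They are not logs from the incident
# described above; addresses and IPs are documentation/reserved values.
SAMPLE_AUDIT_LOG = json.dumps([
    {"CreationTime": "2024-01-18T09:14:02", "Operation": "New-InboxRule",
     "UserId": "a.user@example.com", "ClientIP": "203.0.113.45",
     "Parameters": [
         {"Name": "Name", "Value": "Newsletters"},
         {"Name": "FromAddressContainsWords", "Value": "news@vendor.example"},
         {"Name": "MoveToFolder", "Value": "Newsletters"}]},
    {"CreationTime": "2024-01-18T11:52:41", "Operation": "New-InboxRule",
     "UserId": "a.user@example.com", "ClientIP": "198.51.100.7",
     "Parameters": [
         {"Name": "Name", "Value": "."},
         {"Name": "SubjectOrBodyContainsWords",
          "Value": "phishing;suspicious;password;hacked"},
         {"Name": "MoveToFolder", "Value": "RSS Feeds"},
         {"Name": "MarkAsRead", "Value": "True"}]},
    {"CreationTime": "2024-01-18T11:55:10", "Operation": "Set-InboxRule",
     "UserId": "a.user@example.com", "ClientIP": "198.51.100.7",
     "Parameters": [
         {"Name": "Identity", "Value": "."},
         {"Name": "DeleteMessage", "Value": "True"},
         {"Name": "ForwardTo", "Value": "collector@attacker.example"}]},
])

RULE_OPERATIONS = {"New-InboxRule", "Set-InboxRule"}
# Assumed list: folders users rarely open, so mail moved there is effectively hidden.
HIDING_FOLDERS = {"rss feeds", "rss subscriptions", "conversation history",
                  "archive", "junk email", "deleted items"}
# Assumed list: words an attacker filters on to suppress warnings about the compromise.
ALERT_WORDS = {"phishing", "suspicious", "password", "hacked", "fraud", "compromised"}
FORWARD_KEYS = ("ForwardTo", "ForwardAsAttachmentTo", "RedirectTo")
KEYWORD_KEYS = ("SubjectContainsWords", "BodyContainsWords", "SubjectOrBodyContainsWords")


def load_audit_log(audit_json: str) -> list[dict]:
    """Parse a JSON array of audit records."""
    return json.loads(audit_json)


def parameters(record: dict) -> dict:
    """Flatten the record's [{Name, Value}, ...] list into a dict of strings."""
    return {p["Name"]: str(p["Value"]) for p in record.get("Parameters", [])}


def rule_findings(record: dict) -> list[str]:
    """Return the suspicious traits of one inbox-rule audit record."""
    if record.get("Operation") not in RULE_OPERATIONS:
        return []
    p = parameters(record)
    findings = []
    # Set-InboxRule names the rule via -Identity, New-InboxRule via -Name.
    name = p.get("Name", p.get("Identity", ""))
    if not name.strip(". _-"):
        findings.append(f"non-descriptive rule name {name!r}")
    hides = False
    if p.get("DeleteMessage", "").lower() == "true":
        findings.append("deletes matching mail")
        hides = True
    folder = p.get("MoveToFolder", "")
    if folder.lower() in HIDING_FOLDERS:
        findings.append(f"moves matching mail to {folder!r}")
        hides = True
    # Marking as read is only interesting when the mail is also being hidden:
    # it stops an unread count from betraying the diverted messages.
    if hides and p.get("MarkAsRead", "").lower() == "true":
        findings.append("marks hidden mail as read")
    for key in FORWARD_KEYS:
        if p.get(key):
            findings.append(f"{key} set to {p[key]!r}")
    words = ";".join(p.get(k, "") for k in KEYWORD_KEYS).lower()
    hits = sorted(w for w in ALERT_WORDS if w in words)
    if hits:
        findings.append(f"filters on alert words {hits}")
    return findings


def scan_audit_log(audit_json: str) -> list[dict]:
    """Return one summary per audit record that has at least one finding."""
    results = []
    for rec in load_audit_log(audit_json):
        findings = rule_findings(rec)
        if findings:
            results.append({"time": rec.get("CreationTime"),
                            "user": rec.get("UserId"),
                            "ip": rec.get("ClientIP"),
                            "op": rec.get("Operation"),
                            "findings": findings})
    return results


if __name__ == "__main__":
    for hit in scan_audit_log(SAMPLE_AUDIT_LOG):
        print(hit["time"], hit["user"], hit["ip"], hit["op"])
        for finding in hit["findings"]:
            print("   -", finding)
```

Real records come out of Search-UnifiedAuditLog with the JSON in the AuditData field; collect those objects into an array and pass it to scan_audit_log. Pair every hit with the sign-in events for the same user and ClientIP: a rule created minutes after a login from an unfamiliar VPN exit node is exactly the sequence the article describes.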

“As organizations across the world continue to adopt third-party solutions like Dropbox into their day-to-day business operations, threat actors will, in turn, continue to seek ways to exploit these and add them to their arsenal. As illustrated in this example, it is relatively simple for attackers to abuse these legitimate services for malicious purposes, all while evading detection by endpoint users and security teams alike,” Darktrace said.

