Multi-stage phishing campaign targets Dropbox credentials via PDF scheme

A phishing campaign is using a combination of social engineering and trusted cloud services to steal corporate login credentials for popular file-sharing platforms, Forcepoint X-Labs warns.

The campaign starts from brief, professional-looking phishing emails posing as urgent procurement or business requests. The messages often appear to come from a familiar organization and prompt recipients to open an attached PDF for further details.

According to Forcepoint, the minimal wording helps the emails slip past authentication checks such as SPF, DKIM and DMARC, while the sense of urgency pressures recipients into acting quickly. Inside the PDF, users are instructed to click an embedded link built with AcroForm, the PDF interactive-form mechanism, which limits the ability of security tools to inspect the URL.

The link redirects victims to a trusted cloud storage service, which then presents a convincing fake Dropbox login page.

“Once opened, the PDF did not deliver malware. Instead, it directs the user to a second PDF hosted on a trusted cloud service. This step was critical. By using legitimate cloud infrastructure, the attackers reduce suspicion, bypassing many automated security checks that rely on reputation and known-bad indicators in the process,” the researchers explain.
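To make the AcroForm point concrete from the defender's side, here is a small triage script added to this piece (it is not Forcepoint's tooling and does not come from the article). It scans a PDF attachment for `/URI` actions, inflates any FlateDecode streams so links packed into object streams are seen as well, and reports which annotation type carries each URL, so that links hidden behind form-field widgets are surfaced for inspection rather than missed. The sample PDF, its object layout and all URLs are constructed for the demo.

```python
"""Surface URI actions carried by PDF form-field widgets (AcroForm).

Added triage example, not the article's or Forcepoint's code. It does a raw
byte scan rather than a full PDF parse, which is enough to list every /URI
action and the /Subtype of the annotation that holds it.
"""
import re
import zlib

# Constructed sample PDF: one page with an AcroForm button widget whose action
# opens a URL, plus an ordinary /Link annotation so the two can be told apart.
SAMPLE_PDF = b"""%PDF-1.7
1 0 obj << /Type /Catalog /Pages 2 0 R /AcroForm << /Fields [4 0 R] >> >> endobj
2 0 obj << /Type /Pages /Kids [3 0 R] /Count 1 >> endobj
3 0 obj << /Type /Page /Parent 2 0 R /Annots [4 0 R 5 0 R] >> endobj
4 0 obj << /Type /Annot /Subtype /Widget /FT /Btn /T (open) /Rect [0 0 200 50]
   /A << /S /URI /URI (https://cloud-storage.example/second-stage.pdf) >> >> endobj
5 0 obj << /Type /Annot /Subtype /Link /Rect [0 60 200 110]
   /A << /S /URI /URI <68747470733a2f2f6578616d706c652e6f72672f> >> >> endobj
trailer << /Root 1 0 R >>
%%EOF
"""

# /URI followed by a literal string "(...)" or a hex string "<...>"
URI_RE = re.compile(rb"/URI\s*(?:\(((?:\\.|[^\\)])*)\)|<([0-9A-Fa-f\s]*)>)")
STREAM_RE = re.compile(rb"stream\r?\n(.*?)\r?\nendstream", re.S)
SUBTYPE_RE = re.compile(rb"/Subtype\s*/(\w+)")
FIELD_RE = re.compile(rb"/FT\s*/(\w+)")


def _with_inflated_streams(data: bytes) -> bytes:
    """Append the decompressed body of every FlateDecode stream to the scan buffer."""
    parts = [data]
    for m in STREAM_RE.finditer(data):
        try:
            parts.append(zlib.decompress(m.group(1)))
        except zlib.error:
            continue  # not Flate, or damaged: the plain scan still covers the rest
    return b"\n".join(parts)


def _decode_string(literal, hexstr) -> str:
    """Decode a PDF literal string (unescaping \\( \\) \\\\) or a hex string."""
    if literal is not None:
        return re.sub(rb"\\([()\\])", rb"\1", literal).decode("latin-1")
    clean = re.sub(rb"\s", b"", hexstr).decode("ascii")
    return bytes.fromhex(clean).decode("latin-1")


def _enclosing_object(data: bytes, pos: int) -> bytes:
    """Bytes from the start of the current object up to the /URI, so the
    /Subtype and /FT read belong to the annotation holding this action."""
    start = max(data.rfind(b" obj", 0, pos), data.rfind(b"endobj", 0, pos), 0)
    return data[start:pos]


def extract_uri_actions(pdf: bytes):
    """Return every /URI action with the annotation subtype that carries it."""
    data = _with_inflated_streams(pdf)
    findings = []
    for m in URI_RE.finditer(data):
        ctx = _enclosing_object(data, m.start())
        subtypes = SUBTYPE_RE.findall(ctx)
        subtype = subtypes[-1].decode() if subtypes else "unknown"
        is_field = bool(FIELD_RE.findall(ctx)) or subtype == "Widget"
        findings.append({
            "uri": _decode_string(m.group(1), m.group(2)),
            "subtype": subtype,
            "form_field": is_field,
        })
    return findings


def acroform_uris(pdf: bytes):
    """Only the URLs reachable through form-field widgets: the ones the
    article says link scanners tend not to surface."""
    return [f["uri"] for f in extract_uri_actions(pdf) if f["form_field"]]


def flate_object_stream(body: bytes) -> bytes:
    """Constructed helper: pack raw object bytes into a FlateDecode object
    stream, the way a PDF writer would, so the inflate path can be exercised."""
    comp = zlib.compress(body)
    return (b"6 0 obj << /Type /ObjStm /Filter /FlateDecode /Length %d >>\nstream\n"
            % len(comp) + comp + b"\nendstream endobj\n")


if __name__ == "__main__":
    for f in extract_uri_actions(SAMPLE_PDF):
        flag = "FORM-FIELD" if f["form_field"] else "link"
        print(f"[{flag:10}] /{f['subtype']:<7} {f['uri']}")
```

In a mail-gateway or sandbox pipeline, any attachment where `acroform_uris()` is non-empty is worth routing to the same URL reputation and detonation checks that plain `/Link` annotations already receive; the script deliberately reports the hosting domain as-is so a reviewer can see a legitimate cloud-storage host being used as the first hop.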

If victims enter their credentials, the information is sent to a Telegram channel controlled by the attackers. With valid login details, threat actors can take over accounts, gain internal access or use the data for additional follow-on fraud.
