Threat actors exploiting Microsoft and Google Platforms

Ryan Kalember, executive vice president of cybersecurity strategy for Proofpoint elaborates on how threat actors exploit Microsoft and Google platforms to host and send millions of malicious messages.

Organizations worldwide have adopted cloud collaboration tools in record numbers—and attackers have quickly followed. In recent months we have observed an acceleration in threat actors abusing Microsoft and Google’s popular infrastructure to host and send threats across Office 365, Azure, OneDrive, SharePoint, G-Suite, and Firebase storage.

Last year, 59,809,708 malicious messages from Microsoft Office 365 targeted thousands of our customers. And more than 90 million malicious messages were sent or hosted by Google, with 27% sent through Gmail, the world’s most popular email platform. In Q1 2021, we observed seven million malicious messages from Microsoft Office 365 and 45 million malicious messages from Google infrastructure, which far exceeds the per-quarter volume of Google-based attacks in 2020.

The malicious message volume from these trusted cloud services exceeded that of any botnet in 2020, and the trusted reputation of these domains, including outlook.com and sharepoint.com, increases the difficulty of detection for defenders.

This authenticity perception is essential, as email recently regained its status as the top vector for ransomware and threat actors increasingly leverage the supply chain and partner ecosystem to compromise accounts, steal credentials, and siphon funds. We recently released supply chain findings that 98% of nearly 3,000 monitored organizations across the U.S., UK, and Australia, received a threat from a supplier domain over a 7-day window in February 2021.

Given the level of access that can be granted from a single account, over the last year threat actors targeted 95% of organizations with cloud account compromise attempts, and more than half have experienced at least one compromise. Of those compromised, over 30% experienced post-access activity including file manipulation, email forwarding, and OAuth activity. Once stolen, credentials let threat actors log into systems as imposters, move laterally across multiple cloud services and hybrid environments, and send convincing emails cloaked as a real employee, orchestrating potential financial and data loss.

Microsoft and Google Phishing Examples
Here is a round-up of recent phishing campaigns that demonstrate how threat actors use both Microsoft and Google when trying to convince users to act. For example, the following credential phishing attempt features a Microsoft SharePoint URL claiming to host a corporate policy and COVID-19 guidelines document. The document contains a link leading to a fake Microsoft authentication page designed to harvest user credentials. This low-volume campaign involved approximately 5,000 messages targeting users in transportation, manufacturing, and business services.

An additional example of a recent fake video conferencing credential phishing campaign featured the “.onmicrosoft.com” domain name. The messages contain a URL which leads to a fake webmail authentication page designed to harvest user credentials. This low volume campaign involved approximately 10,000 messages focused on manufacturing, technology, and financial services users.

A March 2021 Gmail-hosted campaign featured a fake employee benefits message and Microsoft Excel attachment targeting manufacturing, technology, and media/entertainment organizations. If macros are enabled, it will install and run The Trick, a trojan that intercepts and logs banking website visits to steal credentials.

In February 2021, we also observed a very low-volume Xorist ransomware campaign from a Gmail-hosted email address. It attempts to trick accounting recipients into opening password-protected zipped MS Word documents. These documents contain macros which, if enabled, drop the ransomware.
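The indicators these campaigns share (links staged on sharepoint.com or .onmicrosoft.com hosts, macro-capable Office attachments, password-protected archives and business-themed lures sent from consumer Gmail addresses) can be surfaced by a simple triage pass over parsed mail metadata. The following Python is an added illustration, not Proofpoint code; the domain lists, tag names and sample messages are constructed assumptions, not data from the campaigns above.

```python
import re
from urllib.parse import urlparse

# Hosting domains the article reports being abused to stage phishing lures.
TRUSTED_HOSTING = ("sharepoint.com", "onmicrosoft.com", "onedrive.live.com",
                   "firebasestorage.googleapis.com")
MACRO_EXTS = (".xlsm", ".docm", ".xls", ".doc")      # Office types that can carry macros
FREEMAIL = ("gmail.com", "outlook.com")             # consumer senders behind business lures
LURE_WORDS = re.compile(r"\b(benefits|policy|covid|invoice|meeting)\b", re.I)

def host_matches(host, suffixes):
    """True if host equals or is a subdomain of any listed suffix."""
    return any(host == s or host.endswith("." + s) for s in suffixes)

def triage(msg):
    """Return the indicator tags found in one parsed message (a dict)."""
    tags = []
    sender_domain = msg["from"].rsplit("@", 1)[-1].lower()
    for url in msg.get("urls", []):
        host = (urlparse(url).hostname or "").lower()
        if host_matches(host, TRUSTED_HOSTING):
            tags.append("cloud_hosted_link:" + host)
    for name in msg.get("attachments", []):
        lower = name.lower()
        if lower.endswith(MACRO_EXTS):
            tags.append("macro_capable_attachment")
        if lower.endswith(".zip") and re.search(r"\bpassword\b", msg.get("body", ""), re.I):
            tags.append("password_protected_archive")
    if sender_domain in FREEMAIL and LURE_WORDS.search(msg.get("subject", "")):
        tags.append("freemail_business_lure")
    return tags

# Constructed sample messages modelled on the campaigns described above (not real data).
SAMPLES = [
    {"from": "hr@contoso-example.com", "subject": "Updated corporate policy and COVID-19 guidelines",
     "urls": ["https://contoso-example.sharepoint.com/:b:/g/policy.pdf"], "attachments": [], "body": ""},
    {"from": "it@contoso-example.onmicrosoft.com", "subject": "Missed video meeting",
     "urls": ["https://contoso-example.onmicrosoft.com/login"], "attachments": [], "body": ""},
    {"from": "payroll.team@gmail.com", "subject": "Employee benefits enrollment",
     "urls": [], "attachments": ["benefits_2021.xlsm"], "body": "See attached."},
    {"from": "accounts.dept@gmail.com", "subject": "Overdue invoice",
     "urls": [], "attachments": ["invoice.zip"], "body": "The archive password is 1234."},
]

def triage_all(messages):
    """Map each message subject to its indicator tags; an empty list means no indicator fired."""
    return {m["subject"]: triage(m) for m in messages}
```

Tags are a triage aid, not a verdict: legitimate business mail also lives on these hosts, so the output should feed analyst review or be combined with sender-reputation and authentication results.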

Our research clearly demonstrates that attackers are using both Microsoft and Google infrastructure to disseminate malicious messages and target people as they leverage popular cloud collaboration tools. When coupled with heightened ransomware, supply chain, and cloud account compromise activity, advanced people-centric email protection must remain a top priority for security leaders.

As a leading cybersecurity vendor with our DNA in email security, we have a nearly 100% efficacy rate in stopping advanced threats arriving through email and invest over 20% of our annual revenue in innovation, including advanced threat detection and expert threat systems to stop people-centric data breaches. We protect over 50% of the Fortune 1000, billions of email messages, billions of URLs and attachments, tens of millions of cloud accounts and more—trillions of data points across all the digital channels that matter. Please visit https://www.proofpoint.com/us/why-proofpoint/nexus-threat-graph for additional information on Proofpoint’s Nexus Threat Graph.