Netskope's Threat Research Labs today revealed details about a newly discovered phishing cyber-attack targeting the client bases of a law firm in Denver, Colorado, and across the US.

Using a PDF file decoy hosted in Azure’s Blob Storage service, the attacker sends the file as attachment to its targets. The decoy is linked to an Office 365 phishing page and has a Microsoft-issued domain and SSL certificate.

Because these attachments are often synced automatically to cloud storage services through collaboration settings in a variety of popular software and third-party apps in a number of enterprises, the campaign is very difficult to detect.

Traditionally, the PDF is delivered as an email attachment that appears to come from a legitimate source. It’s not uncommon for these attachments to be saved to a cloud storage service, such as Google Drive. Nor is it uncommon that a user would share the document. The PDF discovered is named “Scanned Document…Please Review.pdf” and appears as though it is actually coming from the Denver-based law firm. When users click the hyperlink to download the PDF, a pop-up message alerts the user that the document is attempting to connect to an Azure blob storage URL, which leads to the phishing web page.

“At face value, seeing a Microsoft domain and a Microsoft-issued SSL certificate, on a site asking for Office 365 credentials is pretty strong evidence that the site is legitimate, and are likely enough to convince a user to enter their credentials. Upon clicking continue, the victim's credentials are uploaded to https://searchurl[.]bid/livelogins2017/finish40.php,” Netskope wrote in today’s blog post.

Classified as a more complex variant of Netskope's "CloudPhishing Fan-out Effect" discovery last year, the PDF decoy instantly uploads the victim’s user credentials once accidentally downloaded, and the process repeats itself as the file continues to be inadvertently shared throughout the organization.

Researchers reported the sites they discovered on September 17, 2018. Netskope recommends that users always check the domain of the link and be aware of the domains typically used at login, particularly with sensitive services. Organizations should also keep systems and antivirus updated with the latest releases and patches.