Skip to content

Phishing Attacks Abusing File Sharing Sites

Posted by Geraldine Hunt on Mon, Aug 12th, 2019

When attackers use phishing and social engineering attacks, their primary method is to make the attack look like it comes from an official source. Ill-informed users will freely click any link in an email, even if the message looks suspicious. Recent attacks have been taking advantage of users trust on popular sites such as Dropbox, Google Docs, Citrix ShareFile, and Google Drive to name a few. The attack involves OAuth authentication and commonly use messages that verify access to a user’s resource.

How the Phishing Attack Works

It’s not uncommon for users to add plugins to their browsers that ask for access to their personal accounts. For instance, if you authenticate into a service using your Facebook account, Facebook asks for your approval and tells you the resources that the plugin owner wants to access. The plugin might ask for access to email and name, or it might ask to post to your wall. When you give a resource access to post to your wall, you give an anonymous developer the ability to post anything to your personal space.

Most developers use this resource access ability for reasons that benefit the user. Access is granted using a service named OAuth, and users can revoke access to their account at any time. However, most users indiscriminately give access to resources, and this ill-advised grant to access any component of a personal account is how attackers can spread malware, steal credentials, and perpetuate additional phishing attacks.

File sharing sites are the most targeted vectors for attackers because these sites offer users the ability to grant access to view, add, and edit files already stored on the cloud drive. Users are first asked to grant developers access to these resources, but it’s common for users to share anything asked from them even after clicking a link from an unknown user in an email.

After the user grants permissions to the attack to add and view files, the attacker now can view any files on the file-sharing resource and add new ones. These new files usually contain malicious scripts that could add malware to the local machine, steal credentials, or give the attacker the ability to control the user’s remote device. With this attack, deleting the malicious file will not stop the attack, because the attacker has permissions to add the file again.

The only way a user can stop the attack is to revoke access, but by this time it’s usually too late. The attacker can collect file information and add files that the user could download in the future. In addition to persistent cloud drive access, users are unaware of the fact that they can revoke access to a resource in their account settings.


PhishTitan is an advanced phishing protection solution for companies using M365, powered by AI technology. Sign up for our Free Demo to learn more.

Free Demo

How Corporations Can Protect Users Against These Social Engineering Attacks

Although this attack can be anything from a minor annoyance to the disclosure of data for individual users, it can be a critical issue for corporations that use cloud drives to share intellectual property and protect internal documents. With this attack, anything stored on the user’s cloud drive is vulnerable. If users are unable to recognize the attacker’s malicious files, the exploit persists with no alert to the administrator.

Email filters using the latest anti-malware security features is the primary way administrators can block these attacks, getting to the root of the issue – phishing emails. Blocking phishing emails stops users from clicking malicious links, so an administrator does not need to limit file sharing functionality. Instead, the administrator can stop the attack before it ever reaches the user’s inbox.

DMARC (Domain-based Message Authentication, Reporting, and Conformance) is the latest email security defenses that stop phishing emails based on administrator settings and a set of rules that leverage DNS and public-private key encryption. It incorporates Sender Policy Framework (SPF), which requires a DNS entry from the organization so that recipient email servers can identify if the sender’s IP is authorized to send an email on behalf of the domain owner.

DomainKeys Identified Mail (DKIM) is also incorporated into DMARC rules. DKIM adds a public-key encryption signature that can only be decrypted by the organization’s email server that contains the private key. By adding a signature to the email message, the organization knows that only messages encrypted with its public key are intended for the recipient. Together with SPF, this security framework blocks spoofed messages that might look like they came from a trusted sender.

OAuth attacks are common in the wild, and it only takes one user mistake to give an attacker access to a cloud drive. With DMARC and the right email filters, an organization can stop an attacker from ever reaching a targeted user’s inbox.


Related Articles

Never Miss a Blog Post

Sign-up for email updates...


Talk to Our Email and DNS Security Team

Call us on US +1 813 304 2544

Contact Us