The Cybersecurity Stop of the Month blog series explores the ever-evolving tactics of today’s cybercriminals and how Proofpoint helps organizations better fortify their email defenses to protect people against today’s emerging threats.
Phishing attacks surged significantly in 2024, increasing nearly 60% year-over-year. Experts have noted that not only are these attacks growing in volume but they’re also becoming more sophisticated. Shifts in the threat landscape—driven by advances in generative AI and evolving social engineering tactics—are enabling cybercriminals to conduct more personalized, sophisticated attacks that are increasingly difficult to detect.
Globally, an average of 4 billion phishing emails are sent per day. The increased success of these attacks has contributed to a high financial toll. By the end of the year, projected global costs could potentially reach $250 billion. Sectors like finance and insurance have been hit the hardest—experiencing over 27% of all phishing attacks—while technology, healthcare and education are also major targets.
Today, we’ll explore one type of phishing attack that is particularly hard to identify, which is called Dropbox phishing.
Background
During the past few years, Dropbox phishing scams have grown more sophisticated. Here here’s how they typically work:
Steps in a Dropbox phishing scam.
Phishing attacks that use legitimate Dropbox infrastructure are hard to identify for several reasons, including:
- Abuse of a legitimate service. A bad actor uploads a compromised document—like a PDF with an embedded malicious URL—and sends it directly through Dropbox. Because the threat is sent through a legitimate service, it can effectively bypass an organization’s email security defenses.
- Email pretexting. A malicious phishing email that initiates the attack can be very convincing. Bad actors often include realistic pretexts, such as “You’ve been invited to view a file” or “A file was shared with you,” which closely mirror legitimate Dropbox notifications.
- Trust in the brand. Dropbox is widely trusted and frequently used for file sharing. If users regularly log into Dropbox to access shared files, they are less likely to scrutinize the login prompt, especially if they’re accustomed to receiving Dropbox file-sharing invitations.
This type of attack is very stealthy and highly undetectable. Bad actors can launch and share any type of attack via Dropbox, including ransomware and malware.
The scenario
In this recent attack, a bad actor used legitimate Dropbox infrastructure to send a recipient a link to a malicious document that only they could access. The target organization was a New England-based non-profit, which owns and operates upwards of 12,000 homes and 102 properties across 11 states.
The organization’s incumbent email security was Microsoft 365 E3 plus an add-on API-based tool. Unfortunately, neither tool detected, blocked or remediated this advanced phishing attack, which left the organization vulnerable to a potential cyberattack or data breach.
The threat: How did the attack happen?
Here is a closer look at how the attack unfolded:
1. Legitimate Dropbox message. A bad actor targeted employees with a shared PDF file , which could only be accessed by the recipients. The login message was genuine and was sent by the real Dropbox service.
Legitimate Dropbox message received by the user.
2. Legitimate Dropbox login. To view the shared PDF file, employees needed to click on the “View in Dropbox” button. If they would have clicked on the link, they would have been prompted to login and authenticate into the Dropbox service. Both the login screen and authentication messages were valid as they sent from the real Dropbox service.
Legitimate Dropbox login page for accessing the shared file.
3. Dropbox phishing page. Once authenticated, users would open a shared PDF file with an embedded malicious URL. Clicking on the malicious URL would automatically redirect them to a phishing page. At that point, they would be prompted to login and authenticate again. Unknown to the users, this site is controlled by the bad actor and is used to collect their login credentials.
The detection: How did Proofpoint identify this attack?
These multipronged Dropbox phishing attacks are hard to detect and almost impossible for users to spot. Here’s why:
- Threats come from real senders with legitimate Dropbox accounts that have been compromised.
- Messages come from users that have an existing relationship with the recipient.
- URLs and templates from Dropbox are known, trusted and shared.
- The malicious URL that’s embedded in the shared document is masked behind Dropbox authentication.
Proofpoint has seen numerous Dropbox phishing attacks that have slipped past other email security tools. When Proofpoint detected and stopped this threat, we were doing a risk assessment with this customer, and our tool was deployed behind Microsoft and another API-only post-delivery tool. Notably, other organizations just like this one have reported that their API-only post-delivery tools have struggled to identify and stop these types of attacks.
Unlike the Proofpoint API-based solution, other API-based tools lack threat intelligence and URL sandboxing capabilities. Typically, they only scan for behavioral anomalies and not for malicious content. As a result, they fail to detect these highly evasive attacks that abuse legitimate cloud apps and compromised accounts. This gives security and IT teams a false sense of security that these threats will be identified. Even worse, they often incorrectly classify them as legitimate messages.
Proofpoint combines continuously evolving ML and behavioral AI techniques with threat intelligence and advanced sandboxing analysis to detect these types of sophisticated attacks. In this instance, we used a combination of behavioral signals within our sandbox, analyzed message-level indicators and conducted malicious content analysis. By injecting the following signals into our URL sandbox, we detected and stop this attack:
- Volume of messages shared by the same account
- Analysis of the sender plus the sender’s email address
- Presence of a Dropbox URL
- Advanced detection of abused URL sharing
- Enhanced document detection sent from many different URLs and different senders
- Analysis of message headers for malicious indicators, like reply-to mismatch
- Existence of other malicious messages with similar characteristics
Proofpoint detected and blocked this attack because we analyzed the suspicious email with AI-driven behavioral indicators. And we scanned embedded URLs for malicious content. Ultimately, we provide security and IT teams with a much higher level of confidence in detecting and blocking these types of advanced email threats.
Condemnation summary of signals Proofpoint used to detect the threat.
The remediation: What are the lessons learned?
Here’s what we recommend to help protect against Dropbox phishing attacks:
- Analyze malicious URL content. Look for a solution that goes beyond simple scanning of suspicious messages and goes deeper to analyze malicious URL content. To do this right, it should support static and dynamic content analysis and ML, as well as heuristics algorithms that are trained on data patterns from known malicious and benign URLs.
- Detect threats pre-delivery. According to Proofpoint research, 1 in 7 clicks on unsafe links occur within 60 seconds of an email’s delivery. Look for a solution that holds suspicious messages with URLs for sandbox analysis. It should use behavioral signals and threat intelligence to determine if a message needs to be inspected further. This keeps users safe by blocking malicious messages before they are delivered.
- Keep your people informed. Training programs can help users to identify and respond to advanced phishing attempts. Educated users are less likely to fall for phishing scams. This means that there’s less risk that their credentials—or your business—is compromised. Consider doing regular phishing simulations and providing users with feedback to improve their behavior and awareness.
Proofpoint delivers human-centric protection
The surge in sophisticated phishing attacks is a stark reminder of how dynamic the threat landscape really is. That’s why you need to stay vigilant and take proactive steps to better protect your people and organization.
Proofpoint provides a comprehensive solution that continuously detects and analyzes known and emerging threats throughout the entire email delivery lifecycle. Unlike traditional email security products and API-only point tools, Proofpoint Threat Protection offers an AI-driven solution that detects 99.99% of threats from pre-delivery to post-delivery and at click-time. With Proofpoint, you can achieve end-to-end protection against threats before they reach users’ inboxes so you can better protect your people and business.
To learn more about how you can defend against evolving email threats, read our Threat Protection solution brief.
Read our Cybersecurity Stop of the Month series
To learn more about how Proofpoint stops advanced attacks, check out our previous blogs in this series:
- Uncovering BEC and supply chain attacks (June 2023)
- Defending against EvilProxy phishing and cloud account takeover (July 2023)
- Detecting and analyzing a SocGholish Attack (August 2023)
- Preventing eSignature phishing (September 2023)
- QR code scams and phishing (October 2023)
- Telephone-oriented attack delivery sequence (November 2023)
- Using behavioral AI to squash payroll diversion (December 2023)
- Multifactor authentication manipulation (January 2024)
- Preventing supply chain compromise (February 2024)
- Detecting multilayered malicious QR code attacks (March 2024)
- Defeating malicious application creation attacks (April 2024)
- Stopping supply chain impersonation attacks (May 2024)
- CEO impersonation attacks (June 2024)
- DarkGate malware (July 2024)
- Credential Phishing Attack Targeting User Location Data (August 2024)
- Preventing Vendor Impersonation Scams (September 2024)
- SocGholish Haunts the Healthcare Industry (October 2024)
- Preventing Email Compromise in the Public Sector (November 2024)