Severity
High
Analysis Summary
Threat actors are abusing Digital Document Publishing (DDP) sites for phishing, credential harvesting, and session token theft. Legitimate DDP platforms such as FlipSnack, Issuu, Marq, Publuu, RelayTo, and Simplebooklet are being used to host these campaigns, another case of attackers turning a trusted service against its users.
DDP sites are online platforms that let users upload and share PDF files in a flipbook format that is viewed in the browser without downloading the document; some DDP sites also offer additional interactive features.
Because DDP sites are legitimate services with good reputations, they are unlikely to be blocked by web filters, so hosting a phishing lure on one improves the odds of a successful attack: visitors see what appears to be a legitimate site. The threat actor creates multiple accounts using the platforms' free trials and publishes malicious documents through them.
Attackers have previously hosted phishing documents on well-known cloud services such as Google Drive, OneDrive, Dropbox, SharePoint, DocuSign, and Oneflow; the move to DDP sites is an escalation designed to evade email security controls.
In this attack chain the DDP site acts as a secondary or intermediate stage: the phishing email carries a link to a DDP-hosted document, and that document embeds an external link controlled by the adversary. When the victim clicks the embedded link, they are sent to the adversary's site either directly or through a series of redirects; security organizations report that Cloudflare CAPTCHAs are inserted into the redirect chain. The chain ends at a bogus website imitating the Microsoft 365 login page, where the attackers capture credentials or session tokens.
DDP sites slip past email and web content filtering, and the technique is new enough that even trained users are unlikely to recognize it, leaving defenders with a blind spot. Threat actors seeking to evade modern phishing defenses therefore stand to benefit from DDP abuse.
Impact
- Data Theft
- Credential Theft
- Identity Theft
Indicators of Compromise
Domain Name
- secure-docsx.com
- secure-docu.com
- mvnwsenterprise.top
- aerospace-atlas.online
- atlas-aerspace.online
- atlas-aerspace.com
URL
- https://secure-docsx.com/efgh5678
- https://mvnwsenterprise.top/aadcdn.msauth.net/
Remediation
- Block all threat indicators at your respective controls.
- Search for the indicators of compromise (IOCs) listed above in your environment using your respective security controls (proxy, DNS, and email logs in particular).
- Perform comprehensive security audits on the email server infrastructure to identify and address any potential weaknesses. This includes reviewing server configurations, access controls, and encryption protocols to ensure they meet industry best practices.
- Emails from unknown senders should always be treated with caution. Never trust or open links and attachments received from unknown sources/senders.
- Enable 2FA for user accounts on the email server to add an extra layer of security. This prevents unauthorized access even if usernames and passwords are compromised.
- Maintain cyber hygiene by updating your anti-virus software and implementing a patch management lifecycle.
- Implement network segmentation to isolate critical systems and sensitive data from the rest of the network. This limits the lateral movement of attackers in case of a breach and reduces the impact of potential future attacks.
- Implement a regular backup strategy for email servers and critical data. Ensure that backups are stored securely and regularly tested for data restoration.
- Apply the latest security patches and updates to the email server software and associated components to address any vulnerabilities a threat actor may have exploited. Also, prioritize patching known exploited vulnerabilities and zero-days.
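The following Python script is an added example, not Rewterz tooling or part of the original advisory. It implements the IOC search recommended above over URL-bearing log lines and also flags URLs hosted on the DDP platforms named in the analysis, since the attack chain described there starts with a link to a legitimate DDP site that filters will not block. The log format and sample lines are constructed for this example, the hostnames assumed for the DDP platforms are an assumption, and the IOC domains are taken from the advisory's list.

```python
"""Hunt for the DDP-phishing pattern in proxy or mail URL logs.

Added example (not Rewterz tooling). Two kinds of finding:
  1. "ioc-match":  URL host equals, or is a subdomain of, an IOC domain
                   listed in the advisory.
  2. "ddp-hosted": URL host is one of the legitimate DDP platforms named in
                   the advisory; not malicious by itself, but worth review
                   because the platform is the first hop of the chain.
"""
import re
from typing import Iterable, Iterator, Optional, Set
from urllib.parse import urlsplit

# IOC domains exactly as listed in the advisory.
IOC_DOMAINS: Set[str] = {
    "secure-docsx.com",
    "secure-docu.com",
    "mvnwsenterprise.top",
    "aerospace-atlas.online",
    "atlas-aerspace.online",
    "atlas-aerspace.com",
}

# Registrable domains of the DDP platforms named in the advisory.
# Assumption: these are the platforms' primary domains.
DDP_PLATFORMS: Set[str] = {
    "flipsnack.com",
    "issuu.com",
    "marq.com",
    "publuu.com",
    "relayto.com",
    "simplebooklet.com",
}

URL_RE = re.compile(r"https?://\S+")


def host_matches(host: str, domains: Set[str]) -> Optional[str]:
    """Return the domain that host equals or is a subdomain of, else None.

    Suffix matching is anchored on a leading dot so that a lookalike such as
    'notsecure-docsx.com' does not match 'secure-docsx.com'.
    """
    host = host.lower().rstrip(".")
    for domain in domains:
        if host == domain or host.endswith("." + domain):
            return domain
    return None


def classify_url(url: str) -> dict:
    """Classify a single URL as ioc-match, ddp-hosted, or clean."""
    host = urlsplit(url).hostname or ""
    ioc = host_matches(host, IOC_DOMAINS)
    ddp = host_matches(host, DDP_PLATFORMS)
    if ioc:
        verdict = "ioc-match"
    elif ddp:
        verdict = "ddp-hosted"
    else:
        verdict = "clean"
    return {"url": url, "host": host, "verdict": verdict, "matched": ioc or ddp}


def scan_log(lines: Iterable[str]) -> Iterator[dict]:
    """Yield one finding per non-clean URL found in the given log lines."""
    for line in lines:
        for url in URL_RE.findall(line):
            result = classify_url(url)
            if result["verdict"] != "clean":
                result["line"] = line
                yield result


# Constructed sample log lines (timestamp, user, method, URL); not real
# telemetry. The Issuu path and the 'docs.' subdomain are made up to
# exercise the DDP check and the subdomain suffix match respectively.
SAMPLE_LOG = [
    "2024-03-21T09:01:10Z alice GET https://www.example.com/index.html",
    "2024-03-21T09:02:44Z bob GET https://issuu.com/constructed-publisher/docs/constructed-invoice",
    "2024-03-21T09:02:51Z bob GET https://secure-docsx.com/efgh5678",
    "2024-03-21T09:03:02Z bob GET https://mvnwsenterprise.top/aadcdn.msauth.net/",
    "2024-03-21T09:05:30Z carol GET https://docs.atlas-aerspace.online/view",
]


def findings_for(lines: Iterable[str] = SAMPLE_LOG) -> list:
    """Run the scan and return all findings as a list."""
    return list(scan_log(lines))


if __name__ == "__main__":
    for finding in findings_for():
        print(f"{finding['verdict']:<11} {finding['host']:<32} {finding['url']}")
```

Run against real proxy or mail-gateway exports by feeding the file's lines to `findings_for`; treat `ioc-match` hits as incidents to investigate (the user's session should be assumed compromised until shown otherwise) and `ddp-hosted` hits as triage candidates, since the advisory's point is that the platform itself looks benign and only the embedded external link reveals the lure.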