File-sharing phishing: What is it and how does it work?
- Last Updated : April 30, 2025
For years, phishing has been a cyberattack technique that threat actors have commonly relied upon to advance their motives. Along with the evolution of these attacks, the security offered by email providers and email security solutions has also evolved. Phishing attacks have become easier to detect than before, and recipients have gotten better at spotting the signs of these attacks.
This improvement in security features and awareness among users has led to threat actors getting more sophisticated with their attacks. Attackers are finding innovative ways to dodge security filters and avoid detection by systems. They're crafting unique attacks that exploit vulnerabilities, ensuring they're able to attain their motives.
Among these new types of attacks created by threat actors, there are certain threats that exploit the trust users have in popular file-sharing sites and the personnel in their own organization. These attacks are called file-sharing phishing attacks. In this article, we'll explore what file-sharing phishing is, the attack propagation technique, and the ways in which organizations can protect themselves from these attacks.
What is file-sharing phishing?
File-sharing phishing refers to a type of phishing attack in which the cybercriminal assumes the identity of someone the email recipient trusts and sends an email containing a link to a document. The document included in the email seems innocuous at first sight, but it actually contains a phishing link or some malicious content that can infect the recipient's computer or the organization's network.
Attackers succeed with this type of phishing because a company's employees trust emails sent by internal members. They also trust email notifications from popular file-sharing sites, because those services are legitimate and routinely used within the company. When they receive an email that doesn't fall under any irregular pattern, they place trust in the sender and the email, and proceed to take the action that's expected from them.
Stages of a file-sharing phishing attack
1. Reconnaissance and setup
Before threat actors launch their attack, they conduct extensive research to understand the workings of the company, the usual internal communication patterns, and the sender email addresses associated with the type of email they're planning to send.
For example, if the attack revolves around sending an email with a document titled "Improved Employee Benefits," they research the usual sender of such emails, the month of the year during which such emails are usually sent by the company, and the file-sharing platform commonly used. Once they get these details right, they launch the attack.
2. Attack initiation
In the second stage, they launch the attack by identifying their victims. In this stage, they draft an email that seems convincing and creates a sense of urgency. This ensures that the victims don't have the privilege of time to verify the authenticity of the email.
They also make sure that the attack is created to evade the security filters of the email provider. The threat actors also manipulate the documents by corrupting them and triggering an auto-recovery feature built into platforms such as Dropbox, OneDrive, Google Drive, Box, or iCloud. This way, the threat actor ensures that there's a nudge for the user to engage with the malicious document.
3. Taking the bait
Once the attack is launched, the attacker waits for the email recipient to perform the intended action. Because the email content sounds urgent, the employee usually falls for the bait quickly.
Depending on the nature of the attack, clicking on the associated link could open an authentication window that's formatted to mimic the authentication popup of Microsoft, Google, or whichever platform the attacker is imitating. Once the recipient performs the required authentication, the attacker has access to their credentials. In certain cases, clicking on the link could also trigger a malicious file download.
4. Attack propagation and aftermath
Once the attacker gains access to their target's credentials, they may use them for their own benefit by assuming the victim's identity and carrying out conversations with the victim's contacts. They may request sensitive information or bank transfers, depending on their motives.
If a file download is triggered, the file could be malicious in nature and corrupt the existing data on the user's system or even lock them out of the system entirely. In some cases, the file download may appear innocuous and silently monitor the actions performed on the system. The company's sensitive data may be stolen and sold for monetary benefit, or the organization may be blackmailed to pay a ransom to release the data.
Combining these techniques of psychological manipulation and technical tactics, the attacker attains their motive.
Why are file-sharing phishing attacks so effective?
There are certain characteristics of these types of phishing attacks that make them trustworthy and effective for cybercriminals.
Sense of familiarity: People are used to getting file-sharing links in the business and personal contexts, making them less suspicious.
Brand reputation: The presence of logos and branding from services like Google, Microsoft, or Dropbox lowers users' defenses.
Bypasses traditional filters: Because the email itself often doesn’t contain a virus or an obviously malicious link, it can slip past spam and malware filters.
Pressure and urgency: Messages often create a sense of urgency or sometimes even excitement, making people act before thinking.
Protection tips for organizations
File-sharing phishing attacks have a few indicators that can be spotted. Making sure your organization's users are familiar with these indicators, along with a few other protection measures, can keep your company safe.
Verify the source
File-sharing phishing attacks most commonly mimic an internal email address. This way, they can get the recipient to open the attachment without suspicion. Threat actors are skilled at imitating popular file-sharing sites, which makes recipients fall prey to their tactics. Whenever there's suspicion with an email containing a document, verify the email sender's address and the username associated with it. Double check the domain name to ensure that it's authentic.
Beware of unsolicited documents
In most cases, these attacks tend to either scare or excite the user into performing an action. For example, it could be an attachment named "Employee Increment" or "Immediate Invoice Processing Needed." If you're receiving an invoice without expecting it or you haven't made any recent purchases, proceed with caution. Similarly, with internal emails, such as employee benefits, you'd have a general idea about whether there's talk of such perks within the company. Engage with the email based on the context that's set amongst your peers.
Refrain from engaging with corrupted documents
Certain threat actors use the auto-recovery feature built into word processors and other file-sharing sites to propagate their attacks. If an attachment displays an error that it's unreadable or corrupted, it could be a sign of tampering or some malicious content. In such cases, verify the authenticity of the document and the sender internally, and then engage with the document.
Look for unusual extensions
In some of these attacks, clicking on the associated document link can lead to a file download. It's important to be extra cautious in such cases because the attack propagation can happen even before the victim realizes what's happening. These attachments are mostly sent in unusual file formats, such as .exe, .zip, or .bin. If an attachment with such an extension is present, refrain from downloading or clicking on it.
Stay away from scanning QR codes
There's little reason for QR codes to be embedded in emails. It's easier to simply provide the URL that's associated. Unless there's a very specific case, QR codes in emails can be dangerous because scanning them on your personal device takes you out of your organization's secure digital environment. Even when there's a link present, hover over the link to check the redirection before clicking on it.
Double-check the redirected pages
If clicking on a document link in an email takes you to an authentication page, check the link it redirects you to. The page might be an imitation of the original platform created by the hacker. These days, with the availability of AI tools, it's easy to create authentic-looking pages that extract sensitive information such as account credentials or gain access to sensitive account actions. With such permissions, attackers can further their attack easily.
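The sender, file-extension, and redirect checks described in the tips above can be partly automated when triaging reported emails. The following Python is an added example, not part of the original article or of any product it mentions; the organization name and domain, the trusted-host list, and the sample message are assumptions constructed for illustration.

```python
import re
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlparse

# Assumed values for this example; replace with your organization's own.
ORG_NAME, ORG_DOMAIN = "example", "example.com"
TRUSTED_SHARE_HOSTS = ("dropbox.com", "onedrive.live.com", "drive.google.com",
                       "box.com", "icloud.com")
RISKY_EXTENSIONS = (".exe", ".zip", ".bin")  # formats named in the article

def is_trusted_host(host):
    """True only for an approved host or a real subdomain of one."""
    host = (host or "").lower()
    return any(host == h or host.endswith("." + h) for h in TRUSTED_SHARE_HOSTS)

def triage(raw_email):
    """Return the indicators found in one raw message, as short strings."""
    msg = message_from_string(raw_email)
    findings = []
    display, addr = parseaddr(msg.get("From", ""))
    domain = addr.rpartition("@")[2].lower()
    if domain != ORG_DOMAIN and ORG_NAME in display.lower():
        findings.append(f"external sender using org name: {addr}")
    for part in msg.walk():
        name = part.get_filename()
        if name and name.lower().endswith(RISKY_EXTENSIONS):
            findings.append(f"risky attachment: {name}")
        if part.get_content_type() == "text/plain":
            body = part.get_payload(decode=True).decode("utf-8", "replace")
            for url in re.findall(r"https?://[^\s<>\"']+", body):
                parsed = urlparse(url)
                if not is_trusted_host(parsed.hostname):
                    findings.append(f"untrusted link host: {parsed.hostname}")
                if parsed.path.lower().endswith(RISKY_EXTENSIONS):
                    findings.append(f"link to risky file type: {parsed.path}")
    return findings

# Constructed sample message (not a real phishing email).
SAMPLE = """\
From: "Example HR" <hr@examp1e-benefits.test>
To: employee@example.com
Subject: Improved Employee Benefits - respond today
Content-Type: text/plain; charset=utf-8

Shared via OneDrive: https://onedrive.live.com.share-docs.test/benefits/login
Offline copy: https://share-docs.test/files/benefits.zip
Policy page: https://drive.google.com/file/d/constructed/view
"""

if __name__ == "__main__":
    for finding in triage(SAMPLE):
        print(finding)
```

The first link in the sample starts with a familiar file-sharing hostname but resolves under a different registered domain, which is why the check compares the end of the hostname rather than searching for the brand anywhere in the URL.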
Conduct security awareness trainings
People are the first line of defense. Regular security awareness training helps employees spot red flags and respond appropriately when they encounter suspicious activity. Simulated phishing exercises, learning modules, and real-world examples help users stay alert. The more your employees understand how these attacks work, the less likely they are to fall for them and the more likely they are to report anything suspicious.
Deploy an email security solution
While all of these measures can help to an extent, the most efficient way to keep file-sharing phishing and other cyber threats at bay is to deploy a robust email security solution. Email security solutions complement the security measures that are already offered by your email provider and add a layer of security. They spot the emails that seem suspicious and keep businesses safe from cybercriminals, data loss, and financial loss.
eProtect is a cloud-based email security and archiving solution that provides an additional layer of security for email accounts. The solution offers advanced threat detection mechanisms that can secure on-premise and cloud email accounts from evolving email threats. eProtect is the security solution powering Zoho Mail, a platform trusted by millions of users.