Full Report
Threat actors are exploiting cloud platforms like Adobe and Dropbox to evade email gateways and steal credentials
Analysis Summary
This summary is based on limited source context describing a general trend observed by Cofense Intelligence: the abuse of cloud collaboration platforms for phishing. Because the source does not name a specific threat actor or group, the threat actor section reflects the general nature of the observed activity.
# Threat Actor: Unattributed Phishing Actors Utilizing Cloud Collaboration Services
## Attribution & Identity
The activity is attributed to various **unspecified threat actors** identified by Cofense Intelligence as exploiting the inherent trust placed in major cloud collaboration platforms. No specific group name or nation-state linkage is provided in the snippet.
## Activity Summary
Threat actors are conducting numerous **credential phishing campaigns** by leveraging trusted online document platforms to bypass Secure Email Gateways (SEGs). These campaigns rely on the reputation of the legitimate service domains to gain access to recipient inboxes.
* In 2024, these specific online document service phishing attacks accounted for **8.8% of all credential phishing campaigns**.
* **79%** of the observed cases specifically involved attempts at credential theft.
## Tactics, Techniques & Procedures
The core technique revolves around abusing platform functionality to appear legitimate:
* **Abuse of Trust:** Utilizing major platforms (Adobe, DocuSign, Dropbox, Canva, Zoho) whose sending domains are generally permitted by SEGs.
* **Automated Notifications:** Leveraging the legitimate document-sharing notification features of these platforms to lend credibility to the phishing email.
* **Persistence of Malicious Content:** Malicious documents hosted on platforms like Adobe and Dropbox can remain active for days before takedown requests are processed.
* **Investigation Impediments:** Exploiting features like DocuSign's link expiration mechanisms, which hinder post-attack digital forensics and investigation.
## Targeting
* **Sectors:** Businesses and individuals utilizing standard cloud collaboration tools for document sharing are the implicit targets.
* **Geography:** Not specified; assumed to be global given the widespread use of the exploited platforms.
* **Victims:** General user base of the targeted cloud collaboration platforms.
## Tools & Infrastructure
* **Malware Families Used:** Not explicitly named; the primary payload is credential harvesting via phishing links.
* **Infrastructure (C2, domains, IPs):** The "infrastructure" primarily consists of the legitimate, trusted domains of the cloud collaboration platforms themselves (e.g., `adobe[.]com`, `docusign[.]com`, `dropbox[.]com`, `canva[.]com`, `zoho[.]com`).
## Implications
This trend demonstrates an evolving reliance by threat actors on **supply chain trust**. Bypassing SEGs via legitimate, high-reputation domains significantly lowers the threshold for successful email delivery, increasing the risk of mass credential harvesting across organizations that frequently use these collaboration tools.
## Mitigations
* **Email Gateway Configuration:** Review and tighten rules that allow mail from heavily abused but legitimate third-party document-sharing domains; require explicit review when such messages contain external links.
* **User Education:** Increase user training focused specifically on scrutinizing notifications from DocuSign, Dropbox, and similar services, emphasizing verification of the underlying request, even if the notification appears legitimate.
* **Link Protection:** Implement advanced sandboxing or time-of-click URL protection to inspect links delivered via these cloud file-sharing notifications.
* **Post-Incident Review:** Ensure security teams are aware of features (like DocuSign link expiration) that may degrade forensic visibility and plan accordingly for rapid response timelines.
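The gateway rule described under Email Gateway Configuration, and the platform-trust abuse it counters (Tactics, Techniques & Procedures), as an added example that is not part of the Cofense report or any platform's code. It triages notification emails from the document-sharing domains the report names: a message from one of those senders is no longer allowed on sender reputation alone; if it carries links it is held for review, ranked higher when a link leaves the platform's own domain. The sample messages, the `.example` hostnames, and the two-label registered-domain heuristic are constructed assumptions for the example.

```python
"""Gateway-side triage of document-sharing notifications (added example).

Platform list comes from the report; the messages below are constructed.
"""
import re
from email import message_from_string
from email.message import Message
from urllib.parse import urlparse

# Document-sharing platforms the report names as abused for credential phishing.
DOCUMENT_PLATFORMS = {"adobe.com", "docusign.com", "dropbox.com", "canva.com", "zoho.com"}

URL_RE = re.compile(r"https?://[^\s<>\"')\]]+", re.IGNORECASE)


def registered_domain(host: str) -> str:
    """Collapse a hostname to its last two labels (assumption: adequate for these platforms)."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


def sender_domain(msg: Message) -> str:
    """Registered domain of the From: header address, or '' if none is present."""
    m = re.search(r"@([A-Za-z0-9.-]+)", msg.get("From", ""))
    return registered_domain(m.group(1)) if m else ""


def body_text(msg: Message) -> str:
    """Concatenate all text/* parts so links in multipart notifications are seen too."""
    parts = msg.walk() if msg.is_multipart() else [msg]
    chunks = []
    for part in parts:
        if part.get_content_type().startswith("text/"):
            payload = part.get_payload(decode=True)
            if payload:
                chunks.append(payload.decode(part.get_content_charset() or "utf-8", "replace"))
    return "\n".join(chunks)


def triage(raw: str) -> dict:
    """Return a verdict for one raw RFC 822 message.

    normal  - sender is not one of the abused platforms; ordinary processing applies
    allow   - platform notification without links
    review  - platform notification with links; risk 'medium' when every link stays on
              the platform (hosted document not inspectable here), 'high' when a link
              points off-platform
    """
    msg = message_from_string(raw)
    platform = sender_domain(msg)
    urls = [u.rstrip(".,;") for u in URL_RE.findall(body_text(msg))]
    if platform not in DOCUMENT_PLATFORMS:
        return {"verdict": "normal", "risk": "n/a", "platform": platform,
                "on_platform": [], "off_platform": urls, "reasons": []}

    on_platform = [u for u in urls
                   if registered_domain(urlparse(u).hostname or "") == platform]
    off_platform = [u for u in urls if u not in on_platform]
    reasons = []
    if on_platform:
        reasons.append("platform-hosted document: content is not inspected at the gateway")
    if off_platform:
        reasons.append("off-platform link inside a platform notification")

    risk = "high" if off_platform else ("medium" if on_platform else "low")
    verdict = "review" if urls else "allow"
    return {"verdict": verdict, "risk": risk, "platform": platform,
            "on_platform": on_platform, "off_platform": off_platform, "reasons": reasons}


def triage_all(raws) -> list:
    return [triage(r) for r in raws]


# Constructed sample messages (not real notifications).
SAMPLE_MESSAGES = [
    # 1. Notification whose only link stays on the platform.
    "From: Dropbox <no-reply@dropbox.com>\n"
    "To: a.user@corp.example\n"
    "Subject: Finance shared \"Q3 invoice.pdf\" with you\n"
    "\n"
    "Finance shared a file with you. View it at "
    "https://www.dropbox.com/s/EXAMPLE-ID/Q3-invoice.pdf.\n",
    # 2. Notification carrying a platform link and an off-platform link.
    "From: Adobe Acrobat <message@adobe.com>\n"
    "To: a.user@corp.example\n"
    "Subject: Document awaiting your review\n"
    "\n"
    "Open https://acrobat.adobe.com/link/review?uri=EXAMPLE or use the mirror "
    "https://secure-docview.example/login to view it.\n",
    # 3. Internal mail from a non-platform sender: rule does not apply.
    "From: IT Helpdesk <helpdesk@corp.example>\n"
    "To: a.user@corp.example\n"
    "Subject: Scheduled maintenance\n"
    "\n"
    "Details at https://intranet.corp.example/maintenance.\n",
]

if __name__ == "__main__":
    for result in triage_all(SAMPLE_MESSAGES):
        print(result["verdict"], result["risk"], result["platform"], result["reasons"])
```

The rule deliberately stops at "review" rather than "block": the report's point is that the hosted document is legitimate-looking platform content, so the gateway cannot judge it from the notification alone and a human or a time-of-click check has to.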