URL: https://blog.talosintelligence.com/threat-actors-leveraging-document-publishing-sites/

CISCO TALOS BLOG

THREAT ACTORS LEVERAGE DOCUMENT PUBLISHING SITES FOR ONGOING CREDENTIAL AND
SESSION TOKEN THEFT

By Craig Jackson

Wednesday, March 13, 2024 08:00
Threats On The Radar
 * Cisco Talos Incident Response (Talos IR) has observed the ongoing use of
   legitimate digital document publishing (DDP) sites for phishing, credential
   theft and session token theft during recent incident response and threat
   intelligence engagements.
 * Hosting phishing lures on DDP sites increases the likelihood of a successful
   phishing attack, since these sites often have a favorable reputation, are
   unlikely to appear on web filter blocklists, and may instill a false sense of
   security in users who recognize them as familiar or legitimate.
 * DDP sites allow adversaries to quickly deploy and decommission malicious
   documents on a single platform. Talos IR also observed an adversary move
   between DDP sites within a short period.

Talos IR has responded to several recent incidents in which threat actors used
legitimate digital document publishing sites such as Publuu and Marq to host
phishing documents as part of ongoing credential and session harvesting attacks.
Threat actors have used a similar tactic of deploying phishing lures on
well-known cloud storage and contract management sites such as Google Drive,
OneDrive, SharePoint, DocuSign and Oneflow. However, DDP sites could represent a
blind spot for defenders, because they are unfamiliar to trained users and
unlikely to be flagged by email and web content filtering controls. Recent
malicious activity observed across these platforms underscores the need for
security teams to ensure that phishing protections and user awareness training
programs consider these and similar sites.


BACKGROUND AND OBSERVATIONS

“Digital Document Publishing sites” refers to websites that allow users to
upload and share PDF files in a browser-based flipbook format. Visitors can view
an entire PDF by flipping from page to page without downloading the document,
and some DDP sites offer features that allow other types of interaction with the
document. Examples of DDP sites include Publuu, Marq, FlipSnack, Issuu,
FlippingBook, RelayTo and SimpleBooklet.

The sites discussed in this blog are not malicious. Rather, they are being
abused by threat actors.


DELIVERY MECHANISM

Threat actors integrate DDP sites as a secondary or intermediate stage of the
attack chain, which follows tried-and-true phishing methods.

 * The victim receives an email containing a link to a document hosted on a
   legitimate DDP site. The email’s subject and/or body often includes the
   phrase “New Document from [sender organization],” and leaves the “To” header
   blank. Instead, the actors load the target list into the “BCC” field.
 * The DDP-hosted document includes a link to an external, adversary-controlled
   site.
 * When clicked, the link either moves the victim directly to the
   adversary-controlled site, or through a series of redirects. Talos IR also
   observed the inclusion of Cloudflare CAPTCHAs as part of some redirects, an
   adversary technique reported by Cofense, Netskope and other security teams
   over the past six months.
 * The victim arrives at the adversary-controlled site, which mimics a
   legitimate authentication page and is designed to capture user credentials or
   session tokens during authentication.

Attacks leveraging DDP sites for credential and session token theft often take
place through unauthorized access to another legitimate email inbox. In a sort
of “cascading” business email compromise (BEC) process, the threat actor creates
infrastructure and phishing lures to target a specific victim, then leverages
that victim’s established connections to conduct follow-on attacks against other
organizations. A portion of the infrastructure created for the original target
may be reused, while other portions are recreated to increase the likelihood of
success during the subsequent attacks. 


LURE CUSTOMIZATION

DDP sites offer custom capabilities that lend credence to a phishing attack. Not
only can the threat actor customize the uploaded phishing document, the web page
hosting that document can also be modified. Page customization options include
changing the background, banner, border or HTML Title tag. These quick
configurations create more convincing lures and are likely to garner a higher
click-through rate to the credential harvesting page. 

DDP-hosted lure customization observed during investigation ranged from pages
listing the organization name only in the HTML Title tag, to a highly customized
lure and landing page combination targeting users of a Canadian telecom
provider. In the latter case, the final credential harvesting page was a near
replica of the provider’s legitimate user login page, though it was hosted on an
unrelated webwave[.]dev subdomain. 


HISTORICAL TRENDS

Expanding the scope of the investigation to include historical data reveals a
possible trend where threat actors migrate between DDP sites or rapidly activate
and deactivate similar campaigns on the same site over time. For example, Talos
IR observed a cluster of activity on SimpleBooklet from late October to early
November 2020, and another on RelayTo in early September 2023. More recently, an
adversary was observed operating the same credential-harvesting attack, first on
Publuu, then later Issuu. 


ADVERSARY ADVANTAGES CREATE CHALLENGES FOR DEFENDERS

DDP sites create advantages for threat actors seeking to thwart contemporary
phishing protections. The same features and benefits that attract legitimate
users to these sites can be abused by threat actors to increase the efficacy of
a phishing attack. Given some of these advantages, threat actors may find DDP
sites as useful as creating spoofed domains or compromising legitimate sites for
phishing and credential theft.


DDP SITES OFFER LOW-COST, TRANSIENT FILE HOSTING

Many DDP sites offer either a free tier or a no-cost trial period where a
defined number of files can be published for a limited time. No-cost trial
periods usually require only limited personal identifiers and no payment
methods. Threat actors can quickly and easily create multiple free accounts,
with a varying number of malicious pages per account.

Some DDP sites also allow a link expiration to be set for published content.
This feature creates a “set it and forget it” capability for threat actors, who
are no longer required to closely track where phishing documents have been
deployed so they can be decommissioned. Instead, a link expiration date and time
is configured during page creation, ensuring the content will be rendered
unavailable automatically, usually after only a short time.

Talos IR observed instances where an adversary launched, then disabled a DDP
page in fewer than 24 hours, and others where the DDP page was left active but
the final landing page on the adversary-controlled domain was removed through
DNS fast fluxing or another mechanism.

This transient nature of DDP pages creates challenges for security teams and
complicates the incident response process. While it’s possible to detect, create
internal alerts for, and/or notify security personnel about a DDP-hosted lure,
the brief availability of the pages creates a compressed response time for
defenders. Understanding the theme of the lure, the associated
adversary-controlled domains, and the intent of the attack in such a short time
may be difficult, even for experienced security teams.


DDP SITES USUALLY HAVE A FAVORABLE WEB REPUTATION

The ratio of compromised to legitimate pages hosted on DDP sites is likely quite
low. While that ratio seemed to vary by DDP provider, Talos IR found that most
pages created recently across all DDP sites hosted legitimate content. Unless
this trend continues to shift toward hosting greater volumes of malicious
content, these sites will maintain a favorable reputation score and are less
likely to be included in automated blocklists. 

A favorable web reputation score may also mislead users who investigate the DDP
site using popular open-source intelligence tools or a basic internet search,
leading to higher click and credential capture rates than sites with an unknown
or poor reputation.

Site        Domain Registration   Umbrella Unique Visitors Score*   Umbrella Reputation Score**
Publuu      2019-02-28 (IS)       63                                53 (Medium Risk)
Marq        2004-06-19 (IS)       76                                9 (Low Risk)
FlipSnack   2010-06-03 (US)       96                                11 (Low Risk)
Issuu       2007-04-19 (GB)       100                               9 (Low Risk)
RelayTo     2013-12-02 (US)       53                                58 (Medium Risk)

* Umbrella’s Unique Visitors Score is included to illustrate estimated traffic
volume per site as of Feb. 2, 2024.

** Reputation Score as of Feb. 2, 2024.


DDP PRODUCTIVITY FEATURES MAY INHIBIT MALICIOUS LINK DETECTION

Talos IR found that productivity features on at least one DDP site inhibited
traditional methods of extracting the true URL from a phishing link. During the
investigation of a malicious document hosted on Publuu, a custom sub-menu was
displayed when the user right-clicked on the URL. While this sub-menu included
options that would benefit legitimate users, it did not provide a clear option
to copy the URL behind the “View Online PDF” hyperlink. Further, no tooltip
popups appeared to show the URL when hovering over the link. 


CASE STUDIES

Two recent Talos IR engagements involved the use of a DDP site as part of
potential credential and session token-harvesting attacks.


PUBLUU

Several individuals at the targeted organization received phishing emails from a
compromised email address belonging to a trusted third-party vendor with the
subject, “New Document from [third-party vendor]”.

The link included in the body of the email led to a Publuu flipbook, with a URL
like https://publuu[.]com/flip-book/[6_digit_identifier]/[6_digit_identifier].
The phishing document was a generic, widely used file observed in similar
attacks on other DDP sites. However, while the phishing document was reused, the
adversary had modified the Publuu page with the sender organization’s name to
lend authenticity to the document.

Clicking the “VIEW ONLINE PDF” link directed the user to a Cloudflare CAPTCHA, a
technique described in the publications by Cofense and Netskope linked above.
Use of the CAPTCHA likely has a dual purpose, as it both protects the credential
harvesting page from automated access while giving the impression of a
legitimate site to users who fall victim to the phishing link.

After completing the CAPTCHA, the victim is directed to a convincing replica of
a Microsoft 365 authentication page. The URL for the page contains a lengthy
alphanumeric string, which may act as an identifier for the visitor. The
adversary-controlled domain associated with the authentication page was
atlas-aerspace[.]online. The customization of the original Publuu page to the
target organization, in contrast to this unrelated spoofed domain, suggests
this incident may have been part of a cascading BEC attack.

Talos IR later identified an attack chain hosted on the Issuu DDP site with
similar indicators. The phishing document was nearly identical, though, unlike
the Publuu link, this link URL leveraged the Google AMP to Cloudflare CAPTCHA
flow described in the Cofense blog. The credential harvest page was ultimately
located at the domain aerospace-atlas[.]online and included the same
identifier-style URL string as the one observed with the
atlas-aerspace[.]online domain.

In aggregate, the following similar domains – all hosted by Cloudflare – were
registered within 90 days. The first two domains were found to be associated
with phishing lures hosted on DDP sites, suggesting an effort to target users of
the legitimate atlas-aerospace[.]com domain.

 * aerospace-atlas[.]online (registered Jan. 24, 2024)
 * atlas-aerspace[.]online (registered Dec. 19, 2023)
 * atlas-aerspace[.]com (registered Oct. 25, 2023)

Talos provided notification through established channels so affected
organizations could review and address this activity.


MARQ

Talos IR also responded to an incident involving the Marq DDP site. The Marq
page hosting the phishing document had already been deactivated, but Talos IR
used other forensic data to determine the URL of the associated credential
harvesting page. The first part of that URL was
https[:]//mvnwsenterprise[.]top:443/aadcdn.msauth.net/.

While the Marq page could not be accessed, Talos IR identified similar pages
through open- and closed-source intelligence. These pages were customized to
show the sender organization in the HTML Title tag (displayed in the browser
tab) but otherwise used an identical “Microsoft365 Online Fax” lure. Unlike some
activity clusters on other DDP sites, each page was configured with a unique URL
using the .top top-level domain, such as onedrivesmncs[.]top,
onedrivemwsamc[.]top, and 347nsm239mws934[.]top. Another common characteristic
was the presence of the URL query string tkmilric in all URLs embedded in the
phishing document. 

Once clicked, the link passed the user to the spoofed Microsoft authentication
page, which resided at the redirect.cgi path of the unique `.top` domain. The
URL query string for this page included a “ref” parameter, which contained a
Base64 and URL encoded value. An example of the decoded value is:

https://login.microsoftonline.com/common/oauth2/authorize?client_id=00000002-0000-0ff1-ce00-000000000000&redirect_uri=https://outlook.office.com/owa/&resource=00000002-0000-0ff1-ce00-000000000000&response_mode=form_post&response_type=code id_token&scope=openid&msafed=1&msaredir=1&client-request-id=[REDACTED]&protectedtoken=true&claims={"id_token":{"xms_cc":{"values":["CP1"]}}}&nonce=[REDACTED]&state=[REDACTED]

The value 00000002-0000-0ff1-ce00-000000000000 found in the client_id and
resource parameters is the Microsoft Application ID for Office 365 Exchange
Online. The claims string {"id_token":{"xms_cc":{"values":["CP1"]}}} is a
required component for a client application to communicate its capabilities to
Microsoft Entra ID in an OAuth 2.0 authorization flow. These characteristics
likely indicate a campaign to capture session tokens for Microsoft 365
components using the same lure and customized or DGA-generated domains.
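As an added illustration (example code, not part of the post or a Talos tool), the following Python takes a landing URL of the shape described above, recovers the authorize request carried in the ref parameter, and checks it for the traits the post calls out. The host is a placeholder, the sample ref is built here from the decoded value shown above, and the encoding order (Base64 first, then percent-encoding) is assumed from the post's description.

```python
import base64
import json
from urllib.parse import parse_qs, quote, unquote, urlsplit

# Microsoft Application ID for Office 365 Exchange Online, as quoted in the post.
EXCHANGE_ONLINE_APP_ID = "00000002-0000-0ff1-ce00-000000000000"

# The decoded "ref" value shown in the post; redacted tokens are kept verbatim.
OBSERVED_REF_VALUE = (
    "https://login.microsoftonline.com/common/oauth2/authorize"
    "?client_id=00000002-0000-0ff1-ce00-000000000000"
    "&redirect_uri=https://outlook.office.com/owa/"
    "&resource=00000002-0000-0ff1-ce00-000000000000"
    "&response_mode=form_post&response_type=code id_token&scope=openid"
    "&msafed=1&msaredir=1&client-request-id=[REDACTED]&protectedtoken=true"
    '&claims={"id_token":{"xms_cc":{"values":["CP1"]}}}'
    "&nonce=[REDACTED]&state=[REDACTED]"
)

def build_sample_landing_url(inner_url, host="placeholder-example.top"):
    """Construct a landing URL in the observed shape: the authorize URL is
    Base64-encoded, then URL-encoded, and carried in ref. Placeholder host."""
    b64 = base64.b64encode(inner_url.encode()).decode()
    return f"https://{host}/redirect.cgi?ref={quote(b64, safe='')}"

def decode_ref(landing_url):
    """Recover the authorize URL hidden in ref. The outer query is split by
    hand so a '+' in unescaped Base64 is not read as a space; padding is fixed."""
    pairs = (p.split("=", 1) for p in urlsplit(landing_url).query.split("&"))
    ref = dict(p for p in pairs if len(p) == 2).get("ref")
    if ref is None:
        raise ValueError("landing URL carries no ref parameter")
    b64 = unquote(ref)
    inner_url = base64.b64decode(b64 + "=" * (-len(b64) % 4)).decode()
    parts = urlsplit(inner_url)
    params = parse_qs(parts.query, keep_blank_values=True)
    first = lambda key: params.get(key, [""])[0]
    try:
        claims = json.loads(first("claims")) if first("claims") else None
    except json.JSONDecodeError:
        claims = None
    return {
        "authority": parts.netloc,
        "client_id": first("client_id"),
        "resource": first("resource"),
        "response_type": first("response_type"),
        "claims": claims,
    }

def assess(decoded):
    """List the characteristics the post ties to a session-token campaign."""
    findings = []
    if decoded["client_id"] == EXCHANGE_ONLINE_APP_ID:
        findings.append("client_id is the Exchange Online application ID")
    if decoded["resource"] == EXCHANGE_ONLINE_APP_ID:
        findings.append("resource is the Exchange Online application ID")
    if "id_token" in decoded["response_type"].split():
        findings.append("response_type requests an id_token")
    caps = ((decoded["claims"] or {}).get("id_token", {})
            .get("xms_cc", {}).get("values", []))
    if "CP1" in caps:
        findings.append("claims advertise the CP1 client capability")
    return findings
```

Run against a captured landing URL, the findings list gives an analyst the four traits at a glance instead of a manual Base64 round trip.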


OTHER DDP SITES

Following these investigations, Talos IR identified similar activity on other
DDP sites. The following examples are provided to demonstrate similarities
across DDP sites and are not related to any ongoing or prior Talos IR
investigations.

FLIPSNACK

Talos IR identified at least two lure formats used recently on FlipSnack – one
eFax PDF-themed lure, and one SharePoint PDF-themed lure. Both landing pages had
been removed by the adversary at the time of Talos IR’s review, but the URL for
the adversary-controlled page associated with the SharePoint lure
(afurrytailwedding[.]com/cure/MSthOffice/index.php) could indicate a
potential Microsoft 365 credential harvesting effort. Neither lure had been
customized to target a specific victim. 

ISSUU

Malicious documents found on Issuu were very similar to those observed on
Publuu, except for minor details like a “Reference” number and the link URL. Of
the two links tested by Talos IR, one was redirected through an intermediary
site before reaching the landing page. The other leveraged the Google AMP and
Cloudflare CAPTCHA flow reported by Cofense. Again, the landing pages for both
examples had been removed by the adversary at the time of Talos IR’s review.

RELAYTO

Talos IR located at least two different phishing lures that had been deployed to
the RelayTo site in early September 2023. One of these lures was published
repeatedly from multiple RelayTo accounts with modifications to only the name of
the associated organization. The link in each lure –
https[:]//secure-docsx[.]com/efgh5678 – was the same. The secure-docsx[.]com
domain had been registered a week before this activity began and was followed
by the creation of the secure-docu[.]com domain, with which it shared
registrant details.

SIMPLEBOOKLET

Talos IR could not locate a malicious page on the SimpleBooklet site that had
not already been deactivated. However, a review of related URLs in VirusTotal
suggests that an adversary made prolific use of this site for phishing and
possible credential theft from October 2020 through January 2021.


DEFENDER ACTIONS

Defenders should consider the following actions to help defend against phishing
attacks that leverage DDP sites.

 * Block common DDP sites via border security devices, endpoint detection and
   response (EDR) like Cisco Secure Endpoint, web content filtering, and/or DNS
   security controls if access to these sites is not required for normal
   business operations. If blocking these sites will disrupt normal operations,
   develop a procedure to ensure malicious domains identified in DDP-hosted
   phishing lures can be quickly blocked.
 * Configure email security controls to detect and alert on links in emails
   containing common DDP site URLs.
 * Leverage threat intelligence to quickly identify newly created sites related
   to known threats – in this case, new DDP sites that may be leveraged by
   threat actors.
 * Monitor for behavioral trends within the organization’s internal environment
   that could indicate coordinated malicious activity, including activity to
   blocked sites.
 * Update user security awareness training to include information about DDP
   sites and other cloud-hosted phishing attack methods. Reinforce a “see
   something, say something” mentality when users are uncertain about a site’s
   legitimacy.
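An added example of the second action above (alerting on emails that link to DDP sites), combined with the delivery traits described under Delivery Mechanism: a DDP-hosted link, the “New Document from” subject, and a blank To header. This is example code, not part of the post or a Talos product. Only publuu.com appears in the post; the other registered domains are assumed from the product names, and both sample messages are constructed.

```python
import re
from email import message_from_string
from urllib.parse import urlsplit

# DDP sites named in the post. Only publuu.com is confirmed by the post; the
# other registered domains are assumed from the product names. Tune as needed.
DDP_DOMAINS = {"publuu.com", "marq.com", "flipsnack.com", "issuu.com",
               "flippingbook.com", "relayto.com", "simplebooklet.com"}
URL_RE = re.compile(r"https?://[^\s\"'<>)]+", re.IGNORECASE)
# Subject/body phrase the post reports in these lures.
LURE_PHRASE_RE = re.compile(r"\bnew document from\b", re.IGNORECASE)

def is_ddp_url(url):
    """True when the host is a DDP domain or one of its subdomains; a look-alike
    such as publuu.com.evil.example must not match."""
    host = (urlsplit(url).hostname or "").lower()
    return any(host == d or host.endswith("." + d) for d in DDP_DOMAINS)

def extract_urls(msg):
    """Collect http(s) links from every text part of a parsed message."""
    urls = []
    for part in msg.walk():
        payload = part.get_payload(decode=True)
        if part.get_content_maintype() != "text" or payload is None:
            continue
        text = payload.decode(part.get_content_charset() or "utf-8", "replace")
        urls.extend(URL_RE.findall(text))
    return urls

def score_message(raw):
    """Combine the traits the post describes: a DDP-hosted link, the 'New
    Document from' phrase and a blank To header. Two or more raise an alert."""
    msg = message_from_string(raw)
    ddp_links = [u for u in extract_urls(msg) if is_ddp_url(u)]
    signals = []
    if ddp_links:
        signals.append("link to digital document publishing site")
    if LURE_PHRASE_RE.search(msg.get("Subject", "")):
        signals.append("subject carries the 'New Document from' lure phrase")
    to_header = (msg.get("To") or "").strip().lower()
    if not to_header or "undisclosed" in to_header:
        signals.append("To header blank; recipients likely in BCC")
    return {"ddp_links": ddp_links, "signals": signals, "alert": len(signals) >= 2}

# Constructed sample messages (not from the post): a lure and a benign share.
SAMPLE_LURE = """\
From: accounts@vendor.example
To:
Subject: New Document from Vendor Example

A new document has been shared with you:
https://publuu.com/flip-book/000000/000000
"""

SAMPLE_BENIGN = """\
From: marketing@corp.example
To: staff@corp.example
Subject: Q1 newsletter is live

https://issuu.com/corp-example/docs/q1-newsletter
"""
```

The benign message still surfaces its DDP link in ddp_links for logging, but only the combination of traits produces an alert, which keeps legitimate flipbook shares from flooding the queue.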

End users can also support defenders by remaining vigilant for documents shared
over unusual or uncommon sites, even if those sites are legitimate and have a
favorable reputation, and by following their organization’s guidelines for
reporting suspicious emails.
