threatpost.com (35.173.160.135) public scan

URL: https://threatpost.com/adobe-cloud-steal-office-365-gmail-credentials/177625/
Submission: On January 14 via manual from US — Scanned from DE


ADOBE CLOUD ABUSED TO STEAL OFFICE 365, GMAIL CREDENTIALS

Author: Elizabeth Montalbano
January 13, 2022 9:00 am
2:30 minute read
Threat actors are creating accounts within the Adobe Cloud suite and sending
images and PDFs that appear legitimate to target Office 365 and Gmail users,
researchers from Avanan discovered.

Attackers are leveraging Adobe Creative Cloud to target Office 365 users with
malicious links that appear to come legitimately from Creative Cloud users but
instead direct victims to a page that steals their credentials, researchers have
discovered.

Researchers from Avanan, a Check Point company, first discovered the ongoing
campaign in December when they stopped one of the attacks, according to a report
published Thursday.

Adobe Creative Cloud is a popular suite of apps for creating and sharing files,
and includes widely used apps such as Photoshop and Acrobat.



Though attackers are primarily targeting Office 365 users – a favorite target
among threat actors – researchers have seen them hit Gmail inboxes as well,
Jeremy Fuchs, cybersecurity research analyst at Avanan, told Threatpost.

The attack vector works like this: An attacker creates a free account in Adobe
Cloud, then creates an image or a PDF file that has a link embedded within it,
which they share by email to an Office 365 or Gmail user.

“Think of it like when you create a Docusign,” Fuchs explained to Threatpost.
“You create the document and then send it to the intended recipient. On the
receiving end, they get an email notification, where they click to be directed
to the link.”

Though the links inside the documents sent to users are malicious, the links
themselves are not hosted within Adobe Cloud but, rather, on another domain
controlled by the attackers, he added.


HOW THE CAMPAIGN WORKS

Researchers shared screenshots of the attack they observed in the report. One
shows what looks like a legitimate PDF called Closing.pdf, sent from Adobe, with
a button that says “Open” to open the file.

When the user clicks on the link, he or she is redirected to an Adobe Document
Cloud page that includes an “Access Document” button that supposedly leads them
to the Adobe PDF. However, that link actually leads to “a classic”
credential-harvesting page, which is hosted outside the Adobe suite, according
to the report.

Attackers can use this model for sending various legitimate-looking Adobe Cloud
documents or images to unsuspecting users, Fuchs told Threatpost.


DESIGNED TO EVADE DETECTION

Though the second screenshot shared in the report includes text with grammatical
errors that should alert a user that it’s suspicious if they are paying
attention, generally the campaign has been created to evade detection from both
end users and email scanners, researchers said.

For one, the notification comes straight from Adobe, a company that users trust
and which is also on most scanner “Allow Lists,” researchers said. Additionally,
the spoofed email looks just like a traditional email that an end user would
receive from Adobe, they said.

“Though the several hops to get to the final page may cause some red flags from
discerning end-users, it won’t stop all who are eager to receive their
documents, especially when the title of the PDF – in this case ‘Closing’ – can
instill urgency,” researchers wrote in the report.

Researchers at this point don’t know who is behind the campaign, which for now
is sticking to its goal of harvesting credentials, though “that could change,”
Fuchs told Threatpost.


AVOIDING COMPROMISE

Researchers suggested a number of ways security professionals and end users can
avoid falling victim to the campaign. One is to inspect all Adobe cloud pages
for grammar and spelling, and to hover over links to ensure the intended page is
legitimate, they said in the report.

Security pros also should deploy email protection that doesn’t rely on static
Allow Lists but instead uses solutions that include dynamic, AI-driven analysis,
researchers advised. Allow Lists can let malicious emails slip through when
attackers send spoofed emails that appear to be from trusted entities.

Finally, Avanan advised that organizations install security solutions that can
open PDF files in a sandbox and inspect all links to detect potentially
malicious intent, according to the report.
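The last two recommendations, inspecting every link a received PDF carries and checking where each one actually points, can be turned into a small triage check. The following is an added example, not code from Avanan's report or from Threatpost: it pulls the /URI link-annotation targets out of a constructed, uncompressed sample PDF and classifies each target host against an assumed allow list of Adobe domains, so that a link whose host lies outside those domains is surfaced as external for sandbox inspection. The sample PDF bytes, the TRUSTED_HOSTS list and all function names are assumptions made for illustration.

```python
import re
from typing import List, Tuple
from urllib.parse import urlsplit

# Constructed, uncompressed sample PDF (assumption; not a file from the campaign):
# two /Link annotations, one pointing at an Adobe host and one at an external host.
SAMPLE_PDF = b"""%PDF-1.4
1 0 obj << /Type /Catalog /Pages 2 0 R >> endobj
2 0 obj << /Type /Pages /Kids [3 0 R] /Count 1 >> endobj
3 0 obj << /Type /Page /Parent 2 0 R /Annots [4 0 R 5 0 R] >> endobj
4 0 obj << /Type /Annot /Subtype /Link
  /A << /S /URI /URI (https://documentcloud.adobe.com/link/review?uri=sample) >> >> endobj
5 0 obj << /Type /Annot /Subtype /Link
  /A << /S /URI /URI (https://docs-portal.example.invalid/Closing.pdf) >> >> endobj
trailer << /Root 1 0 R >>
%%EOF
"""

# Hosts a genuine Adobe Document Cloud link is expected to point at (assumed list).
TRUSTED_HOSTS = ["adobe.com", "acrobat.com"]

# Matches "/URI (literal string)" and tolerates backslash-escaped characters inside.
URI_RE = re.compile(rb"/URI\s*\(((?:\\.|[^\\)])*)\)", re.DOTALL)


def _unescape_pdf_string(raw: bytes) -> str:
    """Undo the PDF literal-string escapes that matter for URLs."""
    text = raw.replace(b"\\(", b"(").replace(b"\\)", b")").replace(b"\\\\", b"\\")
    return text.decode("latin-1")


def extract_pdf_uris(data: bytes) -> List[str]:
    """Return every /URI action target found in the raw (uncompressed) PDF bytes."""
    return [_unescape_pdf_string(m.group(1)) for m in URI_RE.finditer(data)]


def host_is_trusted(host: str, trusted: List[str]) -> bool:
    """Exact or subdomain match only, so 'adobe.com.evil.invalid' does not pass."""
    host = host.lower().rstrip(".")
    return any(host == t or host.endswith("." + t) for t in trusted)


def classify_links(uris: List[str], trusted: List[str]) -> List[Tuple[str, str, str]]:
    """Label each URI as trusted-host, external, or review (non-http or malformed)."""
    results = []
    for uri in uris:
        parts = urlsplit(uri)
        host = parts.hostname or ""
        if parts.scheme not in ("http", "https") or not host:
            verdict = "review"
        elif host_is_trusted(host, trusted):
            verdict = "trusted-host"
        else:
            verdict = "external"
        results.append((uri, host, verdict))
    return results


def scan_pdf(data: bytes, trusted: List[str] = TRUSTED_HOSTS) -> List[Tuple[str, str, str]]:
    """Extract and classify every link target in a PDF."""
    return classify_links(extract_pdf_uris(data), trusted)


if __name__ == "__main__":
    for uri, host, verdict in scan_pdf(SAMPLE_PDF):
        print(f"{verdict:13s} {host:40s} {uri}")
```

Two caveats follow from the report itself. Real PDFs usually keep annotations inside compressed object streams, so a regex over raw bytes only works on uncompressed files; a production check needs a full PDF parser or, as Avanan advises, a sandbox that opens the file and follows its links. And because the campaign's first hop lands on a genuine Adobe Document Cloud page while the credential-harvesting page sits on another domain, a "trusted-host" verdict on the first link is not a pass: the page it leads to still has to be followed and its outbound links checked the same way.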
