Akankasha Dewan 15 October 2020 16:32:40 AEDT 5 MIN READ

Phishing email sent from compromised Outlook account spoofs Dropbox and Adobe


MailGuard has intercepted a phishing email scam spoofing two popular business applications - Dropbox, a file sharing and collaboration platform, and Adobe, a multi-media computer software company. 

The malicious email looks like a legitimate notification from Dropbox, complete with the company’s logo and colour palette. It is actually sent from a compromised Outlook account. Titled “Request – Quote details”, it informs the recipient of the arrival of a new .PDF file that expires in six days. A link is provided to view the file.

Here’s what the email looks like:

Adobe_1510_OG

Clicking on the link to open the file takes users to a login page containing a header titled “Adobe PDF Online”. The page contains Adobe’s logo. However, it doesn’t have the professional polish of an actual Adobe login page, and the domain used in the page’s URL doesn’t belong to Adobe. The page directs users to log into their email to ensure they “are the rightful recipient for the protected file”. Here is what the page looks like:

 

Adobe_1510_2


This is actually a phishing page hosted on a compromised website. Once users log in and submit their credentials, the attacker harvests them for later use, and the user is met with an error saying “InValid Credentials”.

We strongly advise all recipients to delete these emails immediately without clicking on any links. Please share this alert with your social media network to help us spread the word around this email scam.

As you can see from the screenshots above, cybercriminals have employed multiple elements to trick recipients. Here are some of them:

  • The use of popular brand names like Dropbox & Adobe to inspire false trust; this boosts the email's credibility,
  • Inclusion of high-quality branding elements like Dropbox’s logo & colour palette to make the emails appear authentic, and
  • With false urgency; telling the recipient that a new document has arrived creates a sense of curiosity. The inclusion of the 6-day expiry limit further motivates the recipient to click on the provided link right away, distracting them from checking the sending address of the email and looking out for any other errors.

Despite these techniques, recipients of this email would be able to spot several red flags that point to the email’s in-authenticity. These include the fact that the email doesn’t address the recipient directly, and that the domains used in the phishing page doesn’t belong to Adobe. 

While common, scams that are initiated from compromised accounts like the one above are particularly dangerous, for a number of reasons:

  • The emails are sent from a legitimate account, so they are not likely to be blocked by email security services,
  • The recipients are more receptive to the emails, especially where the sender is known to them, and
  • Because they may deliver a malicious payload, or simply a .PDF file like in the above example, and may direct users to external phishing pages to harvest credentials.


In such cases, users are reminded of the importance of not accepting/clicking on documents from unknown senders, despite the organisation they purport to be from. All attachments/links should only be accessed when users are certain about the credibility of their owners.

Scams like these have a high likelihood of successfully tricking users, especially in the current climate. With workforces becoming more remote in light of COVID-19, it is common for employees to use cloud file-sharing platforms like Dropbox when sharing confidential business documents with one another. Therefore, notifications like the above aren't likely to raise any alarm bells when they appear in an inbox, motivating users to click on the provided links without a second thought.

The Australian Cyber Security Centre also identified Dropbox as a vector for a cyber-attack that is targeting Australian public and private sector organisations. Prime Minister Scott Morrison revealed in a briefing earlier this year that the cyber-intrusion was conducted by "a sophisticated state-based cyber actor".

We encourage all users to exercise caution when opening messages from Dropbox, and to be extra vigilant against this kind of cyber-attack. If you are not expecting a file from the sender, do not open the email, download files or click through on the links. Check with the sender first, even if they are known to you.

If you’re unsure whether the email you have received is a legitimate notification from Dropbox, forward it to abuse@dropbox.com. The company shares more information about staying protected from fraudulent emails on its support page.

Adobe also offers a comprehensive online resource to help identify fraudulent communication purporting to be from them. You can also report phishing sites by contacting Adobe directly.

As a precaution, MailGuard urges you not to click links within emails that:

  • Are not addressed to you by name.
  • Appear to be from a legitimate company but use poor English, or omit personal details that a legitimate sender would include.
  • Are from businesses that you were not expecting to hear from.
  • Take you to a landing page or website that is not the legitimate URL of the company the email is purporting to be sent from. 

One email is all that it takes

All that it takes to break into your business is a cleverly-worded email message. If scammers can trick one person in your company into clicking on a malicious link they can gain access to your data.

For a few dollars per staff member per month, you can protect your business with MailGuard's predictive and advanced email security.

Talk to a solution consultant at MailGuard today about securing your company's network.

Why not stay up-to-date with MailGuard's latest blog posts by subscribing to free updates? Subscribe to weekly updates by clicking on the button below.

Keep Informed with Weekly Updates