Threat Actors Abuse Evernote, Other Shared Platforms for Credential Phishing
Insights and analysis by Marshall Chen and Yorkbing Yap
Figure 1. A sample phishing email abusing Evernote
The phishing emails contain a link that leads to a page on Evernote. On that page, users are prompted to click the link to download or preview a document that has apparently been shared using “Secured Microsoft Azure for OneDrive Cloud.”
Figure 2. The prompt to download or preview the document
After clicking the “Download or Preview Here” link, users are led to a phishing page that masquerades as a Microsoft account login page.
Figure 3. The fake Microsoft login page
After entering their account credentials, users will be informed that an incorrect account or password was entered, prompting them to reenter their credentials.
Figure 4. The prompt to reenter credentials
According to their headers, the emails pass Sender Policy Framework (SPF) and Domain-based Message Authentication, Reporting and Conformance (DMARC) verification. The sender's account was possibly compromised and then used to send the phishing emails.
Figure 5. Email header analysis indicating SPF and DMARC verifications
Researchers identified the sender’s IP address and found that the host has an open Remote Desktop Protocol (RDP) port. The host runs Windows at a hosting provider and is linked to other senders of the phishing emails. The email subjects also follow a pattern, as seen in these sample subjects:
Researchers also found phishing campaigns exploiting the image editing site Canva, the infographic and chart maker Infogram, and the brand template platform Lucidpress. The emails in these campaigns involve the team collaboration software Microsoft SharePoint.
Figure 6. A phishing campaign related to Canva
Figure 7. A phishing campaign related to Infogram
Figure 8. A phishing campaign related to Lucidpress
Third-party sources earlier reported similar attacks that abused Microsoft SharePoint and Microsoft Sway.
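The header analysis above shows why a passing SPF and DMARC result cannot clear these messages on its own. The following triage check is an added example, not code from the original article: it reads the Authentication-Results header and flags links to the sharing services named above regardless of the authentication verdict. The hostname list and the sample message are assumptions constructed for illustration.

```python
import re
from email import message_from_string
from urllib.parse import urlsplit

# Assumption: hostnames of the sharing services the article names.
SHARING_HOSTS = ("evernote.com", "canva.com", "infogram.com",
                 "lucidpress.com", "sharepoint.com", "sway.office.com")
URL_RE = re.compile(r"https?://[^\s\"'<>\[\]]+", re.I)
AUTH_RE = re.compile(r"\b(spf|dmarc)\s*=\s*(\w+)", re.I)

# Constructed sample message (not taken from the campaign).
SAMPLE = """\
Authentication-Results: mx.example.net; spf=pass smtp.mailfrom=example.org;
 dmarc=pass header.from=example.org
Subject: constructed sample
Content-Type: text/plain; charset=utf-8

A document was shared with you:
https://www.evernote.com/shard/EXAMPLE/constructed-note
"""

def auth_results(msg):
    """Collect the first SPF and DMARC verdicts from Authentication-Results."""
    results = {}
    for header in msg.get_all("Authentication-Results", []):
        for method, verdict in AUTH_RE.findall(header):
            results.setdefault(method.lower(), verdict.lower())
    return results

def sharing_links(msg):
    """Return URLs in text parts that point at a listed sharing service."""
    hits = []
    for part in msg.walk():
        if part.get_content_maintype() != "text":
            continue
        body = part.get_payload(decode=True).decode("utf-8", "replace")
        for url in URL_RE.findall(body):
            host = (urlsplit(url).hostname or "").lower()
            if any(host == h or host.endswith("." + h) for h in SHARING_HOSTS):
                hits.append(url)
    return hits

def triage(raw):
    """Flag shared-platform links even when SPF and DMARC both pass."""
    msg = message_from_string(raw)
    auth, links = auth_results(msg), sharing_links(msg)
    passed = auth.get("spf") == "pass" and auth.get("dmarc") == "pass"
    reason = "authenticated-sender" if passed else "unauthenticated-sender"
    return {"flag": bool(links), "reason": reason, "links": links}
```

A flagged message with the reason `authenticated-sender` matches the pattern described here: mail from a legitimate but possibly compromised account that points to a shared page.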
More and more threat actors are abusing legitimate sharing services to conduct credential-phishing campaigns. Enterprises should arm themselves with the best practices in mitigating such attacks. Below are some of the ways employees can avoid being victimized by phishing attacks:
Security solutions for email and collaboration can also boost protection against phishing.