File Hosting Services Used for Identity Phishing

Written By John Fitzpatrick

What is the preferred file hosting service for online criminals?

Last week Microsoft published a piece on some campaigns using legitimate file hosting services in order to facilitate attacks. They specifically mentioned the hosting services SharePoint, OneDrive, and Dropbox. The descriptions they gave related to Adversary in The Middle (AiTM) approaches being used to facilitate these attacks.

Seeing as we have a pretty extensive AiTM dataset, gathered using some “rather unique” methods, we thought we’d dive in and take a look to answer the obvious question we had reading the article… what is the preferred file hosting service for online criminal?

The Contenders

In Microsoft’s blog they mention only Dropbox, Google Drive and OneDrive. We’ve added Sharepoint to the mix because we see a fair amount targeting that too. We could have added others, but it can become a bit cumbersome to do so. Therefore, here are our four contenders:

Dropbox, Google Drive, OneDrive and Sharepoint logos shown side by side

Round 1 - Most Targeted File Hosting Service

In this round we’re searching for quite specific matches in the hostnames of the infrastructure, so exact matches on the text “dropbox”, “sharepoint”, “onedrive”, and for Google Drive we’re looking for both “google” and “drive” in the hostname. Things like “one-drive” or “dr0pb0x” are not included because we couldn’t think of a way to do this sensibly and fairly.

We’ve broken things down as a percentage of the total result, and there is a clear winner, OneDrive, which accounted for 61% of the results:

Dropbox at 9%, Google Drive at 6%, OneDrive at 61% and Sharepoint at 24%

The result is obviously unsurprising, compromise OneDrive/Sharepoint and you’ll likely gain access to a much broader Microsoft ecosystem. When it comes to Dropbox you’re less likely to hit that, and Google environments remain of less interest to adversaries for the simple reason that businesses share Microsoft documents, so sticking with this ecosystem is more likely to achieve results if you are being generic. So no real surprises here, but it’s nice to see the comparison.

Round 2 - Favourite Hosting Provider?

Obviously if I were to impersonate OneDrive I’d host it in Azure, you probably would too, right? Is that the case? I was curious to find out, so created round 2 in order to answer this question. This round is therefore focused on identifying which hosting providers were found to be hosting the OneDrive instances we saw in round 1.

Now this got off to an unsurprising start, we saw Cloudflare take the lead closely followed by Digital Ocean, no surprise there, and then they just stopped playing! It’s almost like they stepped aside and handed the field over to a whole bunch of lesser known hosting providers in order for them to have their moment of glory… There was one provider that absolutely stepped up the table leaving everyone else in their dust, and that was Cloudzy (formerly RouterHosting), who ended up with a score almost matching the combined score of the rest of the competition combined!


If I’m honest, this was a little unexpected. Previously we took a look at our data for the last six months and only two of the providers that made our top 5 back then even turned up for this round. They were Digital Ocean and Microsoft, and this time Microsoft only featured 2% of the time. Where as Cloudzy featured 43% of the time. Yeah, in the round where we had expected to see Microsoft/Azure at least put in a fight, they barely even bothered to participate.

This was interesting and unexpected. So we hit Google to find out more about Cloudzy, which led us to this piece by the team at Halcyon.

Halcyon identified one in particular that stood out: Cloudzy. It was observed that the ISP was providing services to APT groups tied to the Chinese, Iranian, North Korean, Russian, Indian, Pakistani, and Vietnamese governments; a sanctioned Israeli spyware vendor whose tools are known to target civilians; several criminal syndicates and ransomware affiliates
— https://www.halcyon.ai/blog/update-cloudzy-command-and-control-provider-report

Interesting…


In fact the Halcyon work suggested that 40-60% of all Cloudzy infrastructure is malicious in nature. That’s a massive proportion.

It seems that, in all likelihood, we are seeing data that tells us a particular threat actor, such as those described by Halcyon above, is sat behind a lot of these campaigns. So, what we can say is that the most prominent threat actor we see utilising file delivery via OneDrive as a means to perform AiTM attacks uses Cloudzy (and also likes Hostinger for their domain registration).

The surprise in this for me is the lack of Microsoft infrastructure being leveraged, but I guess in reality that does make sense, you probably don’t want to be attacking Microsoft customers from infrastructure that Microsoft have a home advantage in tracking you down and seizing your tooling.

Round3 - Who Got There First?

Because of the way we detect infrastructure we almost always identify it before it is used in malicious campaigns, which makes this question a bit trickier because when the infrastructure is stood up does not necessarily correlate with when it is used. Nevertheless, we thought we’d give it a stab and see what trends we could pull. There are no real winners or losers in this round, it’s more a few observations we thought we’d share relating specifically to the OneDrive AiTM related infrastructure that we track:

  • The vast majority of this has been picked up in 2024, granted our coverage increased substantially this year, but in 2023 and before there is comparatively little

  • The 12th and 13th August 2024 (Mon+Tue), as well as the 7th and 10th October 2024 (Mon+Thurs) were some of the busiest days for this activity (interestingly Microsoft posted their article on 8th Oct.)

  • Working hours is less concrete, we observed active activity at all times of the day

Round4 - Favourite TLD

Our final round is simply to identify which Top Level Domain (TLD) is most preferred for this activity.

This turned out to be a very easy win for .com. There were a mix of different TLDs used, .org put in a good fight, as did .us and we saw a bunch of Norwegian activity on a particular domain which gave the .no TLD representation. Nevertheless .com absolutely walked this one with nearly 6 times the count of any other competitor.

Wrap Up

It seems likely that the reason for Microsoft’s recent post on file hosting services being used for identity phishing is because a bunch of their customers have been hit by exactly this, but not exclusively via OneDrive. We’ve seen this type of phishing for years, but our dataset is not phishing, it’s AiTM data… this means that the document phishing of the past has well and truly embraced MFA bypasses and is more focused on sessions than credentials. Definitely one to keep an eye on as it evolves. After all, increasingly, many of our workflows involve collaboration with files and documents.

If you’d like to use or dataset for your own purposes then you can subscribe to it here:

John Fitzpatrick https://www.lab539.com
Previous

Self Hosted Conditional Access Service
Next

AiTM Feed - Conditional Access