A recent phishing attack posing as a PDF decoy from a Denver law firm was stealing clients’ Office 365 credentials. The phishing bait was hosted in Azure blob storage and contained a Microsoft-issued domain and SSL certificate, making it particularly believable.

Because the phishing bait was hosted in Azure blob storage, it was served from a Microsoft-owned domain with a Microsoft-issued SSL certificate, which made the attack especially convincing and difficult to detect.

Because the PDF decoys appeared credible, users felt comfortable entering their Office 365 credentials to download the document, the release added.

Azure Blob storage is a Microsoft storage service for unstructured data such as images, video, or text. One of its conveniences is that it is accessible over both HTTP and HTTPS, and when connecting via HTTPS it presents a valid SSL certificate issued to Microsoft, regardless of who uploaded the content.

The attack targeted clients of a law practice, who received an email from the firm with a PDF decoy titled “Scanned Document…Please Review.pdf.” Victims would attempt to download the PDF and then be prompted to enter their Office 365 credentials. After entering their credentials, they would be redirected to another phishing page claiming that the email address or password entered was invalid.

After several redirects, the target is eventually taken to a genuine Microsoft page, but no document is ever downloaded. Seeing no document, victims may feel compelled to re-enter their credentials, or to try the credentials of a different account, compromising themselves further.

The attack was believable enough to fool most people, and it was especially deceptive because it was designed to defeat users who know to check that a website’s domain and SSL certificate match its content.

Sufficiently savvy users can still recognize the site as malicious from its subdomain, which shows that it is Azure blob storage rather than an official Microsoft address, the release added.

This tactic is evidence that phishing attacks are becoming more sophisticated. To stay protected, companies should teach their employees how to recognize Azure, AWS, and GCP object store URLs, so they can tell when a site that looks official might actually be malicious, the release said.
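The same recognition the release recommends for employees can be automated at a mail gateway or in a security-awareness tool: parse every link in a message, and flag those whose hostname belongs to a public object store, since a valid Microsoft certificate on such a host says nothing about who uploaded the page (the point made about Azure Blob storage above). The following Python is an added example, not code from the article or from the release it quotes. The hostname patterns are this example's own assumption about the common host forms for Azure Blob Storage, Amazon S3 and Google Cloud Storage; the providers document further regional variants that are not covered here, and the sample email is constructed.

```python
import re
from urllib.parse import urlparse

# Hostname patterns for the three object stores named in the article.
# Assumption for this example: these cover the common host forms
# (account.blob.core.windows.net, bucket.s3.amazonaws.com,
# s3.<region>.amazonaws.com, storage.googleapis.com,
# bucket.storage.googleapis.com). Providers document more variants.
OBJECT_STORE_PATTERNS = [
    ("Azure Blob Storage",
     re.compile(r"^[a-z0-9]+\.blob\.core\.windows\.net$")),
    ("Amazon S3",
     re.compile(r"^(?:[a-z0-9.-]+\.)?s3(?:[.-][a-z0-9-]+)?\.amazonaws\.com$")),
    ("Google Cloud Storage",
     re.compile(r"^(?:[a-z0-9.-]+\.)?storage\.googleapis\.com$")),
]

# Rough URL extractor for plain-text or HTML mail bodies.
URL_RE = re.compile(r"https?://[^\s<>\"']+", re.IGNORECASE)


def classify_host(url):
    """Return the provider name if the URL's host is a public object-store
    endpoint, otherwise None.

    Matching is done on the parsed hostname and anchored at both ends, so the
    whole host must end in the provider's own domain; merely containing the
    provider's name somewhere in the host is not enough.
    """
    host = urlparse(url.strip()).hostname
    if not host:
        return None
    host = host.lower().rstrip(".")
    for provider, pattern in OBJECT_STORE_PATTERNS:
        if pattern.match(host):
            return provider
    return None


def flag_object_store_links(text):
    """Extract every URL in a message body and return [(url, provider)] for
    those served from an object store.

    A hit is not proof of phishing: legitimate file sharing uses the same
    hosts. It marks links that deserve a closer look, particularly when the
    page behind them asks for credentials.
    """
    hits = []
    for raw in URL_RE.findall(text):
        url = raw.rstrip(".,;:)]}>")  # trailing punctuation from prose
        provider = classify_host(url)
        if provider:
            hits.append((url, provider))
    return hits


# Constructed sample message, modelled on the lure described in the article.
SAMPLE_MAIL = """\
From: Reception <reception@law-firm.example>
Subject: Scanned Document...Please Review.pdf

Please review the attached scan:
https://docs7421.blob.core.windows.net/share/scanned-document.html

Our office hours are listed at https://www.law-firm.example/contact.
"""

if __name__ == "__main__":
    for url, provider in flag_object_store_links(SAMPLE_MAIL):
        print(f"REVIEW: {url} is hosted on {provider}")
```

Run on the sample message, the check flags only the blob-storage link and leaves the firm's own website alone. In practice the result would feed a warning banner or a review queue rather than an outright block, because the same hosts carry plenty of legitimate shared files; the useful signal is the combination of an object-store host with a page that prompts for a login.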