Darktrace researchers have outlined a particularly scary scenario of how threat actors are bypassing MFA and using artificial intelligence to launch sophisticated phishing attacks against users.
The case study “leveraged legitimate Dropbox infrastructure and successfully bypassed multifactor authentication (MFA) protocols…which highlights the growing exploitation of legitimate popular services to trick targets into downloading malware and revealing login credentials.” The threat actors rely on users trusting legitimate emails and logos to harvest credentials.
In the case study, a sender address on the legitimate Dropbox domain, “no-reply@dropbox[.]com”, was used to lure the user into believing the email was real.
According to an interview by Infosecurity Magazine, this is a legitimate email address used by the Dropbox file storage service.
The email contained a link that would lead the user to a PDF file hosted on Dropbox, which was seemingly named after a partner of the organization.
This PDF file contained a suspicious link to a domain that had never previously been seen on the customer’s environment, named “mmv-security[.]top.”
Although Darktrace detected the email, the user then received a second email urging them to open the first PDF. The user clicked the link, was directed to a fake Microsoft 365 login page, and probably accepted an MFA push. The article is very interesting and informative on the newest ways threat actors are obtaining credentials and using AI to attack users. Users need to be as suspicious of the abuse of legitimate platforms as they are of fake ones, and should always be cautious about accepting MFA requests.
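The detection point in this case was a domain that had never been seen in the environment before, reached from a Dropbox-hosted PDF. The following is an added example, not code from Darktrace or the article, that applies that idea to constructed proxy log lines: it flags first-seen domains and raises severity when the click came from a Dropbox-hosted file, the path looks like a login page, or the host matches the write-up's defanged indicator. The log format, the baseline of known domains, and the log contents are assumptions.

```python
import re
from urllib.parse import urlparse

# Constructed baseline of domains already seen in the environment (assumption).
KNOWN_DOMAINS = {"www.dropbox.com", "dropbox.com", "login.microsoftonline.com"}
# Indicator taken from the write-up, kept defanged as published and refanged on use.
WATCHLIST = {"mmv-security[.]top"}
LOGIN_HINT = re.compile(r"(login|signin|office|microsoft|365)", re.I)

def refang(indicator: str) -> str:
    """Turn a defanged indicator such as example[.]com back into a real hostname."""
    return indicator.replace("[.]", ".")

def parse_line(line: str) -> dict:
    """Constructed format: <timestamp> <user> <referrer or -> <requested URL>."""
    ts, user, referrer, url = line.split(maxsplit=3)
    return {"ts": ts, "user": user, "referrer": None if referrer == "-" else referrer, "url": url}

def first_seen_alerts(log_text: str, known: set) -> list:
    """Flag requests to domains never seen before; add reasons (and raise severity)
    when the click came from a Dropbox-hosted file, the path looks like a login
    page, or the host is on the watchlist."""
    seen = set(known)
    watch = {refang(d) for d in WATCHLIST}
    alerts = []
    for raw in log_text.splitlines():
        ev = parse_line(raw)
        parsed = urlparse(ev["url"])
        host = parsed.hostname
        if host in seen:
            continue
        seen.add(host)  # only the first visit to a new domain raises an alert
        ref_host = urlparse(ev["referrer"]).hostname if ev["referrer"] else ""
        reasons = ["first-seen domain"]
        if ref_host.endswith("dropbox.com"):
            reasons.append("reached from a Dropbox-hosted file")
        if LOGIN_HINT.search(parsed.path):
            reasons.append("login-like path on a non-Microsoft host")
        if host in watch:
            reasons.append("matches watchlist")
        severity = "high" if len(reasons) > 1 else "medium"
        alerts.append({"user": ev["user"], "domain": host, "severity": severity, "reasons": reasons})
    return alerts

# Constructed sample log: a Dropbox PDF, the click-through to the phishing page, and a benign login.
SAMPLE_LOG = """\
2024-01-01T10:00:01 alice - https://www.dropbox.com/s/abc123/Partner_Invoice.pdf
2024-01-01T10:00:09 alice https://www.dropbox.com/s/abc123/Partner_Invoice.pdf https://mmv-security.top/office365/login
2024-01-01T10:01:30 bob - https://login.microsoftonline.com/common/oauth2/authorize
"""

if __name__ == "__main__":
    for alert in first_seen_alerts(SAMPLE_LOG, KNOWN_DOMAINS):
        print(alert)
```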