Phishing Campaign Bypasses Email Gateways via WeTransfer Alerts

A phishing campaign using WeTransfer notifications as surrogates for the run-of-the-mill malicious URLs usually employed in these type of attacks was recently detected while successfully bypassing email gateways developed by Microsoft, Proofpoint, and Symantec.

WeTransfer is a cloud-based file hosting and transferring service, with support for hosting and sharing files of up to 2 GB for the free tier and up to 20 GB for the paid Plus service.

The phishing attacks observed by security researchers at the Cofense Phishing Defense Center targeted a wide range of high profile entities from industries such as media and banking.

Legitimate WeTransfer 'shared files' notifications were embedded within the phishing messages that landed in the targets inboxes, with the WeTransfer links helping the emails evade the gateway's malicious content detection algorithm. 

"The attackers utilise what appears to be compromised email accounts to send a genuine link to a WeTransfer hosted file," researchers discovered. 

Phishing email sample
Phishing email sample

WeTransfer used to host phishing redirectors

To make the WeTransfer notification look more convincing, the threat actors added custom notes to the phishing emails, often choosing to camouflage them as invoices ready to be reviewed.

This is a very popular phishing tactic designed to lower the targets' guard and taking advantage of the drop in vigilance as they open links they otherwise wouldn't even consider clicking.

After the victims click on the "Get your files" button at the bottom of the WeTransfer notification — which passes all the security checks with flying colors — they will get "redirected to the WeTransfer download page where a HTM or HTML file is hosted and thus downloaded by the unsuspecting victim."

WeTransfer hosting page
WeTransfer hosting page

Once the downloaded HTML file is opened, the phishing landing page will be opened in the victims' default web browser as part of the final stage of the attack designed to trick them into giving away their credentials for Office 365 and various other online services.

"As WeTransfer is a well-known and trusted file hosting system, used to share files too large to attach to an email, these links will typically bypass gateways as benign emails, unless settings are modified to restrict access to such file sharing sites," conclude the Cofense researchers.

Office 365 phishing landing page
Office 365 phishing landing page

High variety of baiting techniques

While monitoring the latest phishing attack trends, Cofense discovered several other active phishing campaigns employing a variety of techniques designed to steal their targets' sensitive information.

For instance, just a week ago, phishers were seen using a base HTML element to hide the malicious URL from antispam solutions, a tactic that helped them circumvent the Office 365 Advanced Threat Protection (ATP) security checks and deliver their messages to inboxes of American Express customers.

A malspam campaign delivering fake eFax messages that would drop a banking Trojan and RAT cocktail via malicious Microsoft Word document attachments was observed during early July.

Cofense researchers unearthed another phishing campaign which abused QR codes in June that would redirect targets to phishing landing pages, effectively dodging security solutions and controls intended to stop such attacks in their tracks.

Related Articles:

Beware of Fake Microsoft OneNote Audio Note Phishing Emails

Leapfrog Children’s Tablet Owners Should Remove Pet Chat Now

Clever Amazon Phishing Scam Creates Login Prompts in PDF Docs

Is Your Email One of 200 Million Targeted by Extortion Scams?

Beware of Emails Asking You to "Confirm Your Unsubscribe" Request