Top document publishing services are being spoofed to send out malware

Hackers are always looking for new ways to bypass email security

When you purchase through links on our site, we may earn an affiliate commission.Here’s how it works.

Hackers have found yet another cloud-based service they can use to bypass email protection and land phishing emails straight into people’s inboxes.

Security researchers from Cisco Talos havereportedobserving malicious files built on digital document publishing (DDP) platforms, such as Publuu, Marq, FlipSnack, Issuu, FlippingBook, RelayTo and SimpleBooklet. These platforms allow users to create interactive flipbooks out of PDF files.

The hackers would create countless free trial accounts, and use them to generate flipbooks containing links to malicious landing pages. They then use the platforms to distribute the documents to their victims.

Malicious files with an expiration date

Since the emails would come from a legitimate, trusted source, most of them would make it past email security gateways and into people’s inboxes. Victims could also be inclined to open the documents, given the perceived trustworthiness of the sender.

“Hosting phishing lures on DDP sites increases the likelihood of a successful phishing attack, since these sites often have a favorable reputation, are unlikely to appear on web filter blocklists, and may instill a false sense of security in users who recognize them as familiar or legitimate,” Cisco Talos researcher Craig Jackson said.

Another advantage of DDP sites lies in the fact that the files hosted there have an expiry date, and get deleted after some time. That makes analysis difficult, since by the time security researchers are notified, the files are already long gone.

The goal of the campaign, the researchers further explained, is to harvestMicrosoft365 credentials, as the links in the flipbook files usually lead to fake Microsoft 365 login pages.

Are you a pro? Subscribe to our newsletter

Sign up to the TechRadar Pro newsletter to get all the top news, opinion, features and guidance your business needs to succeed!

Hackers abusing software-as-a-service (SaaS) to deliver phishing emails is nothing new. EvenGoogle’s own productivity suite, Workspace, was abused, as Docs files, for example, can be shared with many recipients directly through the platform.

More from TechRadar Pro

Sead is a seasoned freelance journalist based in Sarajevo, Bosnia and Herzegovina. He writes about IT (cloud, IoT, 5G, VPN) and cybersecurity (ransomware, data breaches, laws and regulations). In his career, spanning more than a decade, he’s written for numerous media outlets, including Al Jazeera Balkans. He’s also held several modules on content writing for Represent Communications.

This new phishing strategy utilizes GitHub comments to distribute malware

Should your VPN always be on?

Phishing attacks surge in 2024 as cybercriminals adopt AI tools and multi-channel tactics