Phishing attacks in Australia disguised as Atlassian


Businesses in Australia and the APAC region have been warned that cybercriminals are exploiting popular platforms like Atlassian to launch more convincing phishing attacks against law firms and other corporations. These attacks aim to steal employee credentials and breach the company's cybersecurity defenses.

Ryan Economos, APAC field technology director at email security company Mimecast, told TechRepublic that phishing attacks using Atlassian as a cover are rare. But he noted that phishing attacks are becoming increasingly sophisticated thanks to phishing kits and artificial intelligence, which make it easier for cybercriminals to carry out their activities.

Atlassian Workspaces, Japanese ISPs, and a Cover Story on Compliance

Mimecast's 2024 H1 Global Threat Intelligence Report described the emergence of a new phishing tactic that used a compliance update as cover to target law firm employees. The phishing attacks:

  • Leveraged workspaces from popular local brand Atlassian, as well as other unified workspace platforms, including Archbee and Nuclino, to send employees harmful emails that looked familiar and legitimate.
  • Used device compliance updates as cover, telling employees via email that they needed to update their devices to remain compliant with company policy.
  • Were designed to redirect those who clicked on the link to a fake business portal, where attackers could harvest credentials and other sensitive information.
  • Embedded the phishing link in an email sent from addresses associated with Japanese ISPs.

“There is a lot of personalization in the emails, such as details of a 'device' and several references to the domain of the company they send these campaigns to to increase validity,” the Mimecast report says.

“The sender address name always refers to the domain name of the target organization with the goal of tricking end users into believing it is coming from their internal department.”
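
The sender pattern the report describes, a display name that mentions the target's own domain on a message whose actual address belongs to an outside provider, can be checked from the From header alone. The following is an added example, not code from Mimecast or the original article; the domain `examplelaw.com.au`, the sample messages and the function names are constructed for illustration.

```python
from email import message_from_string, policy

# Assumption: the defender's own mail domains (hypothetical value).
ORG_DOMAINS = {"examplelaw.com.au"}

def _is_org_domain(domain, org_domains):
    """True if domain is one of ours or a subdomain of one of ours."""
    domain = domain.lower().rstrip(".")
    return any(domain == d or domain.endswith("." + d) for d in org_domains)

def display_name_spoof(raw_message, org_domains=ORG_DOMAINS):
    """Return (display_name, address) pairs from the From header whose
    display name mentions an org domain while the address is external."""
    msg = message_from_string(raw_message, policy=policy.default)
    from_hdr = msg["From"]
    if from_hdr is None:
        return []
    hits = []
    for addr in from_hdr.addresses:
        # policy.default decodes RFC 2047 encoded words in the display name.
        name = (addr.display_name or "").lower()
        mentions_org = any(d in name for d in org_domains)
        if mentions_org and not _is_org_domain(addr.domain, org_domains):
            hits.append((addr.display_name, addr.addr_spec))
    return hits

# Constructed sample messages (not taken from the campaign).
SAMPLE_SPOOFED = (
    'From: "examplelaw.com.au IT Compliance" <user123@isp.example.jp>\n'
    "Subject: Device compliance update required\n\nbody\n"
)
SAMPLE_ENCODED = (
    "From: =?utf-8?q?examplelaw=2Ecom=2Eau_Helpdesk?= <helpdesk@isp.example.jp>\n"
    "Subject: Device compliance update required\n\nbody\n"
)
SAMPLE_INTERNAL = (
    'From: "examplelaw.com.au IT" <it@mail.examplelaw.com.au>\n'
    "Subject: Patch window\n\nbody\n"
)

if __name__ == "__main__":
    for sample in (SAMPLE_SPOOFED, SAMPLE_ENCODED, SAMPLE_INTERNAL):
        print(display_name_spoof(sample))
```
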

The increasing sophistication of phishing attacks

Economos noted that while the campaign was initially targeted at Australian law firms, it has since expanded to other industries and is no longer limited to the legal sector. He highlighted several aspects of the campaign that indicate growing sophistication among threat actors.

Using Atlassian and other workspaces

Economos said the growing use of Atlassian workspaces was a more recent development for the market.

“Mimecast continues to see threat actors making use of services like OneDrive and Google Docs to host files or links in their campaigns, but the use of workspaces like Atlassian has not been widely abused before,” he said.

Part of the campaign was an email that appeared to be from Atlassian's Confluence product. Mimecast referred to a “notable increase in the use of Atlassian” to evade detection in recent times.

“Abuse of legitimate services is an ongoing and evolving challenge,” Economos said. “Attackers will continue to leverage reputable sources to launch and host their campaigns, in an attempt to evade detection.”

Tracker Data Intelligence Collection

The campaign used Postmark URLs to redirect users to unified workspace solutions. Postmark URLs allow attackers to collect data such as location, browser details, and which part of the email was clicked, allowing them to leverage this intelligence to make the phishing lure more convincing.

Multiple URL obfuscation techniques

To make it more difficult for users to identify the true destination of the URL, the phishing campaign used “multiple obfuscation techniques,” Mimecast said. This includes multiple redirects within the URL, encoded characters, and the insertion of tracking parameters.
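
A mail gateway or analyst can undo these three layers offline before judging a link. The following is an added example, not code from Mimecast or the original article: it peels nested redirect targets out of query parameters, counts percent-encoding layers and lists tracking parameters, without making any network request. The hostnames, the parameter names and the tracking-key list are assumptions constructed for illustration.

```python
from urllib.parse import urlsplit, quote, unquote

# Assumption: a small, illustrative list of tracking parameter names.
TRACKING_PREFIXES = ("utm_",)
TRACKING_KEYS = {"gclid", "fbclid", "mc_eid"}
URL_SCHEMES = ("http://", "https://")

def peel(value, max_rounds=5):
    """Percent-decode until the value looks like a URL or stops changing."""
    rounds = 0
    while rounds < max_rounds and not value.lower().startswith(URL_SCHEMES):
        decoded = unquote(value)
        if decoded == value:
            break
        value, rounds = decoded, rounds + 1
    return value, rounds

def analyse_url(url, max_depth=5):
    """Walk URLs nested inside query parameters and report what was hidden."""
    hosts, tracking, layers = [], [], 0
    current = url
    for _ in range(max_depth):
        parts = urlsplit(current)
        hosts.append(parts.hostname or "")
        nested = None
        # Split the raw query by hand so encoding layers can be counted.
        for pair in parts.query.split("&"):
            key, _, raw = pair.partition("=")
            value, rounds = peel(raw)
            layers = max(layers, rounds)
            if key.lower() in TRACKING_KEYS or key.lower().startswith(TRACKING_PREFIXES):
                tracking.append(key)
            elif nested is None and value.lower().startswith(URL_SCHEMES):
                nested = value
        if nested is None:
            break
        current = nested
    return {"hosts": hosts, "final_host": hosts[-1],
            "encoding_layers": layers, "tracking_params": tracking}

# Constructed sample link: tracker -> workspace page -> credential portal.
_INNER = "https://portal-login.example.net/sso?device=LT-0423"
_MID = "https://workspace.example.org/r?to=" + quote(_INNER, safe="") + "&utm_source=mail"
SAMPLE_URL = ("https://track.example.com/click?u="
              + quote(quote(_MID, safe=""), safe="") + "&utm_campaign=compliance")

if __name__ == "__main__":
    print(analyse_url(SAMPLE_URL))
```

Comparing `final_host` with the host the user sees in the email, and alerting when `encoding_layers` is greater than one, gives a simple triage signal for links of this shape.
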

Recruiting unsuspecting Japanese ISPs

Although the use of Japanese ISPs is not unique to this phishing campaign, Economos noted that they were exploited once again, as they had been in several previous attacks.

“It continues to expose the lengths to which threat actors will go to successfully launch attacks against organizations,” he said.

Phishing attacks will be easier to mount and more convincing

Phishing remains one of the most common cyber threats among organizations, Economos said.

In addition to helping defenders stop attacks, generative AI and machine learning are expected to increase the sophistication and improve the targeting and content of phishing campaigns. This will drive the need for defenders to quickly detect and respond to new and novel attack techniques.

“The biggest evolution has been the speed and accuracy of phishing threats, through the use of phishing kits, automation and AI-based technologies,” Economos said. “These platforms allow even less skilled attackers to launch large-scale campaigns and have the ability to quickly create more convincing phishing emails to evade detection by traditional security tools.”

Economos also highlighted the rise of pretexting (in which a cybercriminal investigates and impersonates a character to provide a convincing story or “pretext” to trick the phishing victim), as well as business email compromise, as important factors in the evolution of the phishing threat landscape.

“As our work surfaces continue to diversify, threat actors are diversifying the vectors they exploit beyond email, targeting social media platforms, collaboration tools like Microsoft Teams, Slack and OneDrive to vishing and smishing attacks using phone calls or text messages to deceive victims,” he stated.