VMblog Expert Interview: Rajat Upadhyaya of Armorblox Details Latest Research on Microsoft Phishing Attack Hosted on Google Firebase


This past week, Armorblox's threat research team observed invoice-themed email attacks hitting customer environments that lured recipients into clicking a link, purportedly to receive an Electronic Funds Transfer (EFT) payment. In this attack the adversaries once again leaned on trusted cloud providers, here Microsoft Office 365 branding and a landing page hosted on Google Firebase, to extract victims' Microsoft login credentials and personal information such as an alternate email address and phone number.

Armorblox has now released its findings detailing how this attack works. To learn more, VMblog reached out to Rajat Upadhyaya, Head of Engineering at Armorblox.

VMblog:  Armorblox just published threat research outlining a Microsoft phishing attack that was hosted on Google Firebase.  Can you provide a brief overview of the attack?

Rajat Upadhyaya:  The email attack highlighted in our research pretends to share information about an EFT payment with a link to download an HTML invoice. Opening the HTML loads a page with Microsoft Office branding that's hosted on Google Firebase. The final phishing page looks to extract the victims' Microsoft login credentials, alternate email address, and phone number.  

VMblog:  What techniques employed by cybercriminals enabled this email attack to bypass native Microsoft security controls?

Upadhyaya:  This email attack employed a variety of techniques, covering most bases to successfully evade native Microsoft email security. Some of these techniques include:

  • Passing authentication by using SendGrid.
  • Social engineering by crafting the email title and body to convey financial urgency.
  • Impersonating the Microsoft brand on the final phishing page to trick users into giving up their credentials. 
  • Hosting the final URL on Google Firebase to lend the domain a legitimacy that allowed it to bypass email security filters and blocklists.
  • Employing link redirects and HTML downloads to obfuscate the attack flow and stop security technologies from following the link to its final destination.

VMblog:  The final phishing page was hosted on Google Firebase.  Why would you say this is noteworthy?  Have you observed this technique before?

Upadhyaya:  Hosting the phishing page on Firebase is noteworthy because Google domains have an inherent legitimacy that makes it impossible to preemptively block these URLs using legacy email security filters. The Armorblox threat research team has observed this technique (and other related ones) before. Cybercriminals are regularly exploiting free Google services to launch phishing attacks. Our research note on these attacks from a few months ago covers email scams that used Google Docs, Forms, Sites, and Firebase. 

VMblog:  Do you have any tips and recommendations for organizations looking to protect themselves against such email attacks? 

Upadhyaya:  It's important to follow email security hygiene and best practices to protect against these attacks, or at least contain their impact.  

  • Deploy two-factor authentication (2FA) on all possible business and personal accounts.
  • Don't use the same password on multiple sites/accounts.
  • Use password management software to store your account passwords.
  • Avoid using passwords that tie into your publicly available information (date of birth, anniversary date etc.).
  • Don't repeat passwords across accounts or use generic passwords such as your birth date, 'password123', 'YourName123' etc.

Organizations should also not rely solely on native Microsoft email security, which provides a good base but is not meant to constitute the entire email security stack. The email highlighted in our research got past Microsoft's Exchange Online Protection (EOP), with an assigned Spam Confidence Level (SCL) of 1, which means either the email skipped past spam filters or EOP determined that it wasn't spam. For better protection coverage against targeted email attacks, organizations should augment built-in Microsoft capabilities with technologies that take a materially different approach to threat detection. Gartner's Market Guide for Email Security covers new approaches that vendors brought to market in 2020, and should be a good starting point for your evaluation.

VMblog:  How was Armorblox able to detect the attack? 

Upadhyaya:  Armorblox analyzes thousands of signals across identity, behavior, and language to detect advanced email attacks that get past traditional security layers. With most advanced email attacks, there's no one signal or red flag that leads to detection, but rather a confluence of telltale signs that results in Armorblox flagging the email as suspicious. 

Some Armorblox insights that led to the attack being detected were:

  • Low communication history: Armorblox detected that the sender email in question had a low communication history with the victims' email accounts. While not a violation in itself, this insight is critical when compared with other unusual signals and can catch highly targeted attacks.
  • Language, intent, and tone: Armorblox language models have been trained on tons of data and further customized to suit every customer environment. These models analyzed the email body and detected that there was an unusual request made in the email (which is a common trait in business email compromise attacks). Armorblox language models also detected multiple financial terms used in the email.
  • Low domain frequency: Armorblox ML models have three tiers - a global model, an organization-specific model, and a mailbox-specific model. While the mailbox-specific model was able to detect low communication history between the sender and the receiver, the organization-specific model also detected that the attacker's domain had not communicated with the target company as a whole.
  • Suspicious URL: Armorblox detected the presence of a suspicious URL in the email, based on factors including but not limited to threat intel sources, suspicious redirections, language associated with the link, dissonance between the link’s purported objective and where it actually led to, and so on.
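The signals listed in this answer (low communication history, org-wide domain frequency, financial language, a suspicious link) and the SCL detail from the earlier answer can be illustrated with a small scorer. The following is an added example written for this page, not Armorblox's code or a description of its models: it reads the SCL out of the X-Forefront-Antispam-Report header that Exchange Online Protection stamps on mail, keeps per-mailbox and org-wide sender counts, looks for several financial terms, and checks whether any link lands on a Firebase Hosting default domain. The sender addresses, hostnames, message history and the .web.app / .firebaseapp.com suffix check are assumptions; the page does not name the actual Firebase host or the real email text.

```python
"""Added example: a toy scorer combining the kinds of signals described in the
interview with the SCL value EOP stamps on a message. Not Armorblox code;
every message, address, hostname and history entry below is constructed."""
import re
from collections import Counter
from email import message_from_string
from email.message import Message
from email.utils import parseaddr
from typing import Dict, Iterable, List, Optional, Tuple
from urllib.parse import urlparse

# Real header added by Exchange Online Protection; SCL is one of its ';'-separated fields.
FOREFRONT_HEADER = "X-Forefront-Antispam-Report"
# Default domains used by Firebase Hosting sites (assumption: the page does not name the host).
FIREBASE_HOSTING_SUFFIXES = (".web.app", ".firebaseapp.com")
# Small vocabulary standing in for the "multiple financial terms" signal.
FINANCIAL_TERMS = {"eft", "payment", "invoice", "remittance", "wire", "transfer", "funds"}
URL_RE = re.compile(r"https?://[^\s<>\"']+")


def parse_scl(msg: Message) -> Optional[int]:
    """Return the Spam Confidence Level EOP assigned, or None if the header is absent."""
    header = msg.get(FOREFRONT_HEADER)
    if not header:
        return None
    match = re.search(r"(?:^|;)\s*SCL:(-?\d+)", header)
    return int(match.group(1)) if match else None


class CommunicationHistory:
    """Per-mailbox and org-wide sender counts built from past (recipient, sender) pairs."""

    def __init__(self, past_messages: Iterable[Tuple[str, str]]):
        self.by_mailbox: Counter = Counter()
        self.by_org_domain: Counter = Counter()
        for recipient, sender in past_messages:
            recipient, sender = recipient.lower(), sender.lower()
            self.by_mailbox[(recipient, sender)] += 1
            self.by_org_domain[sender.rpartition("@")[2]] += 1

    def mailbox_count(self, recipient: str, sender: str) -> int:
        return self.by_mailbox[(recipient.lower(), sender.lower())]

    def org_domain_count(self, sender: str) -> int:
        return self.by_org_domain[sender.lower().rpartition("@")[2]]


def score_message(raw: str, history: CommunicationHistory) -> Dict[str, object]:
    """Flag a plain-text message when several independent weak signals line up."""
    msg = message_from_string(raw)
    sender = parseaddr(msg.get("From", ""))[1].lower()
    recipient = parseaddr(msg.get("To", ""))[1].lower()
    body = "" if msg.is_multipart() else msg.get_payload()
    text = f"{msg.get('Subject', '')} {body}".lower()

    reasons: List[str] = []
    if history.mailbox_count(recipient, sender) == 0:
        reasons.append("low_communication_history")   # this mailbox has never heard from the sender
    if history.org_domain_count(sender) == 0:
        reasons.append("low_domain_frequency")        # nor has anyone else in the organisation
    if len(set(re.findall(r"[a-z]+", text)) & FINANCIAL_TERMS) >= 2:
        reasons.append("financial_language")
    hosts = [urlparse(u).hostname or "" for u in URL_RE.findall(body)]
    if any(h.endswith(FIREBASE_HOSTING_SUFFIXES) for h in hosts):
        reasons.append("link_on_firebase_hosting")

    return {
        "sender": sender,
        "scl": parse_scl(msg),        # SCL 1 only tells us EOP let it through; not a verdict we rely on
        "reasons": reasons,
        "suspicious": len(reasons) >= 3,
    }


# Constructed history: the org has exchanged mail with partner.example, never with sender.example.
HISTORY = CommunicationHistory([
    ("jane.doe@victim-corp.example", "bob@partner.example"),
    ("jane.doe@victim-corp.example", "bob@partner.example"),
    ("sam.lee@victim-corp.example", "alice@partner.example"),
])

# Constructed lure modelled on the flow described in the interview (not the real email).
LURE = """\
From: Accounts Payable <ap-notifications@sender.example>
To: jane.doe@victim-corp.example
Subject: EFT Payment Remittance Advice - Invoice 4471
X-Forefront-Antispam-Report: CIP:203.0.113.10;CTRY:US;LANG:en;SCL:1;SRV:;IPV:NLI;SFV:NSPM;DIR:INB;
Content-Type: text/plain

Your EFT payment has been processed. Download the invoice to view the transfer details:
https://invoice-portal-12ab3.web.app/invoice.html
"""

# Constructed benign message from a known partner, also stamped SCL:1 by EOP.
BENIGN = """\
From: bob@partner.example
To: jane.doe@victim-corp.example
Subject: Agenda for Thursday
X-Forefront-Antispam-Report: CIP:198.51.100.7;CTRY:US;LANG:en;SCL:1;DIR:INB;
Content-Type: text/plain

Notes from last week are at https://partner.example/meetings/thursday
"""

if __name__ == "__main__":
    for name, raw in (("lure", LURE), ("benign", BENIGN)):
        print(name, score_message(raw, HISTORY))
```

Both constructed messages carry SCL:1, which is the point of keeping the value in the output rather than acting on it: the lure is flagged because four independent signals coincide, while the partner's message with the same SCL produces none.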

VMblog:  How can readers get their hands on this research to learn more?

Upadhyaya:  Readers can access the full research note here: 

For folks interested in staying up to date with the latest email security trends and attack research, check out other Blox Tales (i.e. email attacks caught by Armorblox) by visiting our blog and going to the 'Use Cases' section:


Published Monday, February 08, 2021 7:43 AM by David Marshall