WeTransfer Used to Bypass Email Security in Spam Campaign

Threat actors are abusing WeTransfer, a file-sharing service, to bypass email security protocols. The most recent campaign is actively targeting the energy, banking, and media industries and attempting to steal credentials for Microsoft services, such as Office 365. The threat actor uploads a file, typically an HTM or HTML file, to WeTransfer and then the targeted user receives a legitimate email from WeTransfer notifying the user that a file has been shared with them. The threat actor can personalize the notification to pique the user’s interest, making them more likely to open the file. When the user opens the file, they are redirected to a phishing site and prompted to enter Office 365 credentials, which will be sent to the threat actor if submitted. The NJCCIC recommends users avoid clicking on links and opening attachments within unsolicited or unexpected emails, and exercise extreme caution when choosing to take action on emails from known senders. When requested to log into an account, users are advised to navigate to the website by manually typing the URL into the address bar of their browsers. For further information, users can review the Cofense article.