Phishing with Fabric - A “Universal Workspace”
by Josh Shepard on 2024 | 11
Summary
RADICL recently observed a phishing campaign that leverages tried and true techniques, but this time with a new cloud service. The service in question is Fabric, which markets itself as a “universal workspace and smart organizer for all your ideas, files, notes, projects, links and screenshots”. The threat actor creates a fake invoice document, like those we’ve historically seen hosted on OneDrive/SharePoint, and hosts it on their Fabric page. They then create a share link, which takes the format hxxps://go[.]fabric[.]so/i/<alphanumeric_id>. Additionally, the campaign makes use of a Cloudflare Captcha test both to thwart automated scanning and to add a degree of legitimacy to the campaign. After passing the Captcha, the victim is directed to a fake O365 login page where the threat actor can steal O365 credentials if they are entered. See the screenshots below for a visual depiction of the attack.
Step 1: The Fabric Site
Upon clicking the fabric[.]so link the victim will be directed to the below landing page. Notice that the site is a legitimate Fabric page asking the victim to review a document by clicking the link (which leads to the actual phishing page).
Step 2: The Captcha
Upon clicking the review document link, the victim is presented with a Cloudflare Captcha page. This both thwarts automated scanning and provides an air of legitimacy to the phishing page.
Step 3: Outlook Simulation
After checking the Captcha, the phishing site simulates Outlook opening to provide context for why the victim needs to sign in to O365.
Step 4: O365 Look-Alike Page for Credential Stealing
Finally, the victim is brought to an O365 look-alike page, and if they enter their credentials they are compromised.
Conclusions and Recommendations
To protect against this kind of attack, teach your users to ALWAYS check the URL of a login page to ensure it’s legitimate before entering their credentials. Password managers can help with this, especially when they are set to autofill login pages: if the URL does not match the URL saved in the password manager, the autofill will NOT activate, making your users slow down and think before manually typing. Finally, teach your users that if they click an email link that directs them to a web document asking them to click another link, it’s likely malicious and should be reported.
If one of your users DID fall victim to this campaign, rotate the compromised account's credentials AND terminate all active sessions. Additionally, review any account activity between the link click and the password reset.
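As an added example that is not part of RADICL's write-up, the share-link format noted in the summary can be turned into a simple proxy-log check that flags users who clicked a Fabric share link and records the start of the activity window to review; the log format (timestamp, user, URL) and the log lines are constructed for this illustration.

```python
"""Added example, not RADICL's tooling: flag Fabric share links
(go.fabric.so/i/<id>) in web-proxy logs. Log format and lines are constructed."""
import re
from datetime import datetime

# Share-link format described in the write-up: https://go.fabric.so/i/<alphanumeric_id>.
# Anchored and strict so ordinary fabric.so traffic (e.g. the marketing site) is not flagged.
FABRIC_SHARE_RE = re.compile(r"^https?://go\.fabric\.so/i/([A-Za-z0-9]+)/?$", re.IGNORECASE)

# Constructed sample proxy log, one "<ISO timestamp> <user> <url>" per line.
SAMPLE_PROXY_LOG = """\
2024-11-05T09:12:03Z alice https://go.fabric.so/i/Ab12Cd34
2024-11-05T09:13:10Z bob https://fabric.so/pricing
2024-11-05T10:02:55Z carol hxxps://go[.]fabric[.]so/i/Zz99Yy88
2024-11-05T10:30:00Z dave https://example.com/news
"""

def refang(url):
    """Undo common defanging (hxxp, [.]) so pasted indicators match live URLs."""
    url = re.sub(r"^hxxp", "http", url.strip(), flags=re.IGNORECASE)
    return url.replace("[.]", ".")

def parse_line(line):
    """Split a constructed log line into (datetime, user, refanged url)."""
    ts, user, url = line.split(maxsplit=2)
    return datetime.fromisoformat(ts.replace("Z", "+00:00")), user, refang(url)

def find_fabric_share_links(log_text):
    """Return one hit per Fabric share link, with the user, time and share id."""
    hits = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, user, url = parse_line(line)
        m = FABRIC_SHARE_RE.match(url)
        if m:
            hits.append({"time": ts, "user": user, "url": url, "share_id": m.group(1)})
    return hits

def review_window_starts(hits):
    """Earliest click per user: the start of the activity window to review if
    that account's password is later reset (per the recommendations above)."""
    starts = {}
    for h in hits:
        starts[h["user"]] = min(starts.get(h["user"], h["time"]), h["time"])
    return starts
```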