Hackers Abuse Autodesk Drive For Hosting Weaponized PDF Files

In Cybersecurity News - Original News Source is cybersecuritynews.com by Blog Writer

Autodesk Drive is a data-sharing platform for organizations to share documents and files in the cloud.

It also supports 2D and 3D design files as well as PDF files, and it is included free of charge with subscriptions to other Autodesk products.

However, a new attack campaign has been discovered that abuses this Autodesk hosting platform to host malicious PDF files, which lead victims into a phishing attack.

This phishing attack is aimed explicitly at harvesting Microsoft login credentials.

Technical Analysis

According to the reports shared with Cyber Security News, threat actors have been using compromised email accounts to find and target new victims.

Because the emails come from compromised accounts, users are less suspicious of the embedded Autodesk links.

The emails sent by the threat actors from these compromised accounts also include the legitimate email signature footer.

The phishing email from a compromised account with Signature footer (Source: Netcraft)

When victims click the Autodesk Drive links in these emails, they are taken to a page that displays the PDF document, which mainly contains the sender’s name and the company they work for in order to lend credibility to the phishing attack.

PDF hosted with Autodesk containing the sender’s name (Source: Netcraft)

The PDF contains a “VIEW DOCUMENT” button that embeds another phishing link, which takes the visiting user to a Microsoft login form.

This form looks exactly like the original Microsoft login form, in which the victim is asked for their username and password.

Phishing form (Source: Netcraft)

After entering their credentials, victims are redirected to a book about real estate investment hosted on Microsoft’s OneDrive service.

Since OneDrive is a Microsoft-owned product, this gives the user the impression that the document they saw was the intended one.

By then, however, the threat actors have already harvested the credentials through the spoofed form.

Real estate investment document hosted on OneDrive (Source: Netcraft)


Post Phishing Tactics

With the victim’s Microsoft credentials in hand, the threat actors can gain unauthorized access to sensitive company information and send many more phishing emails, including ones aimed at privileged Microsoft accounts.

Another behavior was noticed: the language of the phishing content varied between victims.

The threat actors appear to have automated these phishing emails so that the language changes according to the sender’s locale.

Supporting this, a similar phishing email sent from a Canadian manufacturing company used French in the PDF.

French version of the malicious PDF hosted on Autodesk (Source: Netcraft)

Organizations and employees are advised to stay alert to phishing attacks.

Additionally, the URL of every login form must be verified before any credentials are entered.
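The two defensive checks this article implies, treating links to a file-sharing service in email as a lure stage worth inspecting and verifying a login form's host before credentials are entered, can be automated. The following is an added example written for this page; it is not code from the article or from Netcraft. It assumes a short allowlist of genuine Microsoft sign-in hosts that an organization would maintain, and the email body and URLs it runs on are constructed samples (the Autodesk share path is a placeholder).

```python
import re
from urllib.parse import urlparse

# Assumption: the hosts an organization accepts as genuine Microsoft sign-in pages.
# Extend with tenant-specific hosts; anything else presenting a Microsoft form is suspect.
MICROSOFT_LOGIN_HOSTS = {
    "login.microsoftonline.com",
    "login.live.com",
    "login.microsoft.com",
}

# Legitimate file-sharing hosts that the campaign abused to host the lure PDF.
# A link to one of these from an unexpected email is the first stage to inspect.
FILE_SHARING_HOSTS = {
    "drive.autodesk.com",
}

# Brand words that a lookalike host typically carries to mimic Microsoft.
BRAND_WORDS = ("microsoft", "office365", "o365")

URL_RE = re.compile(r"https?://[^\s<>\"']+")


def extract_urls(text):
    """Return every http(s) URL found in a block of email text."""
    return URL_RE.findall(text)


def host_of(url):
    """Lower-cased hostname of a URL, with any trailing dot removed."""
    return (urlparse(url).hostname or "").lower().rstrip(".")


def classify_login_url(url):
    """Classify the URL of a page that presents a Microsoft-branded login form.

    'trusted'   - host is exactly one of the allowlisted sign-in hosts
    'lookalike' - host imitates Microsoft (brand word in the name, or a trusted
                  host used as a subdomain prefix of some other domain)
    'untrusted' - anything else; credentials should not be entered there
    """
    host = host_of(url)
    if host in MICROSOFT_LOGIN_HOSTS:
        return "trusted"
    if any(word in host for word in BRAND_WORDS):
        return "lookalike"
    if any(host.startswith(trusted + ".") for trusted in MICROSOFT_LOGIN_HOSTS):
        return "lookalike"
    return "untrusted"


def triage_email(body):
    """Flag links in an email body that point at file-sharing hosts (the lure stage).

    Returns a list of (url, reason) tuples for a reviewer or a mail gateway rule.
    """
    findings = []
    for url in extract_urls(body):
        host = host_of(url)
        if host in FILE_SHARING_HOSTS or any(host.endswith("." + h) for h in FILE_SHARING_HOSTS):
            findings.append((url, "file-sharing link: open the hosted document in a sandbox and "
                                  "check where its embedded links lead before following them"))
    return findings


# Constructed sample email in the style the article describes: a plausible sender,
# a real signature footer, and a single link to an Autodesk Drive share (placeholder path).
SAMPLE_EMAIL = """Hi,

Please review the proposal we discussed: https://drive.autodesk.com/shares/EXAMPLE-PLACEHOLDER

Regards,
Jane Doe
Example Manufacturing Ltd | +1 555 0100
"""

if __name__ == "__main__":
    for url, reason in triage_email(SAMPLE_EMAIL):
        print(f"[lure] {url}\n       {reason}")
    # Constructed login-page URLs: one genuine, one lookalike, one unrelated host.
    for candidate in (
        "https://login.microsoftonline.com/common/oauth2/authorize",
        "https://login.microsoftonline.com.secure-docs.example/signin",
        "https://secure-docs.example/signin",
    ):
        print(f"[login] {classify_login_url(candidate)}: {candidate}")
```

The login check deliberately compares the full hostname against an exact allowlist rather than searching for "microsoft" in the URL, because the lookalike pattern seen in credential-phishing pages is precisely a trusted name embedded somewhere inside an attacker-controlled domain; the brand-word and subdomain-prefix tests only decide between "lookalike" and "untrusted" once the exact match has already failed.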
