Enterprises across Australia and the APAC region have been warned that cyber criminals are exploiting popular platforms like Atlassian to launch more convincing phishing attacks on law firms and other corporations. These attacks aim to steal employee credentials and breach company cyber security defences.

Ryan Economos, APAC field chief technology officer at email security firm Mimecast, told TechRepublic that such phishing attacks are rare in their use of Atlassian as a cover. But he noted that phishing attacks are becoming increasingly sophisticated, thanks to phishing kits and AI, which make it easier for cyber criminals to execute their activities.

Atlassian workspaces, Japanese ISPs, and a compliance cover story

Mimecast’s Global Threat Intelligence Report 2024 H1 reported on the emergence of a new phishing tactic that used a compliance update cover story to target law firm employees. The phishing attacks:

  • Leveraged popular local brand Atlassian’s workspaces, as well as other unified workspace platforms, including Archbee and Nuclino, to send employees harmful emails that looked familiar and legitimate.
  • Used device compliance updates as a cover, instructing employees via email that they needed to update their devices to remain compliant with company policy.
  • Were designed to redirect those who clicked the link to a fake company portal, where attackers could harvest credentials and other sensitive information.
  • Embedded the phishing link in an email sent from addresses associated with Japanese ISPs.

“There’s quite a lot of personalisation in the emails such as details of a ‘device’ and several references to the company domain they are sending these campaigns to increase validity,” Mimecast’s report said.

SEE: Australia’s legal profession is rushing to adopt AI

“The sender address name always refers to the target organisation’s domain name with the aim of fooling end users into thinking it is from their internal department.”

The growing sophistication of phishing attacks

Economos noted that while the campaign initially targeted Australian law firms, it has since expanded to other industries and is no longer confined to the legal sector. He highlighted several aspects of the campaign that indicate increasing sophistication among threat actors.

Use of Atlassian and other workspaces

Economos said the growing use of Atlassian workspaces was a newer development for the market.

“Mimecast continues to see threat actors making use of services such as OneDrive and Google Docs to host files or links in their campaigns, but the use of workspaces such as Atlassian has not been heavily abused previously,” he said.

Part of the campaign was an email that appeared to be from Atlassian’s Confluence product. Mimecast referred to a “noticeable increase in the use of Atlassian” to evade detection in recent times.

“Abuse of legitimate services is an ongoing and evolving challenge,” Economos said. “Attackers will continue to leverage reputable sources to launch and host their campaigns, in an attempt to evade detection.”

SEE: The alarming state of data breaches in Australia in 2024

Harvesting of tracker data intelligence

The campaign used postmark URLs to redirect users to the unified workspace solutions. Postmark URLs allow attackers to gather data such as location, browser details, and which part of the email was clicked, enabling them to leverage this intelligence to make the phishing lure more convincing.

Multiple URL obfuscation techniques

Making it more difficult for users to identify the true destination of the URL, the phishing campaign used “multiple obfuscation techniques,” Mimecast said. This includes multiple redirections within the URL, encoded characters, and the insertion of tracking parameters.

Enlisting unsuspecting Japanese ISPs

Although the use of Japanese ISPs is not unique to this phishing campaign, Economos noted that they were exploited once again, as they had in several previous attacks.

“It continues to expose the lengths that threat actors will go to in order to successfully generate attacks on organisations,” he commented.

Phishing attacks will get easier to mount — and more convincing

Phishing is still among the most common cyber threats among organisations, Economos said.

Generative AI and machine learning, while also helping defenders stop attacks, is expected to increase the sophistication and improve the targeting and content of phishing campaigns. This will drive defenders’ need to detect and quickly respond to new and novel attack techniques.

SEE: APAC employees are choosing convenience over cyber security

“The biggest evolution has been the velocity and accuracy of phishing threats, through the use of phishing kits, automation, and AI-based technologies,” Economos said. “These platforms allow even low-skill-level attackers to launch large-scale campaigns and an ability to quickly craft more convincing phishing emails to evade detection by traditional security tools.”

Economos also noted the rise of pretexting — where a cyber criminal will research and pose as a character to provide a convincing story or “pretext” to trick the phishing victim — as well as Business Email Compromise, as significant factors in the evolution in the phishing threat landscape.

“As our work surfaces continue to diversify, threat actors are diversifying the vectors they exploit beyond email, targeting social media platforms, collaboration tools like Microsoft Teams, Slack, and OneDrive right through to vishing and smishing attacks using phone calls or text messages to deceive victims,” he said.

Tech