The “Evernote for creatives” sees an increasingly threatening phishing attacks campaign, going fully unnoticed by SEGs.
Milanote App, Hit By Phishing Attacks
The Milanote app, also known as the “Evernote for creatives,” has been noticed lately by cybercriminals who seek to exploit it to carry out credential-stealing attacks that evade secure email gateways with ease, researchers said.
Milanote is an app that offers users tools for organizing and collaborating on creative projects. It counts many heavy names as customers, such as Chanel, Facebook, Google, Nike, and Uber.
According to an Avanan report posted on Thursday, hackers trick victims by starting with an email that has the subject line “Invoice for Project Proposal.” The body doesn’t give away too many details, nor does it contain logos or personalization: “Hello. See attached invoice for the above-referenced project. Please contact me if you have questions or need additional information. Thank you.”
“The email itself is pretty standard issue. It gets attention with the subject of ‘Invoice for Project Proposal.’ It’s certainly not the most sophisticated effort in the world, however, it understands what emails can get past static scanners, including, in this case, Milanote,” Gil Friedrich, CEO and co-founder of Avanan, said.
If the target opens the attachment, they will open a document with only one line in it (“I have shared a file with you. Please click the link[s] below to download”) followed by a clickable button that says “Open Docs.”
Should the user click the button, they are redirected to a page hosted on the Milanote service:
By clicking on this final link, the victim is taken to a phishing page that attempts to steal several types of login information.
Tricking the App’s Defenses
There has been a massive increase in slippery phishing attacks lately, according to Avanan. The firm examined 1,430 emails that contained a link to Milanote in some form, with a whopping 1,367 of them actually being part of phishing attacks.
“This does not necessarily mean that Milanote should not be trusted. What it does mean, however, is that hackers have found great success in targeting SEGs using services like Milanote that can host files,” Friederich added.
The phish is not detected and flagged by the majority of SEGs or conventional security systems since the malicious link is well hidden in the attack chain. Having involved a legitimate service in the phishing attacks only adds to the probability of people falling for them.
“[Most] use static scanners to scan attachments or links for malicious payloads,” Friederich stated. “In response, hackers are bypassing those detection mechanisms by nesting the payloads in deeper layers within legitimate services, fooling the static scanners. This is part of a larger trend of hackers utilizing legitimate services to host malicious content. Because the scanner doesn’t go that deep, hackers can leverage these services to host their content and easily send it to users.”
According to Avanan, hackers are using this trick more and more, across many services.
“All sorts of attacks utilizing static links are skyrocketing. For example, we’ve seen tremendous phishing attacks leveraging a number of different sites that are Allow Listed – Google Docs, MailGun, HostGator, among others. We expect this to continue to grow in the near future.”
Collaboration Apps: Focus Target for Cybercriminals
Collaboration apps have been on the rise for a while now. Hackers turned to them to exploit their huge potential and find new ways to social-engineer and trick security.
“Work and communication don’t happen on just email. As we’ve seen throughout the pandemic, work happens everywhere,” Friederich stated. “We’re talking to people on Zoom, sharing thoughts on Slack, using whiteboards on Jamboard and thousands of other services. Email is still incredibly important, of course, but there are other places where information is transmitted.”
This only broadens the potential target list for phishing attacks.
“Instead of just email, hackers can bring malicious links to where users are. For many of these collaboration apps, it provides an easy in for hackers,” Friedrich said. “Users might have their guard down on such sites, given they haven’t had the same phishing training there. It becomes an easy way to score up a lot of potential targets.”
In order to protect themselves from phishing attacks, users should learn and apply the best cybersecurity practices regarding phishing, Friederich advised.
“That means inspecting links before opening, being wary of unfamiliar senders, showing caution around emails about invoices and payments, picking up on any inconsistencies in the sender address and paying close attention to spelling and grammar,” he said.
Phishing attacks are all the more dangerous when they hit companies. Yours could be next.
Train your employees to spot phishing attempts with ATTACK Simulator’s 4-Step Phishing Simulations.
Invest a small amount today to protect your business’s tomorrow and possibly spare a fortune. Get your quote here.