Top document publishing services are being spoofed to send out malware

Best email services: image of email with one unread message alert
(Image credit: Future)

Hackers have found yet another cloud-based service they can use to bypass email protection and land phishing emails straight into people’s inboxes.

Security researchers from Cisco Talos have reported observing malicious files built on digital document publishing (DDP) platforms, such as Publuu, Marq, FlipSnack, Issuu, FlippingBook, RelayTo and SimpleBooklet. These platforms allow users to create interactive flipbooks out of PDF files.

The hackers would create countless free trial accounts, and use them to generate flipbooks containing links to malicious landing pages. They then use the platforms to distribute the documents to their victims.

Malicious files with an expiration date

Since the emails would come from a legitimate, trusted source, most of them would make it past email security gateways and into people’s inboxes. Victims could also be inclined to open the documents, given the perceived trustworthiness of the sender.

"Hosting phishing lures on DDP sites increases the likelihood of a successful phishing attack, since these sites often have a favorable reputation, are unlikely to appear on web filter blocklists, and may instill a false sense of security in users who recognize them as familiar or legitimate," Cisco Talos researcher Craig Jackson said.

Another advantage of DDP sites lies in the fact that the files hosted there have an expiry date, and get deleted after some time. That makes analysis difficult, since by the time security researchers are notified, the files are already long gone. 

The goal of the campaign, the researchers further explained, is to harvest Microsoft 365 credentials, as the links in the flipbook files usually lead to fake Microsoft 365 login pages.

Hackers abusing software-as-a-service (SaaS) to deliver phishing emails is nothing new. Even Google’s own productivity suite, Workspace, was abused, as Docs files, for example, can be shared with many recipients directly through the platform.

More from TechRadar Pro

Sead is a seasoned freelance journalist based in Sarajevo, Bosnia and Herzegovina. He writes about IT (cloud, IoT, 5G, VPN) and cybersecurity (ransomware, data breaches, laws and regulations). In his career, spanning more than a decade, he’s written for numerous media outlets, including Al Jazeera Balkans. He’s also held several modules on content writing for Represent Communications.