Adobe Creative Cloud is a popular suite of apps for creating and sharing files; well-known apps include Photoshop and Acrobat.
Adobe’s apps foster collaboration by making it easy to share documents. Spoofing Adobe notification emails has long been common practice (see this earlier Avanan report); now hackers are using Adobe’s own service as a gateway to malicious links.
Starting in December 2021, Avanan observed a new wave of hackers creating Adobe accounts and uploading PDF files whose links redirect users to credential-harvesting pages. In this attack brief, Avanan analyzes how Adobe Cloud has become an attack vector for hackers.
Attack
In this attack, hackers use the Adobe Cloud Suite to deliver credential-harvesting links.
The hacker creates an account within the Adobe Cloud Suite, uploads a PDF file containing a link that leads to a credential-harvesting page, and shares it with the target. Because Adobe itself sends the share notification, the end-user receives a legitimate email from Adobe in the inbox. This bypasses ATP protection: Adobe is a trusted sender, and the PDF itself contains nothing malicious, only a link.
Email Example #1
In this email, an innocent-looking PDF is shared via Adobe Acrobat:
This email appears as a genuine email from Adobe, sharing a PDF
Email Example #2
When the user clicks “Open,” they are redirected to this Adobe Document Cloud page:
This is a PDF hosted on Adobe Cloud that leads to a credential harvesting page. Notice the grammatical errors.
Email Example #3
Should the end-user click on the “Access Document” link, they will be redirected to a classic credential harvesting page, which is hosted outside the Adobe suite:
This is the final step, a classic credential harvesting page.
Techniques
In this email attack, hackers found a way to leverage the Adobe cloud suite to nest and hide credential-harvesting pages. In the last few weeks, Avanan has observed thousands of these attacks, including 400 since the start of the New Year.
The attack takes advantage of the trust that email security solutions (in this case, ATP) place in Adobe. Even more sinister is the fact that Adobe’s share features let the hackers track which recipients have opened and acted on the PDF.
Though a credential-harvesting page sits at the end of the trail, the original email passes all traditional checks, because it genuinely comes from Adobe.
Several factors make this email difficult for scanners to stop and for end-users to spot. The notification comes straight from Adobe. Users trust Adobe and are used to receiving documents through it, and Adobe is on most Allow Lists.
Additionally, the email is not a spoof at all: it is a genuine Adobe notification, so it looks exactly like the emails an end-user normally receives from Adobe.
Though the several hops needed to reach the final page may raise red flags for discerning end-users, they won’t stop everyone eager to receive their documents, especially when the PDF’s title (in this case, “closing”) instills urgency.
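The Techniques above explain why a trusted sender and an Adobe-hosted first hop let this through: nothing in the email or the PDF is malicious until the final redirect, so a scanner has to follow the chain rather than stop at the allow list. As an added example (not Avanan’s tooling and nothing Adobe provides), the Python below walks the link chain of a share notification and flags it when the hosted document’s link leaves Adobe for an unrelated domain. The email text, page contents, URL shapes and the `ADOBE_DOMAINS` list are constructed assumptions; `fetch_offline` stands in for a sandboxed fetch of each hop.

```python
"""
Added example (not Avanan's or Adobe's code): follow the link chain of an
Adobe Document Cloud share notification and flag it when the hosted
document's link leaves Adobe. All sample data below is constructed.
"""
import re
from email import message_from_string
from urllib.parse import urlparse

# Assumption: a short illustrative list of Adobe's registrable domains.
# Landing here is where the chain starts, not a clean verdict.
ADOBE_DOMAINS = {"adobe.com", "acrobat.com"}

URL_RE = re.compile(r"https?://[^\s\"'<>]+")


def registrable_domain(host: str) -> str:
    """Crude eTLD+1 (last two labels); real tooling should use the public suffix list."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


def domain_of(url: str) -> str:
    return registrable_domain(urlparse(url).hostname or "")


def follow_chain(start: str, fetch, max_hops: int = 5) -> list[str]:
    """Open each page via fetch() and step to the first link that points at a
    different registrable domain than the page it sits on. Stops when a page
    has no such link, cannot be fetched, or max_hops is reached."""
    chain = [start]
    for _ in range(max_hops):
        body = fetch(chain[-1])
        if body is None:
            break
        here = domain_of(chain[-1])
        nxt = next((u for u in URL_RE.findall(body) if domain_of(u) != here), None)
        if nxt is None:
            break
        chain.append(nxt)
    return chain


def assess(raw_email: str, fetch) -> dict:
    """Report whether an Adobe share notification ends off-platform. The trusted
    sender and the Adobe-hosted first hop are reported but never used as an
    exemption; only the registrable domain of the last hop decides."""
    msg = message_from_string(raw_email)
    sender = msg.get("From", "")
    sender_host = sender[sender.rfind("@") + 1:].strip(" >")
    share_links = [u for u in URL_RE.findall(msg.get_payload())
                   if domain_of(u) in ADOBE_DOMAINS]
    chains = [follow_chain(u, fetch) for u in share_links]
    off_platform = [c for c in chains if domain_of(c[-1]) not in ADOBE_DOMAINS]
    return {
        "sender_trusted": registrable_domain(sender_host) in ADOBE_DOMAINS,
        "chains": chains,
        "off_platform": off_platform,
    }


# ---- constructed sample data (not real Adobe URLs, pages or emails) ----
MALICIOUS_EMAIL = """From: Adobe Acrobat <message@adobe.com>
To: victim@example.com
Subject: closing.pdf has been shared with you
Content-Type: text/plain

Someone shared "closing.pdf" with you.
Open: https://documentcloud.adobe.com/link/review?uri=urn:constructed:closing
"""

BENIGN_EMAIL = """From: Adobe Acrobat <message@adobe.com>
To: victim@example.com
Subject: report.pdf has been shared with you
Content-Type: text/plain

Open: https://documentcloud.adobe.com/link/review?uri=urn:constructed:report
"""

# What each hop would return if fetched; stands in for a sandboxed browser.
SAMPLE_PAGES = {
    "https://documentcloud.adobe.com/link/review?uri=urn:constructed:closing":
        '<p>closing.pdf</p><a href="https://docs-secure-portal.example.net/login.php">Access Document</a>',
    "https://docs-secure-portal.example.net/login.php":
        '<form action="https://docs-secure-portal.example.net/post.php">Email / Password</form>',
    "https://documentcloud.adobe.com/link/review?uri=urn:constructed:report":
        '<p>report.pdf</p><a href="https://acrobat.adobe.com/view">Open in Acrobat</a>',
}


def fetch_offline(url: str):
    return SAMPLE_PAGES.get(url)


if __name__ == "__main__":
    for name, mail in (("closing.pdf", MALICIOUS_EMAIL), ("report.pdf", BENIGN_EMAIL)):
        verdict = assess(mail, fetch_offline)
        print(name, "sender trusted:", verdict["sender_trusted"],
              "off-platform chains:", verdict["off_platform"])
```

The design point is that `sender_trusted` is surfaced for the analyst but never short-circuits the verdict, which is exactly the exemption the attack relies on. In production the two-label domain helper must give way to a public-suffix-list lookup, and each hop should be fetched from an isolated browser so that the hackers’ view tracking noted above is not fed by an analyst’s click from a user context.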
Best Practices: Guidance and Recommendations
To guard against these attacks, security professionals can do the following: