This new wave of attacks started in December 2021, and they are exploiting the fact that Adobe’s apps are designed to foster collaboration by sharing documents.
The attack is simple, really: the phishers create/import and host on Adobe Cloud an official-looking PDF pointing to a classic credential harvesting page hosted outside the Adobe suite (in this case, Weebly).
Then they share the document with the victims, who get a legitimate email from Adobe, saying that a document has been shared with them.
Recipients who follow the link in the email (“Open”) and then the link in the PDF (“Access Document”) are faced with a phishing page asking them to sign in with their Office 365 credentials to view the attached PDF.
The attackers are taking advantage of the trust that email security solutions place in Adobe, Fuchs noted. “Even more sinister is the fact that hackers can track the recipients who have opened and taken action on the PDF.”
Email security solutions should not rely on static Allow lists, he added, and they should be using a sandbox so they can open and inspect all links – now matter how many link “hops” have to be made to reach the final landing page.
End users, on the other hand, should remember not to inherently trust emails sent via online services as anyone can create legitimate accounts (or hijack them).
In this case, both the PDF and the phishing page have grammar and spelling errors that should raise users’ suspicion. While users whose first language isn’t English might not notice that, everybody should definitely find suspicious the fact that the fake Office 365-themed login page is hosted on Weebly.