Threat actors are increasingly exploiting legitimate online services to conduct attacks for stealing credentials and exfiltrating data while remaining undetected from unsuspecting victims, according to security researchers at Check Point.

Credential harvesting continues to be one of the top attack vectors, with 59 percent of attacks tracked by Check Point involving credential theft. To obtain a victim’s credentials, phishing emails often contain a malicious URL or attachment. Based on Check Point’s telemetry more than 50 percent of malicious attachments are HTML files. And in order to fool the victim, many malicious HTML attachments are disguised as a login pages of legitimate services and vendors such as Microsoft. Check Point discusses a new method of using a legitimate form service’s API that makes malicious HTML files hard to block and easy to send the stolen credentials wherever the attacker chooses, even their own mailbox. To defend against this and other forms of credential theft, members are encouraged to remind end users to always be wary of messages that require urgent actions and ones that instruct them to click on a link, open an attachment, or enter their credentials to “gain access.” Users should also be reminded to reach out to the purported sender via another means of communication to confirm a message’s authenticity. Lastly, Check Point provides additional recommendations and potential indicators of compromise associated with this threat activity. Read more at Check Point.