Security researchers at Barracuda are warning of a recent surge in phishing attacks leveraging Adobe InDesign, a known and trusted document publishing system. Some of the attacks are targeted.
According to Barracuda telemetry, there has been a near 30-fold increase since October in emails carrying Adobe InDesign links. The daily count has jumped from around 75 per day to around 2,000 per day. Almost one in 10 (9%) of these emails carry active phishing links. A further 20% or so include removed content.
“To stay protected it is important to have advanced, multilayered and AI-powered email security in place, capable of spotting emerging as well as known threats.”
Many of the phishing links seen by Barracuda researchers have the top-level domain of “.ru” and are hosted behind a content delivery network (CDN) that acts as a proxy for the source site. This helps to obscure the source of the content and makes it harder for security technologies to detect and block the attacks.
Advanced to very basic attacks
Some of the attacks leveraging Adobe InDesign appear to be targeted at specific organizations or users. These emails carry legitimate brand logos that have probably been copied from other content or scraped from websites by the attackers. The logos are likely to have been chosen because they are known and trusted by the targets — and suggest the attackers spent time and resources crafting these messages.
The rest of the attacks are mainly generic mass-distributed messages featuring the OneDrive, SharePoint, and Adobe logos.
All the attacks are relatively straightforward and consistent in their approach, inviting the recipient to click on a link that will take them to another site, hosted on the indd.adobe[.]com sub domain but actually controlled by the attackers, for the next stage of the attack.
Why these attacks succeed
Phishing attacks continue to evolve to become more sophisticated, deploying different techniques and tactics to bypass security detection and trap victims.
The attacks leveraging Adobe InDesign employ several tactics to evade detection and trick targets.
- First, they leverage a known and trusted domain that is not commonly block listed.
- Second, by using a publishing program they can create highly convincing social engineering attacks.
- Third, once the recipient clicks on the link, they are moved to another web page. This means that there is no known malicious URL link in the main body of the message for traditional security tools to detect and block.
- Fourth, for those attacks hosted behind the CDN, this further helps to obscure the malicious source of the content and makes it harder for security technologies to detect and block.
How to stay safe
To stay protected it is important to have advanced, multilayered and AI-powered email security in place, capable of spotting emerging as well as known threats.
This should be accompanied by regular cybersecurity awareness training for employees. The training should be updated whenever new threat trends appear so that employees know what to look out for and what to do if they spot a suspicious or malicious email.
Barracuda’s detection data shows that some of the phishing attacks leveraging Adobe InDesign targeted multiple employees within the same organization — and the rapid reporting of and response to such attacks can stop it in its tracks.x