reports that more threat actors have been exploiting software-as-a-service platforms to host credential-stealing phishing
campaigns, with phishing URLs on SaaS platforms increasing by more than 1,100% between June 2021 and June 2022.
While SaaS platform abuse has increased across all categories, website builders, collaboration tools, and form builders had the biggest gains, according to a report from Palo Alto Networks Unit 42. Moreover, the exploitation of SaaS platforms began to significantly increase last October amid the growth in form builder abuse.
Many credential stealing pages have been directly hosted on the exploited SaaS platforms, with attackers sending phishing emails with a URL redirecting to the page, but other landing pages required another redirection step as they did not have the credential-stealing forms, researchers noted. Threat actors have also been leveraging bulletproof service providers to evade takedown requests.
"In the event that the final credential-stealing page is taken down, the attacker can simply change the link and point to a new credential-stealing page, preserving the effectiveness of the original campaign," said the report.