Threat actors have been exploiting Adobe Creative Cloud accounts to spread malicious images and PDF files with embedded links aimed at exfiltrating credentials belonging to Microsoft Office 365 and Gmail users, Threatpost reports, citing a report from Avanan.
Researchers said that the ongoing campaign, which was first detected last month, involves attackers creating free Adobe Cloud accounts, in which they create PDFs or images containing malicious links that are then spread through email.
Attackers were found to send emails with a seemingly legitimate PDF named Closing.pdf with an “Open” button that, when clicked, redirects recipients to what appears to be an Adobe Document Cloud page but is actually a typical credential-harvesting page hosted on an attacker-controlled domain, according to Avanan Cybersecurity Research Analyst Jeremy Fuchs.
Another email used in the attack was a spoofed Adobe notification found to have grammatical errors.
“Though the several hops to get to the final page may cause some red flags from discerning end-users, it won’t stop all who are eager to receive their documents, especially when the title of the PDF — in this case ‘Closing’ — can instill urgency,” said researchers.