publishing date icon
May 17, 2022
read time icon
5 min. read

How hackers hide behind trusted services

Post hero image

Table of contents

share this post

Hackers are always coming up with new tricks to lower your defenses and manipulate your trust. You might have been taught to hover over links to see wether they’ll actually take you to the website referenced in the email subject, or to somewhere dodgy. You’ve probably even spotted a few malicious links and prevented unwanted headaches by doing so. Unfortunately, even after hovering over a url and seeing a reputable domain such as adobe.com or google.com, you could still end up getting your credentials stolen or downloading a virus.

Avoiding filters and mitigating hovering

Attackers constantly devise new ways to circumvent spam filters and the increasing awareness of end users. Spam filters easily catch emails containing malicious links that are not obfuscated in any way, such as through redirecting services like bit.ly. At the same time, users are becoming more aware of how to recognize malicious emails with techniques like hovering.

One solution to both of these “problems” (from the attacker's perspective) is to send and host their malicious links and attachments via services that we all know and, most importantly, trust. Microsoft services are prime examples. A spam filter cannot blacklist a domain ending with live.com because doing so would block numerous Microsoft services used in day-to-day business activities. Moreover, a user will trust a legitimate Microsoft domain, making this method quite effective for phishing campaigns, albeit not  as common as using some redirecting services.

An attacker can host a malicious website on their own server or on a public cloud hosting service. But these often get taken down quickly, usually within a few days. Even though the lifespan of a phishing email isn’t long, if the attacker's website is taken down immediately then the phishing email is useless.

So, how are these trusted services hijacked by attackers?

Here are a few examples to demonstrate how legitimate sites are used for nefarious purposes.

Adobe phish

File shared through adobe. Sender is legitimately Adobe.


The link used in the adobe email.


Malicious file hosted on adobe.com behind previous link.

OneNote phish

Malicious link hosted on a Microsoft-owned domain using OneNote - onedrive.live.com

Google Drive phish

Malicious files hosted on Google Drive - drive.google.com

Google website hosting phish

Hosted on sites.google.com. Links to a malicious site.

Legitimate sites such as adobe let attackers host links and attachments on their own site. This means that the malicious content url will end with legitservice.com making it impossible to notice. There is little use in hovering over the link or sometimes even checking the sender domain, unless you are already aware of these tricks. It is harder for the user to blindly trust the good ol' hovering method.

This is why context matters! Most of these links to the legit sites hosting malicious links or files will not be relevant to the context of the email.

Often, the sender of such emails is not the website host, or even anyone related to the email. Typical examples are bank phishes and IT department impersonations. The good thing about these links in most cases is that because they are on a legit service, nothing malicious happens just by clicking the initial link. It’s the malicious site you’re then taken to where things get dangerous. There, whatever you click or download, or whatever credentials you enter, could do harm.

Attack sites using legit services to host malicious links or files stay up markedly longer than sites on regular web-hotels or free hosting services. While researching this blogpost, I found several month-old phishing sites still up and running on legit services, compared to most phishing sites that are taken down in a a day or two.

A few sites where you shouldn’t place your trust just based on the domain:

acrobat.adobe.com

express.adobe.com

onedrive.live.com

web.core.windows.net

forms.office.com

drive.google.com

groups.google.com

sites.google.com

amazonaws.com

swisstransfer.com

wetransfer.com

Any file sharing service

Staying off the hook

  • Think twice about downloading anything. If you clicked on a link that looked trustworthy, think about whether the site that you are presented with is relevant to the email. If it contains a new link to somewhere else, you know what to do - hover! You should know that if you are on a website that is managed by the attacker, hovering over a link can be spoofed to show a different url.
  • Just because you have to login to a legit service, doesn’t mean that the content there is safe. A good example is a google drive link. It can still contain malicious files and links even after a login.
  • Remember context! Even a legitimate website domain isn’t safe if it has nothing to do with the email.

Hoxhunt response

We are seeing what experts have predicted: The fighting in Ukraine contains an unprecedented cyber dimension. Fallout is seeping into inboxes around the world. Our Threat Analysis Team examines tens of thousands of reported phishing emails, including ones like these, a week–and have captured tens of millions of threats to date. Working together with our powerful machine learning model, they cluster the threats, rate them, and incorporate the nasty ones into our training simulations in real time to ensure our training stays at the cutting edge of the constantly-evolving threat landscape. Hoxhunt users are thus drilled on spotting and reporting the latest actual threats making the rounds, removing potentially catastrophic threats from your system with every push of the Hoxhunt reporting button. Also learn how to equip your employees with the awareness training that will protect your company from phishing scams.

How has DocuSign integrated Hoxhunt into their behavioral science-approach to security training?

Hacking through the brain's obstacles to learning with reward-based practice that people actually like

Watch the webinar with Lisa Kubicki, Director of Trust & Security Training & Awareness at DocuSign

Subscribe to Threat Feed

Subscribe to Hoxhunt's Threat Feed to get the latest phishing threats delivered to your inbox, every Friday.

Form CTA

Hoxhunt needs the contact information you provide to us to contact you about our products and services. You may unsubscribe from these communications at anytime. For information on how to unsubscribe, as well as our privacy practices and commitment to protecting your privacy, check out our Privacy Policy.