More Than Just a Corporate Wiki? How Threat Actors are Exploiting Confluence
Oct. 30, 2024, 9:31 p.m.
Description
Threat actors are increasingly using legitimate third-party business software to evade detection and sustain the deception. Atlassian's Confluence is being abused to host malicious content, taking advantage of the trust placed in its domain. The attack involves an email with an Excel attachment containing a DocuSign-branded image. Clicking the hyperlink redirects users to an Atlassian domain, then to a Microsoft-branded sign-in form. This technique bypasses secure email gateways and other security measures. Once credentials are entered, they are exfiltrated to the threat actor's domain. Such attacks can lead to various malicious activities, including spear phishing, business email compromise, and malware deployment. The use of trusted domains makes these attacks particularly effective and difficult to detect.
Date
Published: Oct. 30, 2024, 10:21 a.m.
Created: Oct. 30, 2024, 10:21 a.m.
Modified: Oct. 30, 2024, 9:31 p.m.
Indicators
82.180.130.33
https://kilgoreind.atlassian.net/wiki/external/ZTRhODM1N2U5Mzk5NGJmY2FmZWQ4NjI3YTVhNzhhYzA
Attack Patterns
T1193
T1534
T1199
T1102
T1192
T1204
T1056
T1566
T1078