More Than Just a Corporate Wiki? How Threat Actors are Exploiting Confluence

Tags

External References

• https://securityboulevard.com/
• https://otx.alienvault.com/

Description

Threat actors are increasingly using legitimate third-party business software to evade detection and maintain deception. Atlassian's Confluence is being exploited to host malicious content, leveraging its trusted domain status. The attack involves an email with an Excel attachment containing a DocuSign-branded image. Clicking the hyperlink redirects users to an Atlassian domain, then to a Microsoft-branded sign-in form. This technique bypasses secure email gateways and other security measures. Once credentials are entered, they are exfiltrated to the threat actor's domain. Such attacks can lead to various malicious activities, including spear phishing, business email compromises, and malware deployment. The use of trusted domains makes these attacks particularly effective and difficult to detect.

Date