More Than Just a Corporate Wiki? How Threat Actors are Exploiting Confluence

Oct. 30, 2024, 9:31 p.m.

Description

Threat actors are increasingly using legitimate third-party business software to evade detection and keep their lures credible. Atlassian's Confluence is being abused to host malicious content, taking advantage of the trust placed in its domain. The attack begins with an email carrying an Excel attachment that contains a DocuSign-branded image. Clicking the hyperlink redirects the user to an Atlassian domain and then to a Microsoft-branded sign-in form. This technique bypasses secure email gateways and other security measures. Once credentials are entered, they are exfiltrated to the threat actor's domain. Such attacks can lead to further malicious activity, including spear phishing, business email compromise, and malware deployment. The use of trusted domains makes these attacks particularly effective and difficult to detect.

Date

Published: Oct. 30, 2024, 10:21 a.m.

Created: Oct. 30, 2024, 10:21 a.m.

Modified: Oct. 30, 2024, 9:31 p.m.

Indicators

82.180.130.33

https://kilgoreind.atlassian.net/wiki/external/ZTRhODM1N2U5Mzk5NGJmY2FmZWQ4NjI3YTVhNzhhYzA

Attack Patterns

T1193

T1534

T1199

T1102

T1192

T1204

T1056

T1566

T1078