Illustrates the high-level flow a user follows to fall victim to these multi-step phishing campaigns that ultimately attempt to steal credentials.

A Link, Click, and a Phish Away! Using Legitimate Domains for a Multi-Step Phishing Attack

Key points:

  • Keep Aware continues to observe multi-step phishing attacks.
  • Phishing attacks are leveraging the trust of legitimate domains as intermediate steps.
  • Attackers are bypassing traditional security controls that rely on intel feeds.
  • Stopping zero-hour browser attacks happens at the browser level.


Keep Aware has observed phishing attacks that use legitimate domains to host links that eventually lead to a credential stealing web page. This article focuses on commonalities between two recent phishing attacks that require a victim to click links on multiple legitimate domains before ultimately landing on a fake login page.

This article also breaks down how these phishing attacks are effectively bypassing traditional security controls and briefly addresses the browser blindspot and the immense advantages of analyzing web activity at the browser level.

Attack Sequence: Click…Click…Click…Phish.

In recent phishing attacks stopped by the Keep Aware browser security platform, these attacks followed a very similar progression of steps. 

  1. Email:
    An email is sent to a victim with a link to a Dropbox file.
  2. Dropbox:
    The Dropbox file prompts the user to click yet another link.
  3. Google Drawings:
    The link leads to a Google Drawings, which yet again prompts the user to click a link in order to view a ‘secure file’.
  4. Malicious Domain:
    The link takes a victim to a fake login page and attempts to steal credentials.
Diagram. Depicts the attack chain observed in recent phishing campaigns. Note the attack chain utilizes legitimate sites to host intermediate web pages.

Though users were successfully prevented from progressing through the entire attack chain and have their credentials stolen, the above chain of events showcases how people-targeted attacks are piggybacking off of multiple legitimate domains. This tactic helps bypass security controls and guides the victim to a malicious web page.

In these recent attacks, both Dropbox ( and Google Drawings ( domains were utilized; both are well-known domains. Not only are most end users familiar with and trust these domains, but so do the technologies that protect users. This type of chained credential-stealing attack can successfully bypass much of an organization’s traditional security controls because this sequence leverages the trust of legitimate and reputable domains.

Bypassing Security

To protect their employees, many organizations have most of the following security technology in place:

  • Email security
  • Firewall
  • DNS filtering
  • Web proxy
  • A browser’s built-in browsing security
  • Endpoint Detection and Response (EDR)
  • Anti-virus (AV)

From the top-down, these security tools observe network traffic to/from Dropbox and Google, two legitimate and reputable domains.  As a result, they allow the phishing email through to the employee, enabling the user to click through the chain of links. What these tools might not allow is the user to browse to the malicious domain – but often only if the domain has been reported as malicious to these tools or to the feeds these tools subscribe to.

From the bottom-up, an AV or EDR can do wonders to assist with file-based or fileless malware on the employee’s device. However, since this credential-stealing attack never places malware on the device, these tools cannot detect that the user visited a fake login page or provided their credentials to a malicious actor.

Much of the above technology heavily relies upon lists of “known bad” – or, domains that have already been reported as malicious to relevant threat intelligence feeds. However, as observed in these recent attacks, the malintent web pages and malicious domains were neither blocked by the employees’ email security solutions nor by their browsers’ built-in security (e.g., Google’s Safe Browsing); they were also not reported as malicious according to the phishing feeds Keep Aware has access to and according to the variety of vendors on VirusTotal.

Without the ability to analyze a website’s characteristics and behaviors, tools are blind to accurate web activity and thus unable to prevent zero-hour attacks happening through the browser interface.

The Browser Blindspot and Keep Aware

When it comes to employees browsing the internet, activity via the browser presents a glaring blindspot for security within organizations and across industries – and the above chained attack demonstrates that malicious actors recognize this blindspot and use it to their advantage. 

However, by analyzing a web page’s characteristics and behaviors, Keep Aware is able to prevent end users from falling victim to a wide variety of browser-based attacks. Even with domains or web pages unreported on threat intelligence feeds, analyzing web activity at the browser level empowers IT and security defenders to prevent credential theft and other types of web attacks.

Conclusion: Continued Clicks for Successful Phish

Malicious actors have been successfully utilizing email and the web to deliver and to carry out their attacks. Attackers leverage the trust of legitimate websites to trick technology and to dupe end users. Nowadays, Keep Aware also observes the use of multiple legitimate domains used in attacks to bypass traditional security controls.

To accurately identify malintent web pages hosted on legitimate sites, ensure your security controls have, at the browser level, the visibility and capability to identify and respond to malicious characteristics and behaviors without the sole reliance on threat intelligence feeds.

With insight into browser activities, defenders can accurately and rapidly identify, prevent, and respond to incidents that occur where the general workforce spends over 80% of their time: the browser.

Learn more about the browser blindspot and how your organization can better protect itself from attacks that initiate or occur via the web.