Early this morning, Denmark, Germany and several surrounding Scandinavian countries were hit with a large-volume malware attack. The attackers leveraged the legitimate cloud storage service Dropbox to host their malware payloads while attempting to disguise the links with random strings of characters and varying filenames. In the past 12 hours, we have quarantined thousands of these messages, which represents only a small percentage of the total message volume.
The messages purport to contain shipping details along with a fake "invoice."
We have seen just about every file hosting service being abused at one point or another, but Dropbox remains a very popular vector for attackers. Dropbox did identify and disable these links a short time after the attack happened, but there was still a window of opportunity, which is often all the attackers are looking for. Lately we have seen more email providers tighten restrictions on what types of files can be sent or received as attachments. In response, malware distributors, who are always looking for a weakness to exploit, have embraced file sharing as an alternative means to distribute those malicious files. We expect this trend to continue throughout the year.