Unlike a typical spray-and-pray phishing campaign, the Dropbox attacker knew precisely how to capture both the password and the one-time code from a hardware token, and how to use them before the code expired.

Phishing Strikes Again in Dropbox Breach

On November 1st, 2022, Dropbox confirmed that a threat actor had breached the company and accessed credentials, data, and other proprietary information held in GitHub code repositories. Like so many breaches before it, this one began with a single person, a Dropbox developer, falling victim to phishing. Dropbox is only one of many organizations breached through sophisticated phishing campaigns recently.

Over the last few years, phishing campaigns have grown sharply in both volume and sophistication. According to Cybertalk, 83% of organizations reported experiencing phishing attacks in 2021, and a further six billion attacks were expected to occur in 2022.

It is unsurprising that phishing attacks have grown so rapidly, as research shows that at least a quarter of all data breaches can be traced to some degree of human error. In this case, the developer not only interacted with a phishing email imitating CircleCI but also entered, on the attacker's landing page, both their login credentials and a One-Time Password (OTP) generated by a hardware token. An OTP is valid for a short window no matter which site it is typed into, so the attacker only had to relay the captured credentials and code to the real login page before the code expired, which is how the accounts were accessed.

Hardware tokens are often assumed to be unphishable, but that holds only for authenticators that bind each login to the site's origin (the FIDO2/WebAuthn model): a token that merely displays or emits a code gives the user a value that works wherever it is typed, and a real-time relay defeats it. This breach should once again remind organizations that a zero-trust posture, in addition to prompt and ongoing training, is a security necessity. A team that is trained to spot possible phishing emails, combined with an industry-leading security partner, is at a great advantage. Phishing-resistant multi-factor authentication is broadly encouraged. Assuming that traditional identity security measures are an antidote to sophisticated attacks simply isn't working anymore: organizations have to adopt a newer and even stricter "zero trust" posture in which the assumption is that attackers can pass security challenges one way or another.
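To make the difference concrete, here is a small added example (written for this edit; it is not code from the original post, nor from Dropbox, GitHub or Twosense) that models both sides of the Dropbox-style relay. A victim's hardware token produces an RFC 6238 TOTP code, the attacker forwards it to the real service a few seconds later, and the server accepts it because nothing in the code says which site it was meant for. The same relay against an origin-bound authenticator fails, because the browser, not the user, fills in the origin that gets signed. The origins, keys and timestamps are invented, and an HMAC with a per-device key stands in for the asymmetric signature a real authenticator would produce, so that the example runs with only the Python standard library.

```python
"""Added example, not code from the original post or from Dropbox, GitHub or
Twosense: a constructed, offline model of why a hardware OTP token can be
phished by a real-time relay while an origin-bound authenticator (the
FIDO2/WebAuthn model) cannot. Origins, keys and timestamps are invented."""
import hashlib
import hmac
import json
import secrets
import struct

REAL_ORIGIN = "https://github.example"            # hypothetical real login page
PHISH_ORIGIN = "https://circleci-login.example"   # hypothetical look-alike page


# --- Hardware OTP token: RFC 6238 TOTP, the kind of code a key in OTP mode emits ---
def totp(secret: bytes, at: int, step: int = 30, digits: int = 6) -> str:
    """HOTP (RFC 4226 dynamic truncation) over the current 30-second time step."""
    counter = struct.pack(">Q", at // step)
    mac = hmac.new(secret, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = (struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF) % (10 ** digits)
    return f"{code:0{digits}d}"


def server_verify_otp(secret: bytes, code: str, at: int) -> bool:
    """Typical server check: accept the current step and one step either side for clock skew."""
    return any(hmac.compare_digest(totp(secret, at + d), code) for d in (-30, 0, 30))


def otp_relay_attack(token_secret: bytes, at: int) -> bool:
    """Victim types password + OTP into the phishing page; the attacker submits both
    to the real service a few seconds later. The code carries no information about
    which site it was meant for, so the real server accepts it.
    Returns True if the attacker gets in."""
    victim_code = totp(token_secret, at)                        # produced by the victim's token
    return server_verify_otp(token_secret, victim_code, at + 5)  # relayed 5 seconds later


# --- Origin-bound authenticator: the WebAuthn model, simplified ---
# A real authenticator signs with an asymmetric key pair; HMAC with a per-device
# key stands in for that signature so the example needs only the standard library.
def authenticator_sign(device_key: bytes, challenge: bytes, origin: str) -> dict:
    """The browser, not the user, supplies the origin the page was served from,
    and the authenticator signs over challenge and origin together."""
    client_data = json.dumps({"challenge": challenge.hex(), "origin": origin},
                             sort_keys=True).encode()
    sig = hmac.new(device_key, client_data, hashlib.sha256).hexdigest()
    return {"client_data": client_data, "sig": sig}


def rp_verify(device_key: bytes, assertion: dict, challenge: bytes, expected_origin: str) -> bool:
    """The relying party rejects the assertion unless it was signed for its own
    origin and for the challenge it just issued."""
    data = json.loads(assertion["client_data"])
    if data["origin"] != expected_origin or data["challenge"] != challenge.hex():
        return False
    expected = hmac.new(device_key, assertion["client_data"], hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, assertion["sig"])


def webauthn_honest_login(device_key: bytes) -> bool:
    """Normal login: the user is really on REAL_ORIGIN, so the signed origin matches."""
    challenge = secrets.token_bytes(32)
    assertion = authenticator_sign(device_key, challenge, REAL_ORIGIN)
    return rp_verify(device_key, assertion, challenge, REAL_ORIGIN)


def webauthn_relay_attack(device_key: bytes) -> bool:
    """Same relay as above: the attacker forwards the real challenge to the victim,
    but the victim's browser is on PHISH_ORIGIN, so that is what gets signed and
    the real relying party refuses it. Returns True if the attacker gets in."""
    challenge = secrets.token_bytes(32)        # issued by the real RP, relayed by the attacker
    assertion = authenticator_sign(device_key, challenge, PHISH_ORIGIN)
    return rp_verify(device_key, assertion, challenge, REAL_ORIGIN)


if __name__ == "__main__":
    now = 1_700_000_000  # constructed timestamp
    print("OTP relay succeeds:     ", otp_relay_attack(b"token-seed", now))   # True
    print("WebAuthn honest login:  ", webauthn_honest_login(b"device-key"))    # True
    print("WebAuthn relay succeeds:", webauthn_relay_attack(b"device-key"))    # False
```

The skew tolerance in server_verify_otp is the detail worth noticing: servers accept a code for up to a minute or so precisely so that honest users with slow clocks are not locked out, and that same tolerance is what gives a relaying attacker the time to use the stolen code. No amount of user training changes that arithmetic; only binding the credential to the origin does.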

Twosense has developed a first-of-its-kind Continuous Multi-factor Authentication that is phishing-resistant by design. Built on zero-trust principles, the Twosense MFA solution allows continuous identity verification without requiring a mobile device or any additional OTP hardware. Passive behavioral biometrics automate the authentication of users, ensuring that there are no passwords or OTPs to be stolen in the event of an attack. Automating the MFA challenge-response with behavioral biometrics has the additional benefit that what a user's own judgement missed can still be caught.

Deploying phishing-resistant MFA lets organizations recognize the moment an account has been compromised and respond immediately. In a scenario like Dropbox's, an attacker whose machine did not have the Twosense agent would have gotten no further than the stolen credentials. If the attacker instead used RDP to work from the compromised user's machine, the behavioral mismatch would have been identified and action could have been taken immediately.

Phishing campaigns show no sign of slowing down, and proactive preparation is one of the best ways to prevent a data breach. To see how Twosense Continuous MFA can help your organization become phishing-resistant, schedule a one-on-one demo with our team here.
