A multistep phishing scheme aimed at employees that process financial documentation has been discovered by Kaspersky which says it begins when victims receive an email from the legitimate address of an auditing firm.

This initial interaction is intended to make the recipient less suspicious: like a preparatory step to ease into the main fraudulent activity.

Then a notification from the Dropbox service follows, containing malicious links to archives where cybercriminals have uploaded phishing files designed to steal credentials.

“The email appears legitimate from both a human standpoint and in terms of protection software,” explains Roman Dedenok, a security expert at Kaspersky. “It contains a plausible cover story that an official audit company has information for the recipient, complete with a disclaimer regarding sharing confidential information.

“In addition, the email contains no links or attachments and originates from an easily searchable company address, making it nearly impossible for a spam filter to detect.”

The only suspicious trait in this email is that the sender uses “Dropbox Application Secured Upload”. This service doesn’t exist. Although files uploaded to Dropbox can be password-protected, nothing more can be done.

Following this email, the perpetrators send their victims an official Dropbox notification. If the recipient is already primed to respond by the initial message there is a higher likelihood they’ll follow the link to review the document.

Clicking on the link reveals a blurred document with an authentication window on top of it. The document acts as a large button with its entire surface being a malicious link. Upon clicking, the user will see a form requesting their corporate login and password: credentials that cybercriminals seek to steal using this multistep scheme.

These attacks are considered targeted and were observed by Kaspersky in isolated instances.