Threat actors are using messages sent from Dropbox to steal Microsoft user credentials in a fast-growing business email compromise (BEC) campaign. The effort evades natural language processing (NLP)-based security scans, and demonstrates the rapid evolution of these types of attacks.

Researchers at Check Point Harmony observed more than 5,000 of the attacks — in which fake login pages lead victims to a credential-harvesting site — in the first two weeks of September alone, they revealed in a recent blog post. They informed Dropbox of the campaign’s existence on Sept. 18.