Product, Service, Component: Autodesk Drive
Impact: Shared Phishing Links
Original Publish: 4/30/2024
Severity | CVSS Score | Impact |
---|---|---|
Low | 0.1 - 3.9 | A vulnerability where scope and impact of exploitation is restricted and the ability to exploit is extremely difficult. |
Medium | 4.0 - 6.9 | A vulnerability where exploitation is mitigated by factors such as difficulty to exploit, default configuration or ease of identification. |
High | 7.0 - 8.9 | A vulnerability, which if exploited, would directly impact the confidentiality, integrity or availability of user's data or processing resources. |
Critical | 9.0 - 10 | A vulnerability, which if exploited, would allow remote execution of malicious code without user action. |
In March, Autodesk was made aware of an incident where an external user published documents to Autodesk Drive containing links to a phishing web site. Our Cyber Threat Management & Response Team immediately responded to this incident, and the malicious files are no longer being hosted on Autodesk Drive. No customers have reported being impacted by this incident.
A common security attack is to embed malicious links in documents to propagate phishing campaigns, fraud and scams. Autodesk Drive is a cloud storage solution that allows individuals and small teams to organize, preview, and share design and model data within various file types, including PDFs. A recent phishing campaign involved both Autodesk Drive and Microsoft OneDrive: hackers uploaded PDF documents containing links to a phishing web site, where recipients were instructed to input their Microsoft credentials.
In addition to continually monitoring our services for malicious use, Autodesk provides security controls within our products to help customers lower their susceptibility to phishing attempts like these. To reduce the risk of a phishing attempt, please make sure you follow the recommendations below:
- Please be cautious when enabling public link sharing. Public link sharing in Autodesk Docs is turned off by default. This means file sharing recipients must be authorized to use Autodesk Docs and be logged in to view the document.
- Use Autodesk’s 2-step verification setting for your accounts to reduce the risk of an attacker accessing your Autodesk account.
We also recommend employing the following best practices to identify and report suspected malicious links and files:
When receiving an email with an embedded link or attached file, employ healthy skepticism:
- Is the email address and/or username familiar? Do you know the user?
- Were you expecting to receive a shared file from this user?
  - If the answer is no, avoid clicking links within the email or opening file attachments.
- Does the email convey a sense of urgency or use threats? Phishing emails often use urgent language or threats to create a sense of panic.
- Is the sender requesting personal or sensitive information? A legitimate sender should never ask for sensitive information like credit card numbers, insurance or Social Security numbers via email. Be wary of any email requesting such information.
If you receive a suspicious link, report it to the Autodesk Incident Response Team via this contact form. Include a description of how you received the link and the full URL of the link.
You can also contact us with other inquiries here. If we find any violation of Autodesk Acceptable Use Policy, such as phishing, malware, or spam, we will take immediate action.
We are committed to continuous improvement of our security scanning capabilities to prevent bad actors from misusing our cloud services to host malicious content or any other violation of Autodesk policies.
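For teams that receive shared PDFs, the following added example (not Autodesk's scanning code) shows one way to list the link targets embedded in a PDF, including links inside Flate-compressed streams, and to flag hosts outside an expected set so the full URL can be reported. The function names, the `EXPECTED_HOSTS` values and the sample PDF bytes are assumptions constructed for this illustration.

```python
import re
import zlib
from urllib.parse import urlsplit

# Assumption: domains this organization expects in shared PDFs (placeholders).
EXPECTED_HOSTS = {"autodesk.com", "example.org"}
STREAM_RE = re.compile(rb"stream\r?\n(.*?)endstream", re.S)
# Target of a /URI action, written as a literal "(...)" or hex "<...>" string.
URI_RE = re.compile(rb"/URI\s*(?:\(((?:\\.|[^\\()])*)\)|<([0-9A-Fa-f\s]*)>)")

# Constructed sample: one plain link object and one link inside a Flate stream.
_ANNOT = b"<< /Subtype /Link /A << /S /URI /URI (https://login.phish.example/signin) >> >>"
SAMPLE_PDF = (
    b"%PDF-1.7\n1 0 obj << /A << /S /URI /URI (https://www.autodesk.com/trust) >> >> endobj\n"
    b"2 0 obj << /Filter /FlateDecode >>\nstream\n" + zlib.compress(_ANNOT) + b"\nendstream endobj\n"
)

def _chunks(pdf: bytes):
    """Yield the raw file, then every stream body that inflates as zlib data."""
    yield pdf
    for m in STREAM_RE.finditer(pdf):
        try:
            yield zlib.decompressobj().decompress(m.group(1))  # ignores trailing EOL
        except zlib.error:
            continue  # image data, another filter, or encrypted content

def extract_links(pdf: bytes) -> list[str]:
    """Return the de-duplicated /URI targets found in the PDF bytes."""
    urls = []
    for chunk in _chunks(pdf):
        for lit, hexstr in URI_RE.findall(chunk):
            if hexstr:
                digits = re.sub(rb"\s", b"", hexstr).decode()
                raw = bytes.fromhex(digits + "0" * (len(digits) % 2))
            else:
                raw = re.sub(rb"\\(.)", rb"\1", lit)  # drop the escaping backslash
            if raw:
                urls.append(raw.decode("latin-1"))
    return list(dict.fromkeys(urls))

def unexpected_links(pdf: bytes) -> list[str]:
    """Return links whose host is not an expected domain or a subdomain of one."""
    flagged = []
    for url in extract_links(pdf):
        try:
            host = (urlsplit(url).hostname or "").lower()
        except ValueError:
            host = ""  # unparseable URL: treat as unexpected
        if not any(host == h or host.endswith("." + h) for h in EXPECTED_HOSTS):
            flagged.append(url)
    return flagged
```

Encrypted PDFs and streams using filters other than FlateDecode are not decoded by this sketch, so an empty result does not mean a file has no links.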
INFORMATION IN THIS DOCUMENT IS PROVIDED “AS IS” IN CONNECTION WITH AUTODESK PRODUCTS. AUTODESK AND/OR ITS RESPECTIVE SUBSIDIARIES, AFFILIATES, SUPPLIERS AND LICENSORS AND ITS AND THEIR DIRECTORS, OFFICERS, EMPLOYEES, AGENTS AND REPRESENTATIVES MAKE NO REPRESENTATIONS ABOUT THE SITE, ANY PRODUCTS AND SERVICES CONTAINED ON THE SITE OR THE SUITABILITY OF THE INFORMATION CONTAINED IN THE MATERIALS, INFORMATION, CONTENT, DOCUMENTS, AND RELATED GRAPHICS PUBLISHED ON THIS SITE FOR ANY PURPOSE. THE SITE, ANY PRODUCTS OR SERVICES (INCLUDING WITHOUT LIMITATION, THIRD PARTY PRODUCTS AND SERVICES) OBTAINED THROUGH THE SITE, AND ALL SUCH INFORMATION, CONTENT, DOCUMENTS, AND RELATED GRAPHICS ARE PROVIDED FOR YOUR USE AT YOUR OWN RISK AND "AS IS" WITHOUT WARRANTY OF ANY KIND. AUTODESK AND/OR ITS RESPECTIVE SUBSIDIARIES, AFFILIATES, SUPPLIERS AND LICENSORS HEREBY DISCLAIM ALL WARRANTIES AND CONDITIONS WITH REGARD TO THIS SITE, SUCH PRODUCTS AND SERVICES AND SUCH INFORMATION, CONTENT, DOCUMENTS, AND RELATED GRAPHICS, INCLUDING ALL IMPLIED WARRANTIES AND CONDITIONS OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE, TITLE, AND NON-INFRINGEMENT.