How Not to Fall for the OneDrive Phishing Scam
Cybersecurity researchers have identified a new phishing campaign targeting Microsoft OneDrive users. This campaign aims to execute a malicious PowerShell script, compromising users' systems. Trellix security researcher Rafael Pena shared insights on this threat, which the cybersecurity company is tracking under the name OneDrive Pastejacking.
Social Engineering at Its Core
The OneDrive Pastejacking campaign relies heavily on social engineering. Users receive an email containing an HTML file that mimics a OneDrive error page. The error message claims that the user must manually update the DNS cache to resolve the issue.
Upon opening the HTML file, users are presented with two options: "How to fix" and "Details." While the "Details" option directs users to a legitimate Microsoft Learn page on Troubleshooting DNS, the "How to fix" option leads them through a series of steps. These steps include opening the PowerShell terminal and pasting a Base64-encoded command.
Malicious Command Execution
The command first runs ipconfig /flushdns, then creates a folder named "downloads" on the C: drive. It proceeds to download an archive file, extract its contents (script.a3x and AutoIt3.exe), and execute script.a3x using AutoIt3.exe.
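As an added example (not part of the original article or of Trellix's research), the following Python sketch shows how a defender could flag the chain described above in process-creation telemetry: it decodes PowerShell -EncodedCommand arguments and looks for the article's indicators (DNS flush, C:\downloads, AutoIt3.exe, script.a3x), and separately flags AutoIt3.exe launched by PowerShell, because a command pasted into an already-open shell never appears in that shell's own command line. The event fields and the sample events are constructed, not captured telemetry.

```python
import base64
import re

# Indicators taken from the chain described in the article.
INDICATORS = ("ipconfig /flushdns", "c:\\downloads", "autoit3.exe", "script.a3x")
# -EncodedCommand and its abbreviations; the argument is Base64 of UTF-16LE text.
ENCODED_RE = re.compile(r"-(?:e|ec|enc|encodedcommand)\s+([A-Za-z0-9+/=]{16,})", re.IGNORECASE)

def decode_encoded_command(cmdline):
    """Cleartext of a -EncodedCommand argument, or None if absent or undecodable."""
    match = ENCODED_RE.search(cmdline)
    if not match:
        return None
    try:
        return base64.b64decode(match.group(1), validate=True).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return None

def indicators_in(event):
    """Indicators found in the image path, the raw command line and its decoded form."""
    text = (event["image"] + " " + event["cmdline"]).lower()
    decoded = decode_encoded_command(event["cmdline"])
    if decoded:
        text += " " + decoded.lower()
    return [i for i in INDICATORS if i in text]

def assess(event):
    """Verdict for one process-creation event (constructed fields: image, parent, cmdline)."""
    hits = indicators_in(event)
    image, parent = event["image"].lower(), event["parent"].lower()
    # Pasted text never appears in the shell's own command line; catch the second stage too.
    if image.endswith("autoit3.exe") and (parent.endswith("powershell.exe") or image.startswith("c:\\downloads")):
        return "alert", hits
    # A lone DNS flush is routine admin activity; require two indicators before alerting.
    return ("alert" if len(hits) >= 2 else "ok"), hits

def encode_ps(text):
    """Build a -EncodedCommand value the way PowerShell expects it (used for the samples)."""
    return base64.b64encode(text.encode("utf-16-le")).decode()

PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
SAMPLE_EVENTS = [  # constructed telemetry, not captured from a real incident
    {"image": PS, "parent": r"C:\Windows\explorer.exe",
     "cmdline": "powershell.exe -enc " + encode_ps(
         r"ipconfig /flushdns; mkdir C:\downloads; <archive-download-placeholder>; C:\downloads\AutoIt3.exe C:\downloads\script.a3x")},
    {"image": r"C:\downloads\AutoIt3.exe", "parent": PS,
     "cmdline": r"C:\downloads\AutoIt3.exe C:\downloads\script.a3x"},
    {"image": r"C:\Windows\System32\ipconfig.exe", "parent": r"C:\Windows\System32\cmd.exe",
     "cmdline": "ipconfig /flushdns"},
]
```

Running assess() over the three samples yields an alert for the encoded PowerShell launch and for the AutoIt3 child, but not for the plain DNS flush, which is the false-positive case a lone indicator would otherwise trigger.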
Global Reach
This campaign has been observed targeting users in multiple countries, including the U.S., South Korea, Germany, India, Ireland, Italy, Norway, and the U.K. Similar findings from ReliaQuest, Proofpoint, and McAfee Labs indicate that such phishing attacks are becoming increasingly prevalent.
Evolving Phishing Techniques
The discovery of this campaign comes alongside another email-based social engineering attack distributing bogus Windows shortcut files. These lead to malicious payloads hosted on Discord's Content Delivery Network (CDN). Additionally, phishing campaigns are increasingly sending emails with links to Microsoft Office Forms to harvest Microsoft 365 login credentials.
Deceptive Forms and Invoice Lures
Attackers create legitimate-looking forms on Microsoft Office Forms, embed malicious links in them, and send them en masse via email. These emails appear to be legitimate requests, such as changing passwords or accessing important documents. Other phishing campaigns use invoice-themed lures, tricking victims into entering credentials on pages hosted on Cloudflare R2, with the stolen data exfiltrated via a Telegram bot.
Bypassing Secure Email Gateways
Adversaries continuously seek ways to bypass Secure Email Gateways (SEGs). A recent Cofense report highlights how attackers abuse SEG scanning of ZIP archive attachments to deliver the Formbook information stealer via DBatLoader. This involves disguising HTML payloads as MPEG files, which many archive extractors and SEGs misinterpret, allowing the malicious files to evade detection.
The evolving tactics of phishing campaigns underscore the importance of vigilance and advanced security measures. Users should be wary of unexpected emails and thoroughly verify the authenticity of any instructions before executing commands or providing sensitive information.