Summary: A sophisticated phishing campaign targeting Microsoft OneDrive users has been observed, utilizing social engineering tactics to compromise systems through a malicious PowerShell script. The attack involves deceiving users into believing they need to resolve a DNS issue to access important files, leading them to execute harmful commands.
Threat Actor: Unknown | unknown
Victim: Microsoft OneDrive users | Microsoft OneDrive users
Key Point :
- The phishing attack begins with an email containing an .html file that simulates a Microsoft OneDrive error message.
- Victims are tricked into executing a PowerShell command that downloads and runs malicious scripts, compromising their systems.
- The campaign has primarily targeted users in the U.S., South Korea, Germany, and India, emphasizing the need for global cooperation in cybersecurity efforts.
Over the past few weeks, the Trellix Advanced Research Center observed a sophisticated phishing campaign targeting Microsoft OneDrive users. Threat actors rely on social engineering tactics to trick users into executing a PowerShell script, which leads to their systems being compromised.
The attack chain starts by tricking the recipient into clicking a button that claims to explain how to fix a DNS issue, suggesting that resolving this issue will grant access to a desired file.
“The attack unfolds as follows: the victim receives an email containing an .html file. When this .html file is opened, it displays an image designed to create a sense of urgency about accessing the document, thereby increasing the likelihood that the user will follow the provided instructions.” reads the report published by Trellix. “The image simulates a Microsoft OneDrive page displaying a file named “Reports.pdf” and a window titled “Error 0x8004de86” with the following error message: “Failed to connect to the ‘OneDrive’ cloud service. To fix the error, you need to update the DNS cache manually.” This window features two buttons: “Details” and “How to fix.” Notably, Error 0x8004de80 is a legitimate issue that can occur when signing in to OneDrive.”
Clicking the “Details” button directs the user to a legitimate Microsoft Learn page on “Troubleshooting DNS.”
Upon clicking on the “How to fix” the recipient is instructed to follow a series of steps, which includes specific instructions to open the Quick Link menu (Windows Key + X), access the Windows PowerShell terminal, paste a command, and execute it to supposedly solve the problem.
“The command, as illustrated above, first runs ipconfig /flushdns, then creates a folder on the C: drive named “downloads.” Subsequently, it downloads an archive file into this location, renames it, extracts its contents (“script.a3x” and “AutoIt3.exe”), and executes script.a3x using AutoIt3.exe. Finally, the following message is displayed: “The operation completed successfully, please reload the page.”” continues the report.
Trellix reported that most of the users targeted by this campaign are in the U.S. (40%), South Korea (17%), Germany (14%), and India (10%).
“The global distribution of this attack highlights the need for international cooperation and intelligence sharing to effectively combat these threats.” concludes the report and also provides Indicators of compromise (IoCs).
Follow me on Twitter: @securityaffairs and Facebook and Mastodon
(SecurityAffairs – hacking, phishing)
Source: https://securityaffairs.com/166312/hacking/microsoft-onedrive-phishing.html