Cybersecurity experts have identified a new phishing campaign targeting Microsoft OneDrive users, aiming to deploy a malicious PowerShell script.
“This campaign leverages social engineering tactics to trick users into executing a PowerShell script, compromising their systems,” explained Trellix security researcher Rafael Pena in a recent analysis.
The campaign, dubbed “OneDrive Pastejacking” by the cybersecurity firm, it involves a sophisticated phishing and downloader strategy. The attack begins with an email containing an HTML file that, when opened, displays a fake OneDrive page accompanied by an error message stating: “Failed to connect to the ‘OneDrive’ cloud service. To fix the error, you need to update the DNS cache manually.”
The email provides two options: “How to fix” and “Details”. While “Details” leads to a legitimate Microsoft Learn page on Troubleshooting DNS, clicking “How to fix” instructs the user to press “Windows Key + X”, open the PowerShell terminal, and paste a Base64-encoded command, purportedly to resolve the issue.
“The command starts by executing ‘ipconfig /flushdns’, then creates a directory on the C: drive named ‘downloads,'” Pena noted. “It proceeds to download an archive, rename it, extract its contents (‘script.a3x’ and ‘AutoIt3.exe’), and execute script.a3x using AutoIt3.exe.”
The campaign has been detected targeting individuals in countries including the U.S., South Korea, Germany, India, Ireland, Italy, Norway, and the U.K.
This revelation aligns with findings from ReliaQuest, Proofpoint, and McAfee Labs, indicating a rise in phishing attacks utilizing this method, also known as ClickFix.
This discovery coincides with the identification of another email-based social engineering campaign distributing fake Windows shortcut files that execute malicious payloads hosted on Discord’s Content Delivery Network (CDN).
Image Provided by Perception Point
Phishing campaigns have increasingly employed a tactic involving emails that contain links to Microsoft Office Forms, originating from previously compromised legitimate email accounts. These emails trick targets into providing their Microsoft 365 login credentials under the pretense of restoring their Outlook messages.
“Attackers craft authentic-looking forms on Microsoft Office Forms, embedding malicious links within,” explained Perception Point. “These forms are then mass-distributed via email, masquerading as legitimate requests such as password changes or access to important documents, and often impersonate trusted platforms and brands like Adobe or Microsoft SharePoint document viewer.”
Additionally, other attack waves have used invoice-themed lures to deceive victims into entering their credentials on phishing pages hosted on Cloudflare R2. The stolen credentials are then exfiltrated to the attackers via a Telegram bot.
It is not surprising that adversaries continually seek new methods to covertly bypass Secure Email Gateways (SEGs) to enhance the effectiveness of their attacks.
A recent report from Cofense revealed that malicious actors exploit how SEGs scan ZIP archive attachments to deliver the Formbook information stealer via DBatLoader (also known as ModiLoader and NatsoLoader).
Specifically, they disguise the HTML payload as an MPEG file to avoid detection, taking advantage of the fact that many common archive extractors and SEGs inspect the file header but ignore the file footer, which may provide more accurate information about the file format.
“The threat actors used a .ZIP archive attachment, and when the SEG scanned the contents, the archive appeared to contain an .MPEG video file and was not blocked or filtered,” the company reported. “Upon opening with popular archive extraction tools like 7-Zip or Power ISO, the archive seemed to contain an .MPEG video file, which would not play. However, when opened in an Outlook client or via the Windows Explorer archive manager, the .MPEG file was correctly identified as an .HTML file.”
Source: TheHackerNews
