Cybersecurity researchers are warning about a new phishing campaign targeting Microsoft OneDrive users with the goal of running malicious PowerShell scripts.
“This attack relies heavily on social engineering tactics to trick users into running PowerShell scripts, compromising their systems,” Trellix security researcher Rafael Pena said in an analysis on Monday.
Cybersecurity companies are tracking a “sophisticated” phishing and downloader campaign under the name “OneDrive Pastejacking.”
The attack is delivered via email containing an HTML file that, when opened, displays an image simulating a OneDrive page and displays the error message “Failed to connect to ‘OneDrive’ cloud service. To fix the error, you must manually update your DNS cache.”
The message also contains two options: “How to fix” and “Learn more,” the latter of which directs the email recipient to a legitimate Microsoft Learn page on troubleshooting DNS.
However, upon clicking “How to fix,” users are prompted to follow a series of steps, including pressing “Windows key + X” to open the quick links menu, launching a PowerShell terminal, and pasting a Base64 encoded command to fix the issue.
“The command first runs ipconfig /flushdns, then creates a folder named ‘downloads’ on the C: drive,” Pena explains. “It then downloads an archive file to this location, renames and extracts its contents (‘script.a3x’ and ‘AutoIt3.exe’), and runs script.a3x using AutoIt3.exe.”
The campaign has been observed targeting users in the United States, South Korea, Germany, India, Ireland, Italy, Norway and the United Kingdom.
The revelation builds on similar findings from ReliaQuest, Proofpoint and McAfee Labs, and indicates that phishing attacks using this technique, also tracked as ClickFix, are becoming increasingly prevalent.
This development comes amid the discovery of a new email-based social engineering campaign distributing fake Windows shortcut files that lead to the execution of malicious payloads hosted on Discord’s content delivery network (CDN) infrastructure.
We are also seeing an increasing number of phishing campaigns, including Microsoft Office forms submitted from previously compromised, legitimate email accounts, enticing targets to click on a seemingly innocuous link and divulge their Microsoft 365 login credentials.
“Attackers disguise legitimate forms on Microsoft Office Forms and embed malicious links within the forms,” Perception Point said. “These forms are then mass-sent to targets via email, mimicking trusted platforms and brands such as Adobe or Microsoft SharePoint document viewer, and posing as legitimate requests such as changing a password or accessing important documents.”
Additionally, other attack waves have used invoice-themed lures to trick victims into sharing their credentials on a phishing page hosted on Cloudflare R2, which then leaks them to threat actors via a Telegram bot.
It’s no surprise that attackers are constantly looking for different ways to smuggle malware past Secure Mail Gateways (SEGs) to increase the success of their attacks.
According to a recent report from Cofense, malicious actors are exploiting the way SEG scans ZIP archive attachments to deliver the Formbook information stealer via DBatLoader (also known as ModiLoader and NatsoLoader).
Specifically, it disguises its HTML payload as an MPEG file to evade detection, taking advantage of the fact that many common archive extractors and SEGs parse file header information, but ignore the file footer, which may contain more precise information about the file format.
“The threat actors leveraged .ZIP archive attachments, and when SEG scanned the file contents, it detected that the archive contained .MPEG video files, which were not blocked or filtered,” the company noted.
“When this attachment is opened in a common archive extraction tool such as 7-Zip or Power ISO, it appears to also contain an .MPEG video file, but it will not play. However, if the archive is opened in an Outlook client or Windows Explorer Archive Manager, the .MPEG file is (correctly) detected as an .HTML (file).”
