Pierluigi Paganini July 30, 2024

Researchers detected a sophisticated phishing campaign targeting Microsoft OneDrive users to trick them into executing a PowerShell script.

Over the past few weeks, the Trellix Advanced Research Center observed a sophisticated phishing campaign targeting Microsoft OneDrive users. Threat actors rely on social engineering tactics to trick users into executing a PowerShell script, which leads to their systems being compromised.

The attack chain starts by tricking the recipient into clicking a button that claims to explain how to fix a DNS issue, suggesting that resolving this issue will grant access to a desired file.

“The attack unfolds as follows: the victim receives an email containing an .html file. When this .html file is opened, it displays an image designed to create a sense of urgency about accessing the document, thereby increasing the likelihood that the user will follow the provided instructions.” reads the report published by Trellix. “The image simulates a Microsoft OneDrive page displaying a file named “Reports.pdf” and a window titled “Error 0x8004de86” with the following error message: “Failed to connect to the ‘OneDrive’ cloud service. To fix the error, you need to update the DNS cache manually.” This window features two buttons: “Details” and “How to fix.” Notably, Error 0x8004de80 is a legitimate issue that can occur when signing in to OneDrive.”

Clicking the “Details” button directs the user to a legitimate Microsoft Learn page on “Troubleshooting DNS.”

Upon clicking on the “How to fix” the recipient is instructed to follow a series of steps, which includes specific instructions to open the Quick Link menu (Windows Key + X), access the Windows PowerShell terminal, paste a command, and execute it to supposedly solve the problem.

“The command, as illustrated above, first runs ipconfig /flushdns, then creates a folder on the C: drive named “downloads.” Subsequently, it downloads an archive file into this location, renames it, extracts its contents (“script.a3x” and “AutoIt3.exe”), and executes script.a3x using AutoIt3.exe. Finally, the following message is displayed: “The operation completed successfully, please reload the page.”” continues the report.

Trellix reported that most of the users targeted by this campaign are in the U.S. (40%), South Korea (17%), Germany (14%), and India (10%).

“The global distribution of this attack highlights the need for international cooperation and intelligence sharing to effectively combat these threats.” concludes the report and also provides Indicators of compromise (IoCs).

Follow me on Twitter: @securityaffairs and Facebook and Mastodon

Pierluigi Paganini

(SecurityAffairs – hacking, phishing)