A sophisticated phishing campaign targeting Microsoft OneDrive users has been uncovered by security researchers [1] [3], utilizing advanced social engineering tactics to compromise systems.
Description
The attack begins with an email carrying an HTML attachment [2]. Opening the file displays an image that imitates a OneDrive page with an error message, telling the user that a DNS issue must be resolved before the file can be accessed, and offering two buttons [2]. Clicking the button that claims to fix the DNS issue and grant access to the file [3] runs a JavaScript function that decodes a Base64-encoded string, copies the resulting command to the clipboard, and instructs the user to paste and run it in a Windows PowerShell terminal [2]. This technique is known as “pastejacking”: the victim, not the attacker, pastes and executes the malicious PowerShell script [3]. The pasted command downloads an archive file, extracts its contents, and runs a script from it [2]. The majority of targeted users are in the US, South Korea, Germany, and India [1], highlighting the need for international cooperation to combat such threats [1].
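A defender-side check, added here as an example and not taken from any of the cited reports: it scans an HTML attachment for the combination described above (a click handler that decodes a Base64 literal, writes it to the clipboard, and whose decoded text invokes PowerShell). The sample lure, its placeholder command, and the function names are constructed for the example.

```python
import base64
import binascii
import re

# Constructed sample of a pastejacking lure (not the campaign's real file): a fake
# OneDrive "DNS error" page whose button decodes a Base64 string and copies it to
# the clipboard. The decoded command here is a harmless placeholder.
_PLACEHOLDER_CMD = b"powershell -Command Write-Host CONSTRUCTED-SAMPLE"
SAMPLE_LURE_HTML = """<html><body>
<p>OneDrive could not open the file: DNS error. Click "How to fix".</p>
<button onclick="fixDns()">How to fix</button>
<script>
function fixDns() {
  var cmd = atob("%s");
  navigator.clipboard.writeText(cmd);
  alert("Press Win+R, paste the fix, then press Enter");
}
</script></body></html>""" % base64.b64encode(_PLACEHOLDER_CMD).decode()

# Clipboard write primitives a lure needs in order to plant the command.
CLIPBOARD_WRITE = re.compile(
    r"navigator\.clipboard\.writeText|execCommand\(\s*['\"]copy['\"]\s*\)", re.I)
# Base64 literals passed to atob(); very short strings are ignored to limit noise.
ATOB_LITERAL = re.compile(r"atob\(\s*['\"]([A-Za-z0-9+/=]{16,})['\"]\s*\)")
# What the decoded text must look like to count: a PowerShell invocation.
POWERSHELL_HINT = re.compile(r"\b(?:powershell|pwsh)\b", re.I)


def decode_atob_literals(html: str) -> list[str]:
    """Return the decoded text of every well-formed Base64 literal given to atob()."""
    decoded = []
    for match in ATOB_LITERAL.finditer(html):
        try:
            raw = base64.b64decode(match.group(1), validate=True)
        except (binascii.Error, ValueError):
            continue  # not valid Base64; skip rather than guess
        decoded.append(raw.decode("utf-8", errors="replace"))
    return decoded


def analyze_lure(html: str) -> dict:
    """Flag HTML that both writes to the clipboard and hides a PowerShell command in Base64."""
    commands = [t for t in decode_atob_literals(html) if POWERSHELL_HINT.search(t)]
    writes_clipboard = CLIPBOARD_WRITE.search(html) is not None
    return {
        "clipboard_write": writes_clipboard,
        "decoded_commands": commands,
        "pastejacking_suspected": writes_clipboard and bool(commands),
    }


if __name__ == "__main__":
    print(analyze_lure(SAMPLE_LURE_HTML))
```

A clipboard write alone is common in legitimate pages; the decoded-command condition is what separates this lure pattern from a normal "copy link" button.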
Conclusion
This campaign underscores the constant risk of social engineering in cybersecurity and the importance of educating employees and reinforcing security measures within enterprises [2]. It is crucial for organizations to stay vigilant and implement robust security protocols to defend against such attacks in the future.
References
[1] https://sempreupdate.com.br/linux/malwares/campanha-de-phishing-e-direcionada-a-usuarios-do-microsoft-onedrive/
[2] https://www.infosecurity-magazine.com/news/phishing-campaign-targets/
[3] https://www.waterisac.org/portal/threat-awareness-%E2%80%93-another-powershell-%E2%80%9Cfix%E2%80%9D-compromise-clipboard