Beware: Microsoft OneDrive Security Alert May Actually Be a Malware Scam
Hackers are putting a modern twist on the old scam method of ‘bug phishing’ in an attempt to trick victims into downloading dangerous malware onto their PCs.
Cybersecurity researchers at the Trellix Advanced Research Center have revealed how they recently saw a new campaign targeting Microsoft OneDrive users.
In the campaign, victims are sent an email carrying an .HTML attachment, usually named “Reports.pdf,” so that it passes for an important, work-related document. When the victim opens it, the browser renders a window styled to look like Microsoft OneDrive, with an error message stating that the device could not connect to the service and that the error must be resolved manually.
Social Engineering Tactics
“Cannot connect to the ‘OneDrive’ cloud service. To fix the error, you must manually update the DNS cache.” the message reads. The window also contains two buttons: “Details” and “How to fix.” Clicking the “Details” button redirects victims to a legitimate page on Microsoft Learn that discusses troubleshooting DNS issues.
The “How to fix” button, however, calls a function (named GD) in a JavaScript block embedded in the .HTML file. That function displays a second set of instructions the victim is told to follow.
“This campaign relies heavily on social engineering tactics to trick users into running a PowerShell script, compromising their systems,” the researchers explain. “This combination of technical jargon and urgent error messages is a classic social engineering tactic, designed to manipulate the user’s emotions and induce hasty action without careful consideration.”
That hasty action consists of opening a Windows PowerShell terminal, pasting in a command supplied by the lure, and executing it; from that point the attacker’s code is running with the victim’s privileges, without any exploit or macro being involved. Most victims observed so far are located in the US, South Korea, Germany, India, Ireland, Italy, Norway, and the UK.
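The chain described above (a PDF-looking filename, HTML content, an embedded script wired to a “How to fix” button, and instructions to paste a command into PowerShell) can be checked for at the mail gateway before a user ever sees the attachment. The following triage script is an added example written for this page; it is not Trellix’s code or anything from the campaign. The sample lure, the filenames and the detection strings are constructed assumptions, and the clipboard-copy step it looks for is a common pattern in this style of lure that is assumed here rather than described in the article.

```python
import re
from dataclasses import dataclass

# Constructed sample: a minimal, hypothetical HTML lure arriving under a .pdf
# name. Built for this example only; it is not the file Trellix analysed, and
# the command it carries is deliberately harmless.
SAMPLE_ATTACHMENT_NAME = "Reports.pdf"
SAMPLE_ATTACHMENT_BYTES = b"""<!DOCTYPE html>
<html><head><title>OneDrive</title></head>
<body>
<div class="error">Cannot connect to the 'OneDrive' cloud service.
To fix the error, you must manually update the DNS cache.</div>
<button onclick="window.open('https://learn.microsoft.com/')">Details</button>
<button onclick="GD()">How to fix</button>
<script>
function GD() {
  var cmd = "powershell -c ipconfig /flushdns";
  navigator.clipboard.writeText(cmd);  // assumed ClickFix-style step
  document.getElementById("steps").style.display = "block";
}
</script>
<div id="steps" style="display:none">
Press Win+R, type powershell, press Enter, then paste (Ctrl+V) and press Enter.
</div>
</body></html>
"""

# Constructed benign controls used to check that the heuristics stay quiet.
BENIGN_PDF_BYTES = b"%PDF-1.7\n1 0 obj\n<< /Type /Catalog >>\nendobj\n%%EOF\n"
BENIGN_HTML_BYTES = b"<html><body><h1>Monthly newsletter</h1><p>Thanks for reading.</p></body></html>"

CLIPBOARD_API = re.compile(r"navigator\.clipboard\.writeText|execCommand\(\s*['\"]copy['\"]\s*\)", re.I)
POWERSHELL = re.compile(r"\b(powershell(\.exe)?|pwsh)\b", re.I)
RUN_INSTRUCTIONS = re.compile(r"win\s*\+\s*r|ctrl\s*\+\s*v|\bpaste\b", re.I)
LURE_TEXT = re.compile(r"onedrive|dns cache|flushdns", re.I)


@dataclass
class Verdict:
    score: int
    findings: list


def sniff_type(data: bytes) -> str:
    """Classify by content, not by filename: a real PDF starts with %PDF-."""
    head = data.lstrip(b"\xef\xbb\xbf \t\r\n")[:64].lower()
    if head.startswith(b"%pdf-"):
        return "pdf"
    if head.startswith(b"<!doctype html") or head.startswith(b"<html") or b"<script" in head:
        return "html"
    return "unknown"


def triage_attachment(name: str, data: bytes) -> Verdict:
    """Score an attachment against the indicators of an HTML-to-PowerShell lure."""
    findings = []
    kind = sniff_type(data)
    claimed = name.rsplit(".", 1)[-1].lower() if "." in name else ""
    if claimed == "pdf" and kind == "html":
        findings.append("extension/content mismatch: named .pdf but content is HTML")
    if kind != "html":
        return Verdict(score=len(findings), findings=findings)
    text = data.decode("utf-8", errors="replace")
    if "<script" in text.lower() and POWERSHELL.search(text):
        findings.append("embedded script references PowerShell")
    if CLIPBOARD_API.search(text):
        findings.append("script writes to the clipboard")
    if RUN_INSTRUCTIONS.search(text):
        findings.append("page instructs the user to open a terminal and paste")
    if LURE_TEXT.search(text):
        findings.append("OneDrive/DNS error lure text present")
    return Verdict(score=len(findings), findings=findings)


def is_suspicious(verdict: Verdict, threshold: int = 2) -> bool:
    """Two independent indicators is the (assumed) quarantine threshold."""
    return verdict.score >= threshold


if __name__ == "__main__":
    for name, data in [(SAMPLE_ATTACHMENT_NAME, SAMPLE_ATTACHMENT_BYTES),
                       ("report.pdf", BENIGN_PDF_BYTES),
                       ("newsletter.html", BENIGN_HTML_BYTES)]:
        v = triage_attachment(name, data)
        print(f"{name}: score={v.score} suspicious={is_suspicious(v)}")
        for f in v.findings:
            print("  -", f)
```

The content-versus-extension check alone catches the “Reports.pdf” trick regardless of what the script inside does; the remaining indicators are there so that a lure which drops the fake extension still trips the threshold. On the user side, the complementary control is PowerShell script block logging (Event ID 4104), which records whatever the victim pasted and makes the command itself available to responders.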
Since Microsoft began blocking Office macros in files downloaded from the internet by default, cybercriminals have been looking for workable alternatives for delivering malware via email, and lures that talk the victim into running the command themselves are one of them.