Hackers Abuse OneDrive.exe via DLL Sideloading to Run Malicious Code


Security researchers have discovered a sophisticated attack technique that exploits Microsoft’s OneDrive application to execute malicious code without detection.

The method, known as DLL sideloading, leverages the way Windows loads library files to trick legitimate applications into running attacker-controlled software.

This technique represents a significant threat to enterprise environments where OneDrive is widely deployed across thousands of machines.

Understanding the Attack Vector

The vulnerability stems from how Windows searches for library files when an application launches.

When OneDrive.exe starts, the operating system searches for required files, such as version.dll, in multiple locations. It checks the application’s directory first before searching system directories.

Attackers exploit this predictable search order by placing a malicious version.dll in the same folder as OneDrive.exe.

When the application launches, it unknowingly loads the attacker’s code instead of the legitimate Microsoft library, allowing unauthorized execution within the trusted OneDrive process context.

This approach is particularly dangerous because the malicious code runs under the identity and permissions of OneDrive.exe, a system-level application.

Security tools often trust processes that are digitally signed by Microsoft, making this technique extremely effective at bypassing traditional endpoint detection and response systems.

The attacker’s code inherits all the elevated privileges and network access that OneDrive normally possesses.
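The directory-level check that follows from the search order just described, as an added example (not code from the article, the researchers, or Microsoft): any DLL sitting beside an executable that shares its name with a System32 DLL will be resolved first, so auditing the application directory for such names, comparing them against the System32 copy, and diffing integrity snapshots over time surfaces a dropped version.dll. The application and system directories, file contents, and the allowlist are constructed for the demo; on a real host you would point it at the OneDrive install directory and C:\Windows\System32 and follow up with a signature check.

```python
"""Find DLL sideloading candidates in an application directory.

Added example, not from the article or from Microsoft.  Two checks:
  1. DLL names present both beside the executable and in System32
     (the search order resolves the application copy first).
  2. An integrity diff between two snapshots, so a newly dropped DLL
     is noticed even if its name is not on any watch list.
Paths and file contents used by demo() are constructed.
"""
import hashlib
import tempfile
from pathlib import Path


def sha256_of(path: Path) -> str:
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def snapshot(app_dir) -> dict:
    """Map every DLL name (lower-cased) in app_dir to its SHA-256."""
    return {p.name.lower(): sha256_of(p)
            for p in Path(app_dir).iterdir()
            if p.is_file() and p.suffix.lower() == ".dll"}


def find_shadowing_dlls(app_dir, system_dir, allow=()):
    """Return (name, verdict) for DLLs in app_dir that also exist in system_dir.

    A byte-identical copy is noise; a copy that differs from the System32
    file is the sideloading pattern and should be checked against the
    vendor's signature.  `allow` lists names the product legitimately
    ships (for example its own CRT redistributables).
    """
    app, sys_ = snapshot(app_dir), snapshot(system_dir)
    findings = []
    for name in sorted(set(app) & set(sys_)):
        if name in allow:
            continue
        verdict = "identical-copy" if app[name] == sys_[name] else "differs-from-system32"
        findings.append((name, verdict))
    return findings


def diff_snapshots(before: dict, after: dict) -> dict:
    """Integrity diff: which DLLs appeared, vanished or changed."""
    return {
        "added": sorted(set(after) - set(before)),
        "removed": sorted(set(before) - set(after)),
        "changed": sorted(n for n in set(before) & set(after) if before[n] != after[n]),
    }


def demo():
    """Build a constructed app dir and fake System32, then run both checks."""
    with tempfile.TemporaryDirectory() as tmp:
        app = Path(tmp) / "OneDrive"
        sys32 = Path(tmp) / "System32"
        app.mkdir()
        sys32.mkdir()
        (sys32 / "version.dll").write_bytes(b"real version.dll")
        (sys32 / "kernel32.dll").write_bytes(b"real kernel32.dll")
        (sys32 / "vcruntime140.dll").write_bytes(b"system crt")
        (app / "OneDrive.exe").write_bytes(b"signed onedrive exe")
        (app / "vcruntime140.dll").write_bytes(b"vendor-shipped crt")
        baseline = snapshot(app)
        # Simulate the drop the article describes: a version.dll beside the exe.
        (app / "version.dll").write_bytes(b"attacker-controlled proxy dll")
        return {
            "shadowing": find_shadowing_dlls(app, sys32, allow={"vcruntime140.dll"}),
            "integrity": diff_snapshots(baseline, snapshot(app)),
        }


if __name__ == "__main__":
    print(demo())
```

The allowlist matters in practice: products routinely ship their own copies of redistributable DLLs, so a bare "name also exists in System32" rule is noisy, while "name exists in System32 and the bytes differ and the file was not in the baseline" is a strong signal worth escalating.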

The proof-of-concept discovered by security researchers demonstrates additional sophistication beyond basic DLL sideloading.

The malicious library uses DLL proxying, a technique that maintains compatibility with the host application.

Rather than immediately crashing when OneDrive cannot find expected functions, the malicious DLL exports the same functions as the legitimate version.dll and forwards legitimate calls to the real system library.

This keeps OneDrive running normally while the attacker’s code operates invisibly in the background.

The implementation further employs advanced API hooking using Vectored Exception Handling and memory page protection techniques.

Instead of directly modifying code in obvious ways that security products might detect, the attack intercepts function calls at the Windows API level.

When OneDrive attempts to execute the CreateWindowExW function, the hooking mechanism captures this action and redirects execution flow to attacker-controlled code.

The technique continuously re-arms itself to maintain persistence throughout the application’s runtime.

In the proof-of-concept, the attacker achieves arbitrary code execution through process creation. The malicious payload waits two seconds after DLL injection, then launches a command with elevated privileges.

While the demonstration uses a simple notepad process, in real attacks, this could execute ransomware, steal credentials, deploy backdoors, or establish command-and-control connections.

The two-second delay serves as a hiding mechanism, allowing the initial OneDrive process to appear legitimate before the actual attack begins.

Organisations using OneDrive for file synchronisation and collaboration face a particular risk since the application maintains persistent elevated permissions and network connectivity.

An attacker gaining code execution within OneDrive can access synchronised files, exfiltrate sensitive documents, establish persistence on the network, and move laterally to other systems.

This technique is especially concerning in hybrid work environments where employees synchronise corporate data through OneDrive across personal and corporate devices.

Organisations should implement multiple detection layers, including monitoring for unexpected DLL files in application directories, restricting where applications can load libraries, and implementing behavioural analysis for suspicious process creation from trusted applications.

Security teams should review OneDrive deployment configurations and ensure file integrity monitoring is enabled for critical application directories.
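Detection logic for the two behaviours the article describes, run over sample Sysmon events, as an added example (not code from the article, the researchers, or Microsoft/Sysinternals): a system-named DLL loaded from outside System32, or unsigned, into the OneDrive process (Sysmon event ID 7), and a child process spawned by OneDrive shortly after it started (event ID 1), which is the behavioural rule for suspicious process creation from a trusted application. The events are constructed and shaped like parsed Sysmon event data; the DLL watch list, the empty expected-children baseline and the timing window are assumptions to tune per environment.

```python
"""Sysmon-based detections for the OneDrive sideloading pattern.

Added example, not from the article or from Sysinternals.  Events are dicts
with Sysmon field names, as a SIEM would hand them over after parsing XML.
The sample events at the bottom are constructed.
"""
from datetime import datetime
from pathlib import PureWindowsPath

SYSTEM_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\")
# Constructed subset of DLL names that normally resolve to System32 and are
# common sideloading targets; version.dll is the one from the article.
SYSTEM_DLLS = {"version.dll", "dbghelp.dll", "userenv.dll", "wininet.dll", "cryptsp.dll"}
MONITORED_HOSTS = {"onedrive.exe"}
EXPECTED_CHILDREN = set()   # populate from a baseline of normal OneDrive children
CHILD_DELAY_SECONDS = 10.0  # assumed window: child spawned this soon after host start


def _ts(s):
    return datetime.strptime(s, "%Y-%m-%d %H:%M:%S.%f")  # Sysmon UtcTime format


def _base(path):
    return PureWindowsPath(path).name.lower()


def check_image_load(ev):
    """ID 7: system DLL name resolved outside System32, or unsigned, in a monitored host."""
    if _base(ev["Image"]) not in MONITORED_HOSTS:
        return None
    loaded = ev["ImageLoaded"]
    reasons = []
    if _base(loaded) in SYSTEM_DLLS and not loaded.lower().startswith(SYSTEM_DIRS):
        reasons.append("system DLL name loaded from application directory")
    if ev.get("Signed", "true").lower() != "true":
        reasons.append("unsigned module in Microsoft-signed process")
    if not reasons:
        return None
    return {"rule": "sideload-image-load", "host": ev["Image"], "module": loaded, "reasons": reasons}


def check_process_create(ev, host_starts):
    """ID 1: unexpected child of a monitored host, annotated with time since host start."""
    if _base(ev.get("ParentImage", "")) not in MONITORED_HOSTS or _base(ev["Image"]) in EXPECTED_CHILDREN:
        return None
    started = host_starts.get(ev.get("ParentProcessGuid"))
    delay = (_ts(ev["UtcTime"]) - started).total_seconds() if started else None
    return {"rule": "trusted-host-spawned-child", "host": ev["ParentImage"], "child": ev["Image"],
            "cmdline": ev.get("CommandLine", ""), "seconds_after_host_start": delay,
            "early": delay is not None and delay <= CHILD_DELAY_SECONDS}


def run_detections(events):
    """Correlate a batch of Sysmon events and return the alerts raised, in event order."""
    host_starts = {ev["ProcessGuid"]: _ts(ev["UtcTime"]) for ev in events
                   if ev["EventID"] == 1 and _base(ev["Image"]) in MONITORED_HOSTS}
    alerts = []
    for ev in events:
        if ev["EventID"] == 7:
            a = check_image_load(ev)
        elif ev["EventID"] == 1:
            a = check_process_create(ev, host_starts)
        else:
            a = None
        if a:
            alerts.append(a)
    return alerts


ONEDRIVE = "C:\\Users\\alice\\AppData\\Local\\Microsoft\\OneDrive\\OneDrive.exe"
SAMPLE_EVENTS = [  # constructed for the demo
    {"EventID": 1, "UtcTime": "2024-05-01 12:00:00.000", "ProcessGuid": "{host-1}",
     "Image": ONEDRIVE, "ParentImage": "C:\\Windows\\explorer.exe"},
    {"EventID": 7, "UtcTime": "2024-05-01 12:00:00.050", "ProcessGuid": "{host-1}", "Image": ONEDRIVE,
     "ImageLoaded": "C:\\Windows\\System32\\kernel32.dll", "Signed": "true", "Signature": "Microsoft Windows"},
    {"EventID": 7, "UtcTime": "2024-05-01 12:00:00.080", "ProcessGuid": "{host-1}", "Image": ONEDRIVE,
     "ImageLoaded": "C:\\Users\\alice\\AppData\\Local\\Microsoft\\OneDrive\\version.dll", "Signed": "false"},
    {"EventID": 1, "UtcTime": "2024-05-01 12:00:02.150", "ProcessGuid": "{child-1}",
     "Image": "C:\\Windows\\System32\\notepad.exe", "CommandLine": "notepad.exe",
     "ParentProcessGuid": "{host-1}", "ParentImage": ONEDRIVE},
    {"EventID": 1, "UtcTime": "2024-05-01 12:00:05.000", "ProcessGuid": "{other-1}",
     "Image": "C:\\Windows\\System32\\cmd.exe", "ParentImage": "C:\\Windows\\explorer.exe"},
]

if __name__ == "__main__":
    for alert in run_detections(SAMPLE_EVENTS):
        print(alert)
```

Two alerts come out of the sample batch: the version.dll load is flagged on both counts (system DLL name outside System32, and unsigned), and the notepad.exe child is flagged as spawned 2.15 seconds after OneDrive started, matching the delayed process creation the proof-of-concept uses; the explorer-spawned cmd.exe and the System32 kernel32.dll load produce nothing.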
