Cybersecurity experts have uncovered a sophisticated phishing campaign that employs a double-edged tactic to compromise Office 365 credentials and deliver malware, posing significant risks to organizations worldwide.
The campaign, identified by the Cofense Phishing Defense Center (PDC), uses a file deletion reminder as a pretext to trick victims into engaging with what appears to be a legitimate email from a trusted file-sharing service.
When victims click on the hyperlinked document name, they are directed to a legitimate files.fm link, enhancing the email’s credibility. However, this is where the deception unfolds.
Opening the shared PDF file triggers two different attacks, offering victims a ‘choice’ of poison: either a phishing attempt for Office 365 credentials or the download of malicious software.


Phishing for Office 365 Credentials
Upon clicking the “Preview” hyperlink, victims are taken to a deceptive login page that mimics Microsoft’s own, prompting them to enter their credentials.
This page, while appearing trustworthy, presents telltale signs of phishing, such as an incorrect URL and an unusual request for credentials for a shared document.
Conversely, the “Download” link initiates the download of an executable file named ‘SecuredOneDrive.ClientSetup.exe.’
This file, disguised as a OneDrive installer, unleashes ConnectWise RAT (Remote Access Trojan) malware, which hijacks the legitimate ConnectWise Control tool for unauthorized access and lateral movement within the compromised networks.


Technical Analysis
Upon execution, the malware installs itself as a system service, persists through Windows registry modifications, and connects to command and control servers so that the infected systems can be managed remotely.
The technical analysis reveals:
- Execution: The malware runs as processes named ScreenConnect.ClientService.exe and ScreenConnect.WindowsClient.exe, indicating that ConnectWise’s legitimate software is being exploited.
- Remote Connection: The client connects to a non-malicious ConnectWise IP address, but control is orchestrated through a separate command and control server, showing a layered approach to evasion and control.
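Because the payload runs as the genuine ScreenConnect binaries, a process-name match alone cannot separate this campaign from an IT-deployed ConnectWise client. The following added example (not from Cofense or the original report) walks process-creation events and flags only ScreenConnect clients whose ancestry leads back to the ‘SecuredOneDrive.ClientSetup.exe’ dropper or to a browser/Downloads-folder install; the event records, the browser list and the Downloads-path heuristic are constructed assumptions, not telemetry from the campaign.

```python
"""Flag user-initiated ScreenConnect installs in process-creation logs (defender-side triage)."""
import ntpath

# Names taken from the campaign write-up above (case-insensitive match).
DROPPER = "securedonedrive.clientsetup.exe"
SCREENCONNECT = {"screenconnect.clientservice.exe", "screenconnect.windowsclient.exe"}
# Assumption: a ScreenConnect client whose ancestry includes a browser or mail client,
# or that runs from a Downloads folder, was not pushed by IT and deserves a look.
USER_APPS = {"chrome.exe", "msedge.exe", "firefox.exe", "outlook.exe"}

# Constructed sample events in a simplified Sysmon-like shape: pid, parent pid, image path.
SAMPLE_EVENTS = [
    {"pid": 1000, "ppid": 4,    "image": r"C:\Windows\explorer.exe"},
    {"pid": 1100, "ppid": 1000, "image": r"C:\Program Files\Google\Chrome\Application\chrome.exe"},
    {"pid": 1200, "ppid": 1100, "image": r"C:\Users\alice\Downloads\SecuredOneDrive.ClientSetup.exe"},
    {"pid": 1300, "ppid": 1200, "image": r"C:\Users\alice\AppData\Local\Temp\ScreenConnect.ClientService.exe"},
    {"pid": 1400, "ppid": 1300, "image": r"C:\Users\alice\AppData\Local\Temp\ScreenConnect.WindowsClient.exe"},
    # Benign control case: an IT-deployed client started by the service control manager.
    {"pid": 2000, "ppid": 4,    "image": r"C:\Windows\System32\services.exe"},
    {"pid": 2100, "ppid": 2000, "image": r"C:\Program Files (x86)\ScreenConnect Client (corp)\ScreenConnect.ClientService.exe"},
]


def _name(image):
    return ntpath.basename(image).lower()


def ancestry(by_pid, pid):
    """Yield the event for pid, then its parent, grandparent, ... (stops on unknown pid or a cycle)."""
    seen = set()
    while pid in by_pid and pid not in seen:
        seen.add(pid)
        yield by_pid[pid]
        pid = by_pid[pid]["ppid"]


def detect(events):
    """Return one alert dict per suspicious process, naming the rule that fired."""
    by_pid = {e["pid"]: e for e in events}
    alerts = []
    for e in events:
        name = _name(e["image"])
        if name == DROPPER:
            alerts.append({"pid": e["pid"], "rule": "known dropper name"})
        elif name in SCREENCONNECT:
            ancestors = {_name(a["image"]) for a in list(ancestry(by_pid, e["pid"]))[1:]}
            if DROPPER in ancestors:
                alerts.append({"pid": e["pid"], "rule": "ScreenConnect spawned by dropper"})
            elif ancestors & USER_APPS or "\\downloads\\" in e["image"].lower():
                alerts.append({"pid": e["pid"], "rule": "user-initiated ScreenConnect"})
    return alerts


if __name__ == "__main__":
    for alert in detect(SAMPLE_EVENTS):
        print(alert)
```

The IT-deployed client under services.exe produces no alert, so the rule set can be tuned further with an allowlist of sanctioned ScreenConnect install paths.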
This attack underscores the critical need for user awareness and education in cybersecurity. Organizations must:
- Educate employees about recognizing suspicious emails, especially those with unexpected requests or unusual sender addresses.
- Implement solutions like Cofense Managed Phishing Detection and Response (MPDR) to enhance defenses against such sophisticated threats.
The technical sophistication of this attack highlights not just the evolving nature of cyber threats but also the importance of integrating human vigilance with technological safeguards to protect digital infrastructures.