Tricky OneDrive Phishing Campaign Tricks Users To Execute PowerShell Script

In Cybersecurity News - Original News Source is cybersecuritynews.com by Blog Writer

Post Sharing

A sophisticated phishing campaign targets Microsoft OneDrive users, employing social engineering to trick victims into executing malicious PowerShell scripts. 

The attack leverages a false sense of urgency by claiming a DNS issue prevents file access, enticing users to click a button that triggers PowerShell script execution and compromising affected systems. 

An attack commences with a malicious .html file delivered via email. Upon execution, the file displays a fraudulent OneDrive page simulating an error message. 

The error message, designed to induce urgency and panic, aims to manipulate users into manually updating their DNS cache, likely redirecting them to a compromised site or initiating a malware download. 

Utilizing a valid error code, this attack method increases credibility by taking advantage of the widespread usage of visual elements. 

Microsoft OneDrive page with “Error 0x8004de86”

The “Details” button on the webpage links to a legitimate Microsoft Learn DNS troubleshooting resource, while the “How to Fix” button initiates a malicious function call named “GD” within an embedded JavaScript script and displays additional misleading instructions. 

The deceptive combination of credible information and urgent prompts constitutes a social engineering attack designed to coerce users into executing harmful code. 

Actions associated with “Details” and “How to fix” buttons

The “How to Fix” button presents a user interface prompting the execution of a specific command within the Windows PowerShell terminal, which involves invoking the Quick Link menu, launching the PowerShell terminal, pasting a predetermined command, and executing it. 

The provided function, GD, likely pertains to a system component or process directly targeted by the command, suggesting a potential system-level remediation for the underlying issue. 

Function GD details

The script initially decodes a Base64-encoded string, likely a command title, using the atob() method, and then copies it to the clipboard via the execCommand method. 

A portion of the command remains Base64-encoded within the clipboard content. Decoding this final segment reveals the full command, which potentially involves network configuration changes, file downloads, and malicious script execution. 

 Decoded command

An analyzed command sequence leverages social engineering to entice users into opening malicious HTML files.

Once executed, it clears the DNS cache, downloads a concealed archive to a local directory, extracts a malicious script and its executor, and silently runs the script using AutoIt3. 

While Trellix’s detection capabilities mitigated this attack chain, it still highlighted the ongoing threat of HTML-based exploits and the value of user education in preventing successful compromise. 

By exploiting human error, attackers can infiltrate networks, exfiltrate sensitive data, and cause substantial financial and reputational harm.

It reveals the geographic distribution of systems compromised through this attack, highlighting the global nature of such threats. 

Are you from SOC and DFIR Teams? – Analyse Malware Incidents & get live Access with ANY.RUN -> Free Access