OneDrive for Business accounts used to spread malware
Malware purveyors have been making use of cloud services for some time, sending cloud-storage links that host malware to victims is an efficient way for cyber criminals to operate.
In a new twist to the technique, Forcepoint Security Labs has discovered that cybercriminals have been utilizing compromised Microsoft OneDrive for Business accounts to host malware since at least August of this year.
Criminals are exploiting the 'MySite' feature which allows work-related files to be uploaded and shared, even with external parties. Download links are sent to prospective victims as part of social engineering mass-mailing campaigns.
The links lead to a download prompt, either for an executable file or an archive file containing a JavaScript downloader. Currently Forecepoint is seeing multiple malware families being distributed using this method including Dridex and Ursnif. Where a downloader is used it sometimes further mixes things up by downloading from a different OneDrive account.
The emails have mainly been targeting users in Australia (55 percent) and the UK (40 percent), using subjects including, 'Please DocuSign these documents', and 'Request for ASIC correspondence reprint'. Since the MySite links contain the name of the compromised user it's likely that recipients will trust it, this in turn could lead to damaged business reputations.
"The abuse of online cloud storage services are a cost effective and highly disposable approach for cybercriminals to spread malware," says Forepoint researcher Rolan Dela Paz writing on the company's blog. "However, as this tactic already known to many people nowadays, cybercriminals may be looking for alternative ways to keep their social engineering ploys effective. The abuse of Microsoft OneDrive for Business service may aid them in this case. Since it is a paid service for businesses, malicious download links hosted by the platform adds a layer of 'trust' to prospective victims to inadvertently downloading malware".
You can find out more about the attacks and how they work on the Forcepoint website.
Photo Credit: Balefire / Shutterstock