In a recent alarming development, cybercriminals have deployed a sophisticated dual-phased attack targeting Office 365 (O365) credentials and distributing malware.
Identified by the Cofense Phishing Defense Center (PDC), this campaign uses a clever combination of phishing techniques and malware delivery to compromise user systems.
By exploiting the trustworthiness of legitimate file-sharing services, the attackers aim to deceive users into lowering their guard.
Exploiting Familiar File-Sharing Platforms
The attack begins with an email crafted to appear as a file deletion notification originating from a reputable cloud storage service, files.fm.
The email lures recipients into clicking a hyperlink under the guise of protecting their files, redirecting them to an authentic files.fm link.
Once there, users are encouraged to download a PDF file that appears harmless but is, in fact, the gateway to the attack.
Upon opening the PDF, recipients are presented with two deceptive hyperlinks labeled “Preview” and “Download,” both of which lead to malicious outcomes.
According to the Cofense report, this dual-choice mechanism increases the attack’s efficacy, preying on users’ instincts to act quickly without scrutinizing the links.
Credential Theft via Fake Microsoft Login Pages
Clicking on the “Preview” link redirects users to a counterfeit Microsoft login page, which mimics the appearance of an official login portal.
The page’s setup is specifically designed to harvest Office 365 credentials, leveraging Microsoft’s branding to establish a veneer of trust.
Subtle but critical red flags, such as an unusual URL or an unsolicited request to re-enter login details, serve as indicators of the phishing scheme.
Users who fail to notice these discrepancies inadvertently provide their credentials to attackers.
The second hyperlink, “Download,” initiates the download of a file named SecuredOneDrive.ClientSetup.exe, disguised as a legitimate OneDrive client installer.
However, this executable contains the ConnectWise Remote Access Trojan (RAT), a malicious use of ConnectWise Control, a legitimate remote administration tool.
Upon execution, the malware installs and runs processes such as ScreenConnect.ClientService.exe and ScreenConnect.WindowsClient.exe.
These processes connect to a remote command-and-control (C2) server, enabling attackers to execute commands, exfiltrate data, and maintain access to the compromised system.
The infection chain reveals a meticulous and multilayered approach. Using legitimate infrastructure to host malicious payloads, as seen with files.fm links and ConnectWise services, enhances the campaign’s credibility.
The malware achieves persistence through multiple techniques, including:
- Service Creation: The malware establishes itself as a system service, ensuring it restarts with every system boot.
- Registry Modifications: It alters critical registry settings under HKEY_LOCAL_MACHINE, ensuring automatic execution upon startup.
These techniques make the malware resilient against manual removal or antivirus interference, thereby embedding itself deeply within the victim’s system.
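A defender-side hunt for the process, service and registry artifacts described above, written here as an added example and not drawn from the Cofense report or from ConnectWise. The process, service and dropper names are the ones the article gives; the HKLM Run-key paths are the standard Windows autostart locations and are an assumption about which "registry settings under HKEY_LOCAL_MACHINE" the article means. Every hit is a lead rather than a verdict, because a legitimately deployed ConnectWise Control client leaves identical traces:

```powershell
# Added example (not code from the Cofense report): hunt a Windows host for the
# artifacts the article names. Process, service and dropper names come from the
# article; the autostart registry paths below are the standard Windows Run keys and
# are an assumption about which HKEY_LOCAL_MACHINE settings the article means.
# Caveat: legitimate ConnectWise Control / ScreenConnect deployments leave the same
# traces, so each hit is a lead to compare against the approved RMM inventory.

$Indicators = @(
    'ScreenConnect.ClientService.exe',
    'ScreenConnect.WindowsClient.exe',
    'SecuredOneDrive.ClientSetup.exe'   # dropper name from the article
)

$RunKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run'
)

function Test-Indicator {
    # True when any indicator string appears in the supplied text (-like is case-insensitive).
    param([string]$Text)
    if ([string]::IsNullOrEmpty($Text)) { return $false }
    foreach ($i in $Indicators) {
        if ($Text -like "*$i*") { return $true }
    }
    return $false
}

function New-Finding {
    param([string]$Category, [string]$Detail)
    [pscustomobject]@{ Category = $Category; Detail = $Detail }
}

function Find-ScreenConnectArtifacts {
    $findings = @()

    # 1. Running processes (image name or command line).
    $byPid = @{}
    foreach ($p in Get-CimInstance Win32_Process) {
        $byPid[[int]$p.ProcessId] = $p.Name
        if ((Test-Indicator $p.Name) -or (Test-Indicator $p.CommandLine)) {
            $findings += New-Finding 'Process' "PID $($p.ProcessId): $($p.CommandLine)"
        }
    }

    # 2. Installed services whose binary path references the client (service persistence).
    foreach ($s in Get-CimInstance Win32_Service) {
        if (Test-Indicator $s.PathName) {
            $findings += New-Finding 'Service' "$($s.Name) [$($s.StartMode)] -> $($s.PathName)"
        }
    }

    # 3. HKLM autostart values (registry persistence).
    foreach ($key in $RunKeys) {
        if (-not (Test-Path $key)) { continue }
        $values = Get-ItemProperty -Path $key
        foreach ($prop in $values.PSObject.Properties) {
            if ($prop.Name -like 'PS*') { continue }   # provider metadata, not registry values
            if (Test-Indicator ([string]$prop.Value)) {
                $findings += New-Finding 'Registry' "$key\$($prop.Name) = $($prop.Value)"
            }
        }
    }

    # 4. Established connections owned by a flagged process (candidate C2 channel).
    $tcp = Get-NetTCPConnection -State Established -ErrorAction SilentlyContinue
    foreach ($c in $tcp) {
        $owner = $byPid[[int]$c.OwningProcess]
        if (Test-Indicator $owner) {
            $findings += New-Finding 'Network' "$owner -> $($c.RemoteAddress):$($c.RemotePort)"
        }
    }

    return $findings
}

# Wrap in @() so a single finding is still reported as a one-element array.
$results = @(Find-ScreenConnectArtifacts)
if ($results.Count -eq 0) {
    Write-Output 'No ScreenConnect/SecuredOneDrive artifacts found on this host.'
} else {
    $results | Format-Table -AutoSize
}
```

Run it from an elevated PowerShell session so that Win32_Service paths and HKLM values are fully readable. The same four checks map onto fleet-wide telemetry: a new service install is recorded in the System event log as event ID 7045, and an EDR sensor will show the Run-key write and the outbound connection from the ScreenConnect client process, so the host-level hunt above is mainly useful for triaging a machine the email gateway or user report has already singled out.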
The bifurcated approach of this attack underscores the importance of vigilance in email communications.
Awareness is critical: users must scrutinize unexpected email requests, even if they appear to come from trusted sources.
Organizations can bolster defenses by implementing robust security awareness training programs and leveraging tools like Cofense Managed Phishing Detection and Response (MPDR).
Additionally, administrative controls such as restricting executable file downloads, deploying endpoint detection and response (EDR) solutions, and monitoring anomalous behaviors can help mitigate risks.
Regularly validating URLs and avoiding interactions with unsolicited email attachments can also reduce the likelihood of falling victim to such schemes.
This cyberattack highlights the growing sophistication of phishing campaigns and malware delivery mechanisms.
By exploiting trust in legitimate services and adopting a multi-pronged strategy, threat actors continue to pose significant risks to individuals and organizations alike.