OneDrive Phishing Scam Deceives Users into Executing Malicious PowerShell Script

Cybersecurity researchers have identified a new phishing campaign targeting Microsoft OneDrive users, aiming to execute a malicious PowerShell script.

“This campaign extensively uses social engineering tactics to trick users into running a PowerShell script, compromising their systems,” said Trellix security researcher Rafael Pena in a recent analysis.

The cybersecurity firm has named this deceptive phishing and downloader campaign OneDrive Pastejacking.

The attack begins with an email containing an HTML file. When opened, the file displays an image mimicking a OneDrive page and shows an error message stating: “Failed to connect to the ‘OneDrive’ cloud service. To fix the error, you need to update the DNS cache manually.”

The message provides two options, “How to fix” and “Details.” The “Details” option directs the user to a legitimate Microsoft Learn page on DNS troubleshooting. However, clicking “How to fix” instructs the user to follow steps that include pressing “Windows Key + X” to open the Quick Link menu, launching the PowerShell terminal, and pasting a Base64-encoded command to supposedly resolve the issue.

“The command first runs ipconfig /flushdns, then creates a folder on the C: drive named ‘downloads,'” Pena explained. “It then downloads an archive file to this location, renames it, extracts its contents (‘script.a3x’ and ‘AutoIt3.exe’), and executes script.a3x using AutoIt3.exe.”

This campaign has targeted users in the U.S., South Korea, Germany, India, Ireland, Italy, Norway, and the U.K.

This finding builds on similar research from ReliaQuest, Proofpoint, and McAfee Labs, showing that phishing attacks using this method, also known as ClickFix, are becoming more common.

This development coincides with the discovery of a new email-based social engineering campaign that distributes fake Windows shortcut files, leading to the execution of malicious payloads hosted on Discord’s Content Delivery Network (CDN) infrastructure.

Phishing campaigns are increasingly sending emails with links to Microsoft Office Forms from previously compromised legitimate email accounts, aiming to trick targets into revealing their Microsoft 365 login credentials under the pretense of restoring their Outlook messages.

“Attackers create forms on Microsoft Office Forms that appear legitimate, embedding malicious links within them,” said Perception Point. “These forms are then sent to targets en masse via email, disguised as legitimate requests such as password changes or accessing important documents, mimicking trusted platforms and brands like Adobe or Microsoft SharePoint document viewer.”

Additionally, other attack waves have used invoice-themed lures to deceive victims into sharing their credentials on phishing pages hosted on Cloudflare R2, which are then exfiltrated to the threat actor via a Telegram bot.

Unsurprisingly, adversaries continuously seek methods to stealthily bypass Secure Email Gateways (SEGs) to increase the success rate of their attacks.

According to a recent report from Cofense, bad actors are exploiting how SEGs scan ZIP archive attachments to deliver the Formbook information stealer via DBatLoader (aka ModiLoader and NatsoLoader).

This tactic involves disguising the HTML payload as an MPEG file to evade detection by exploiting the fact that many common archive extractors and SEGs parse the file header information but ignore the file footer, which may contain more accurate information about the file format.

“The threat actors used a .ZIP archive attachment, and when the SEG scanned the file contents, the archive was detected as containing an .MPEG video file and was not blocked or filtered,” the company noted.

“When this attachment was opened with popular archive extraction tools such as 7-Zip or PowerISO, it appeared to contain an .MPEG video file, but it would not play. However, when the archive was opened in an Outlook client or via the Windows Explorer archive manager, the .MPEG file was correctly detected as an .HTML file.”