Hackers have updated an old “phishing with errors” tactic to trick victims into downloading harmful software onto their computers. Cybersecurity experts from the Trellix Advanced Research Center recently identified a new campaign targeting Microsoft OneDrive users.
In this scam, victims receive an email with an .HTML file attachment, typically named “Reports.pdf,” so that it looks like an important work document. When opened, a window resembling Microsoft OneDrive appears, displaying an error message that claims the device couldn’t connect and requires manual intervention.
Social Engineering Tactics
The error message states, “Failed to connect to the ‘OneDrive’ cloud service. To fix the error, you need to update the DNS cache manually.” The window includes two buttons: “Details” and “How to fix.” Clicking the “Details” button directs victims to a legitimate Microsoft Learn page about troubleshooting DNS issues.
The “How to fix” button, however, calls a JavaScript function named GD that is embedded in the .HTML file, which then loads further instructions for the victim to follow.
“This campaign relies heavily on social engineering tactics to deceive users into running a PowerShell script, compromising their systems,” the researchers noted. “The combination of technical language and urgent error messages is a common tactic used to manipulate users’ emotions and prompt quick actions without careful thought.”
The scam prompts users to open the Windows PowerShell terminal and execute a malicious command. Most victims are reportedly located in the US, South Korea, Germany, India, Ireland, Italy, Norway, and the UK.
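A defender-side check for the lure described above, added here as an example that is not from the article or from Trellix: it parses an HTML email attachment and reports a document-like filename, inline script, any function called from an inline event handler (GD in the campaign), and the fake-error wording, run over a constructed sample that imitates the lure. The sample, the phrase list and the scoring threshold are assumptions.

```python
import re
from html.parser import HTMLParser
# Constructed sample (not the real attachment) imitating the lure described in
# the article: an HTML file named like a PDF, a fake OneDrive connection error,
# and a "How to fix" button wired to a JavaScript function named GD.
SAMPLE_NAME = "Reports.pdf"
SAMPLE_HTML = """<html><body>
<div class="dialog">Failed to connect to the 'OneDrive' cloud service.
To fix the error, you need to update the DNS cache manually.</div>
<button onclick="location='https://learn.microsoft.com/'">Details</button>
<button onclick="GD()">How to fix</button>
<script>function GD() { document.body.innerText =
  "Open Windows PowerShell and run the following command: [omitted]"; }
</script></body></html>"""

# Wording taken from the article's description of the fake error dialog.
LURE_PHRASES = ("failed to connect", "onedrive", "dns cache", "powershell", "how to fix")
class _Collector(HTMLParser):
    """Collect visible text, inline <script> bodies and on* handler code."""
    def __init__(self):
        super().__init__()
        self.text, self.scripts, self.handlers = [], [], []
        self._in_script = False
    def handle_starttag(self, tag, attrs):
        self._in_script = self._in_script or tag == "script"
        self.handlers += [v for k, v in attrs if k.startswith("on") and v]
    def handle_endtag(self, tag):
        self._in_script = self._in_script and tag != "script"
    def handle_data(self, data):
        (self.scripts if self._in_script else self.text).append(data)

def score_attachment(filename: str, html: str) -> dict:
    """Return the indicators found in one HTML attachment; policy is the caller's."""
    p = _Collector()
    p.feed(html)
    blob = " ".join(p.text + p.scripts).lower()
    found = [ph for ph in LURE_PHRASES if ph in blob]
    # Function names called from inline event handlers (GD in the article).
    called = sorted({m for h in p.handlers for m in re.findall(r"\b(\w+)\s*\(", h)})
    hits = {
        # The content is HTML, so a filename that claims a document type is misleading.
        "misleading_name": bool(re.search(r"\.(pdf|docx?|xlsx?)(\.html?)?$", filename, re.I)),
        "inline_script": bool(p.scripts),
        "handler_functions": called,
        "lure_phrases": found,
    }
    # Assumed threshold: inline script plus at least three lure phrases.
    hits["suspicious"] = hits["inline_script"] and len(found) >= 3
    return hits
```

Run it from a mail-gateway hook on every text/html attachment; the returned dictionary is meant for a rule engine or an analyst queue rather than for automatic blocking on its own.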