The Trellix Advanced Research Center has discovered a sophisticated phishing campaign that specifically targets OneDrive users.
In this campaign, users receive an email that contains a .html (web page type) file. When that file is opened, the user will see something like the image below, which simulates a Microsoft OneDrive page with an error message.
The blue fake error message pop-up will say that there is a DNS issue with the user’s OneDrive. And the error display has two buttons. The “Details” button will actually take users to the real Microsoft web page for troubleshooting a DNS issue. But if a user clicks on the “How To Fix” button, it will launch a JavaScript program embedded within the HTML file. That JavaScript will display additional misleading instructions for the user. If followed, the result will be unknowingly downloading malware onto the user’s computer.
This particular attack uses misleading visual elements and a sense of urgency as its attack vector. For additional information, please see the full article at: https://www.trellix.com/blogs/research/onedrive-pastejacking/
