Compromised Microsoft OneDrive for Business accounts used to spread malware

Back in 2012, we saw the first malware abuse to cloud-storage services in the form of an information-stealing trojan. The trojan collected Microsoft Word and Excel files from affected PCs, archived them, and then uploaded the archive to the file hosting website, SendSpace, so that it can be later accessed by the cybercriminals behind it. Fast forward to today, and the same abuse has become a de facto standard for many cybercriminals, perhaps primarily for spreading malware. Free cloud-storage services are used to host malware where the generated download links are sent to prospective victims as part of social engineering lure.

In a recent shift in this tactic, Forcepoint Security Labs™ have observed that cybercriminals have started to utilize compromised OneDrive for Business accounts for hosting malware since at least August of this year. One Drive for Business is a paid Microsoft service for businesses where employees can store and share files. Each registered employee has a personal URL called "MySite" where work-related files can be uploaded and shared, even to external parties. The following shows the format of a MySite URL:

https://{business domain name}-my.sharepoint.com/personal/{employee user name}_{business domain name}/

These employee MySite accounts are being compromised and used to upload malware. The generated download links are then included in mass-mailing campaigns. Below is an example of a malicious email containing a OneDrive for Business' MySite download link:

Clicking the link then leads to a download prompt. As of this writing, we are seeing multiple malware families that are being distributed using this method including Dridex and Ursnif. 

The hosted malware is either an executable file or an archive file containing a JavaScript downloader. In some cases, the JavaScript downloader downloaded malware from another OneDrive for Business link.

Based on our telemetry, below are the top 7 email subjects containing malicious OneDrive for Business links for the past 90 days:

The above emails were predominantly sent to recipients from Australia, followed by the United Kingdom:

The following chart shows the monthly hit counts for these emails for the past 90 days:

Protection Statement

Forcepoint™ customers are protected against this threat via TRITON® ACE at the following stages of attack:

Stage 2 (Lure) - Malicious e-mails are identified and blocked
Stage 5 (Dropper File) - Malicious payloads are prevented from being downloaded to the target machine.
Stage 6 (Call Home) - Communication between the downloaded malware and command and control are blocked.

Conclusion

The abuse of online cloud storage services are a cost effective and highly disposable approach for cybercriminals to spread malware. However, as this tactic already known to many people nowadays, cybercriminals may be looking for alternative ways to keep their social engineering ploys effective. The abuse of Microsoft OneDrive for Business service may aid them in this case. Since it is a known service for businesses, malicious download links hosted by such platform adds a layer of "trust" to prospective victims when downloading an unknown file.

While it is unknown how OneDrive for Business accounts are being compromised, it entails additional risk not only for the compromised user but also for the affected business as it means that the attackers may also have access to other business assets and contacts. In addition, as explained above, the URL format of OneDrive for Business download links contain the business domain name of a compromised user. This can consequently tarnish the reputation of a business.

Businesses that utilize third-party business solutions such as OneDrive for Business are advised to put additional focus on the security of the related user accounts to prevent such risks. Equally, users should be vigilant when downloading files from OneDrive for Business (Sharepoint) links coming from an unsolicited email.