Microsoft OneDrive users in the U.S., South Korea, India, Germany, Ireland, Norway, Italy, and the UK, have been lured to run a malicious PowerShell script compromising their systems as part of the OneDrive Pastejacking phishing and downloader attack campaign, The Hacker News reports.
Intrusions commence with the delivery of phishing emails with an HTML file, which when clicked prompts a OneDrive connection failure notice that includes "How to fix" and "Details" options, according to a Trellix analysis. Targets clicking "How to fix" would be prompted to perform several procedures that result in the execution of ipconfig /flushdns and the creation of a 'downloads' folder on the C drive, where an archive file would be downloaded. Such an archive file would then be renamed and have its contents extracted before script execution, said Trellix security researcher Rafael Pena. Proofpoint, ReliaQuest, and McAfee previously reported similar phishing campaigns leveraging the ClickFix attack technique.
