Australians main target of OneDrive malware campaign

Australians are the main target of a new malware campaign involving compromised Microsoft 365 OneDrive for Business accounts, research from Forcepoint Security shows.

The security company has identified an attack method involving compromising the personal URLs assigned to each registered employee of the Microsoft cloud storage service, known as MySite, and using the compromised accounts to spread malware.

Generated download links are then included in mass-mailing campaigns, which are being used to further distribute malware. Multiple malware families are being distributed using this method, Forcepoint said, including Dridex and Ursnif.

The resulting malicious link includes the domain name of the compromised business, lending legitimacy to the malware campaign. This also presents strong potential for reputational risk for affected companies.

Around 55% of the emails sent using this method were sent to Australian recipients, with 40% from the UK, Forcepoint said.

In addition, one of the seven most frequent subject lines for emails containing malicious OneDrive for Business links was customised for Australia, as it involves a “request for ASIC correspondence reprint”.

It is currently unknown how OneDrive for Business accounts are being compromised, Forcepoint said. But hacked accounts present a security risk for the affected business as it means attackers may also have access to other business assets or contacts.

Image courtesy Microsoft.