
An ongoing threat campaign dubbed VEILDrive has been observed taking advantage of legitimate services from Microsoft, including Teams, SharePoint, Quick Assist, and OneDrive, as part of its modus operandi.

"Leveraging Microsoft SaaS services — including Teams, SharePoint, Quick Assist, and OneDrive — the attacker exploited the trusted infrastructures of previously compromised organizations to distribute spear-phishing attacks and store malware," Israeli cybersecurity company Hunters said in a new report. "This cloud-centric strategy allowed the threat actor to avoid detection by conventional monitoring systems."

Hunters said it discovered the campaign in September 2024 after it responded to a cyber incident targeting a critical infrastructure organization in the United States. It did not disclose the name of the company, instead giving it the designation "Org C." The activity is believed to have commenced a month prior, with the attack culminating in the deployment of a Java-based malware that uses OneDrive for command-and-control (C2).

The threat actor behind the operation is said to have sent Teams messages to four employees of Org C by impersonating an IT team member and requesting remote access to their systems via the Quick Assist tool. What made this initial compromise method stand out is that the attacker used a user account belonging to a potential prior victim (Org A), rather than creating a new account for this purpose.

"The Microsoft Teams messages…
