A threat campaign dubbed VEILDrive has been observed using legitimate Microsoft services, including Teams, SharePoint, Quick Assist and OneDrive, as part of its modus operandi.
“Using Microsoft SaaS services — including Teams, SharePoint, Quick Assist and OneDrive — the attacker used the trusted infrastructure of previously compromised organizations to spread phishing attacks and store malware,” Israeli cybersecurity firm Hunters said in a new report.
“This cloud-centric strategy allowed the threat actor to avoid detection by conventional monitoring systems.”
Hunters said it discovered the campaign in September 2024 while responding to a cyber incident targeting critical infrastructure in the United States. It did not disclose the name of the affected company, instead identifying it as “Org C.”
The activity is believed to have started a month earlier, and the attack culminated in the deployment of Java-based malware that uses OneDrive for command and control (C2).
The threat actor behind the operation is said to have sent Teams messages to four Org C employees, posing as a member of the IT team and requesting remote access to their systems via the Quick Assist tool.
What made this initial access method unique was that the attacker used a user account belonging to a prior potential victim (Organization A) rather than creating a new account for the purpose.
“The Microsoft Teams messages received by the Org C target users were made possible by Microsoft Teams’ ‘External access’ functionality, which allows one-to-one communication with any external organization by default,” Hunters said.
In the next step, the threat actor shared via chat a SharePoint download link to a ZIP archive (“Client_v8.16L.zip”) hosted by another tenant (Org B). The ZIP archive contained, among other files, another remote access tool called LiteManager.
The remote access obtained through Quick Assist was then used to create scheduled tasks on the system that periodically ran the LiteManager remote monitoring and management (RMM) software, giving the attacker persistence.
A second ZIP file (“Cliento.zip”) was also downloaded using the same method, which included the Java-based malware as a Java Archive (JAR) and the entire Java Development Kit (JDK) to execute it.
The malware is designed to connect to an adversary-controlled OneDrive account using hard-coded Entra ID (formerly Azure Active Directory) credentials, using it as a C2 to retrieve and execute PowerShell commands on the infected system using the Microsoft Graph API.
It also contains a fallback mechanism that initializes an HTTPS socket on a remote Azure virtual machine, which is then used to retrieve commands and execute them in a PowerShell context.
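As an added example (not code from Hunters’ report or from the malware itself), the kind of detection logic a defender might run over endpoint telemetry for the chain described above: it flags a Quick Assist session, a scheduled task that launches a binary from a user-writable path, and a Java runtime started outside a standard install location that connects to Microsoft Graph. Because Graph traffic is ubiquitous, the discriminator is which process generates it, not the destination alone. The log lines, host names, paths and the executable names quickassist.exe and rmm_agent.exe are constructed assumptions.

```python
"""Hunt for a VEILDrive-style chain in constructed endpoint telemetry:
Quick Assist session, RMM persisted via scheduled task, and a Java runtime
from a user-writable path reaching Microsoft Graph (the OneDrive C2 channel)."""
import re
from collections import defaultdict

# Constructed telemetry, format: event;host;user;key=value;...  (no real data)
LOGS = [
    "proc_create;WS01;jdoe;image=C:\\Windows\\System32\\quickassist.exe;parent=explorer.exe",
    "sched_task;WS01;jdoe;task=Updater;cmd=C:\\Users\\jdoe\\AppData\\Local\\LM\\rmm_agent.exe",
    "proc_create;WS01;jdoe;image=C:\\Users\\jdoe\\Downloads\\Cliento\\jdk\\bin\\java.exe;parent=cmd.exe",
    "net_conn;WS01;jdoe;image=C:\\Users\\jdoe\\Downloads\\Cliento\\jdk\\bin\\java.exe;dst=graph.microsoft.com:443",
    "proc_create;WS02;asmith;image=C:\\Program Files\\Java\\jdk-21\\bin\\java.exe;parent=idea64.exe",
    "net_conn;WS02;asmith;image=C:\\Program Files\\Java\\jdk-21\\bin\\java.exe;dst=graph.microsoft.com:443",
]

# Endpoints touched when OneDrive is driven through Graph with Entra ID credentials.
# Traffic to them is normal on its own; only pair it with an unusual source process.
MS_CLOUD = {"graph.microsoft.com", "login.microsoftonline.com"}
USER_WRITABLE = re.compile(r"^C:\\Users\\", re.IGNORECASE)  # assumed user-writable root

def parse(line):
    event, host, user, *kvs = line.split(";")
    return event, host, user, dict(kv.split("=", 1) for kv in kvs)

def basename(path):
    return path.rsplit("\\", 1)[-1].lower()

def hunt(lines):
    """Return {host: [finding, ...]} for hosts showing any stage of the chain."""
    findings = defaultdict(list)
    for line in lines:
        event, host, _, f = parse(line)
        if event == "proc_create" and basename(f["image"]) == "quickassist.exe":
            findings[host].append("quick_assist_session")  # assumed binary name
        elif event == "sched_task" and USER_WRITABLE.match(f["cmd"]):
            findings[host].append("scheduled_task_runs_user_path_binary")
        elif event == "net_conn":
            dst_host = f["dst"].rsplit(":", 1)[0].lower()
            if (dst_host in MS_CLOUD and basename(f["image"]) == "java.exe"
                    and USER_WRITABLE.match(f["image"])):
                findings[host].append("java_from_user_path_to_ms_cloud")
    return dict(findings)

def suspected_hosts(lines, min_stages=2):
    """Hosts where at least min_stages distinct stages of the chain were seen."""
    return sorted(h for h, fs in hunt(lines).items() if len(set(fs)) >= min_stages)
```

WS02 runs Java from the normal JDK install directory and is not flagged even though it also talks to Graph, which is the distinction that keeps this rule from alerting on ordinary developer activity.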
This is not the first time Quick Assist has been abused in this way. In May, Microsoft warned that a financially motivated cybercriminal group tracked as Storm-1811 was abusing Quick Assist by impersonating IT professionals or technical support staff to gain access and deploy the Black Basta ransomware.
The development also comes a few weeks after the Windows maker said it had observed campaigns abusing legitimate file hosting services such as SharePoint, OneDrive and Dropbox as a means of evading detection.
“This SaaS-dependent strategy complicates real-time detection and bypasses conventional defenses,” Hunters said. “With zero obfuscation and well-structured code, this malware defies the typical evasion-oriented design trend, making it remarkably readable and simple.”