Hacked organizations had their infrastructure further compromised to enable stealthy spear-phishing and malware attacks through the abuse of Microsoft software-as-a-service tools, including OneDrive, SharePoint, Teams, and Quick Assist, as part of the ongoing VEILDrive attack campaign, according to The Hacker News.
Threat actors using an account from a previously targeted organization dubbed "Org A" impersonated IT staff to target employees of a U.S. critical infrastructure entity dubbed "Org C" with Teams messages requesting remote access to their systems via Quick Assist, an analysis from Hunters revealed. Targets were then lured into downloading a ZIP archive hosted by another victim, dubbed "Org B", that contained the LiteManager remote access tool, as well as a second ZIP file containing Java-based malware that retrieves and executes PowerShell commands. "This SaaS-dependent strategy complicates real-time detection and bypasses conventional defenses. With zero obfuscation and well-structured code, this malware defies the typical trend of evasion-focused design, making it unusually readable and straightforward," said Hunters researchers.
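Detection logic for the two host-side stages of the chain described above (a Java process spawning PowerShell, and a remote access tool started shortly after a Quick Assist session), as an added example that is not from the report or from Hunters; it assumes Sysmon-style process-creation records, and the Quick Assist and LiteManager image names are assumed placeholders rather than confirmed indicators:

```python
"""Detection sketch for the VEILDrive chain: flag (1) a Java process spawning
PowerShell and (2) a remote-access tool started shortly after Quick Assist.
Events are constructed, Sysmon-like process-creation records."""
from datetime import datetime, timedelta

# Assumed image names (not from the report); adjust to your own telemetry.
QUICK_ASSIST = {"quickassist.exe"}
REMOTE_TOOLS = {"romserver.exe", "romviewer.exe"}  # LiteManager (assumed)
JAVA = {"java.exe", "javaw.exe"}
SHELLS = {"powershell.exe", "pwsh.exe"}
WINDOW = timedelta(minutes=30)  # Quick Assist -> remote tool correlation window

def basename(path):
    """Lower-cased file name of a Windows path."""
    return path.rsplit("\\", 1)[-1].lower()

def detect(events):
    """Return (rule, host, image) alerts from process-creation events."""
    alerts, last_quick_assist = [], {}
    for e in sorted(events, key=lambda x: x["ts"]):
        host, image, parent = e["host"], basename(e["image"]), basename(e["parent"])
        # Rule 1: Java loader retrieving and executing PowerShell commands
        if parent in JAVA and image in SHELLS:
            alerts.append(("java_spawns_powershell", host, e["image"]))
        # Rule 2: remote tool started after an IT-impersonation Quick Assist session
        if image in QUICK_ASSIST:
            last_quick_assist[host] = e["ts"]
        elif image in REMOTE_TOOLS:
            seen = last_quick_assist.get(host)
            if seen is not None and e["ts"] - seen <= WINDOW:
                alerts.append(("remote_tool_after_quick_assist", host, e["image"]))
    return alerts

def event(ts, host, parent, image):
    return {"ts": ts, "host": host, "parent": parent, "image": image}

# Constructed sample telemetry; hosts and paths are not real indicators.
SAMPLE = [
    event(datetime(2024, 11, 6, 8, 0), "ws02", r"C:\Windows\explorer.exe", r"C:\Tools\ROMServer.exe"),
    event(datetime(2024, 11, 6, 9, 0), "ws01", r"C:\Windows\explorer.exe", r"C:\Windows\System32\quickassist.exe"),
    event(datetime(2024, 11, 6, 9, 10), "ws01", r"C:\Windows\explorer.exe", r"C:\Users\a\Downloads\LiteManager\ROMServer.exe"),
    event(datetime(2024, 11, 6, 9, 12), "ws01", r"C:\Program Files\Java\bin\javaw.exe", r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"),
    event(datetime(2024, 11, 6, 9, 15), "ws02", r"C:\Windows\explorer.exe", r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"),
]

if __name__ == "__main__":
    for alert in detect(SAMPLE):
        print(alert)
```

The lone ROMServer.exe on ws02 and the explorer-launched PowerShell are deliberately left unflagged, so the rules alert on the sequence rather than on any single tool.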