Researchers at the Cofense Phishing Defense Center have identified a phishing campaign that steals Office 365 credentials or, depending on the victim's choice, installs a remote access trojan, putting affected organizations at risk.
The lure is a fake file-deletion reminder styled as a notification from a trusted file-sharing service, designed to get the recipient to click through.
The document link leads to a genuine files.fm page, which lends the email credibility. The attack proper begins only once the victim interacts with the hosted file.
The shared PDF offers two paths: a "Preview" link that leads to a credential-phishing page, and a "Download" link that delivers malware to the victim's device.


Phishing for Office 365 Credentials
Clicking the "Preview" link opens a spoofed Microsoft login page that asks for the victim's credentials. The page mimics the real sign-in experience, but the URL does not belong to Microsoft and the sign-in request arrives with no context, both of which should alert a careful user.
Clicking the "Download" link instead fetches a file named SecuredOneDrive.ClientSetup.exe.
The file masquerades as a OneDrive installer but actually deploys a ConnectWise Control (ScreenConnect) client configured to report to attacker-controlled infrastructure. This is a legitimate remote-support tool abused as a remote access trojan (RAT): it gives the attacker full interactive control of the host and a foothold from which to move across the network.

Upon execution, the installer registers the ScreenConnect client as a Windows service so that it survives reboots (the service definition itself lives in the Windows registry) and connects out to the attacker's relay for remote management.
Technical analysis shows:
- Execution: The processes on the victim host are ScreenConnect.ClientService.exe and ScreenConnect.WindowsClient.exe, ConnectWise's own client binaries. Nothing about them is malicious on its own; what matters is who controls the instance they report to.
- Remote connection: The client talks to a legitimate ConnectWise IP address (the vendor's relay infrastructure) while the attacker controls the session from a separate command and control server. This lets the traffic blend in with sanctioned remote-support activity and defeats blocking by destination alone.
This attack highlights the need for user awareness and cybersecurity education, but because the payload is a legitimate remote-management product, defenses cannot stop at training or antivirus signatures. Organizations should:
- Teach employees how to spot suspicious emails, especially those with unexpected requests, urgency around file deletion, or sender addresses that do not match the claimed service.
- Inventory which remote-support products are sanctioned, and alert on ScreenConnect clients that report to any instance other than the organization's own.
- Use tools like Cofense Managed Phishing Detection and Response (MPDR) to strengthen defenses.
This attack demonstrates the growing complexity of cyber threats and the need for both human vigilance and tech-based defenses to secure digital systems.
IOCs
Network indicators (the three IP addresses fall within shared CDN address space, so they are not attacker-dedicated infrastructure; treat them as low-confidence indicators useful for hunting, not for outright blocking):
172[.]67[.]75[.]107
104[.]26[.]0[.]31
104[.]26[.]1[.]31
hXXps://www[.]files[.]fm/u/jv2stwauw7
Malicious files (note that the two ScreenConnect binaries are ConnectWise's own client components; read a hash match together with the relay host the client is configured to contact, since the same binaries appear in legitimate deployments):
File Name: Mash_Media_Group_Ltd_-S8927302.pdf
MD5: d3ed45f0dfadc24c76245b036b3b9738
SHA256: 2e9fb32df9b7e36c32a6348f201655f3cc6e1843d4fbcd93174743ec64897e70
File Size: 171940 bytes (167K)

File Name: SecuredOnedrive.ClientSetup.exe
MD5: 8a17521918bc248d3ef11de3ba36926f
SHA256: aae6ae55eba4ca78041c35694a65ac08a8e6ed54eb377398e93d6a985d7b1cc7
File Size: 5647048 bytes (5M)

File Name: ScreenConnect.WindowsClient.exe
MD5: b9cd7bc4f514e595561509de2177e457
SHA256: ec1c7f33fd871b544a2992c0af60cde0ffcc829e7bf73baad6470f4225761ef2
File Size: 25159161 bytes (23M)

File Name: ScreenConnect.ClientService.exe
MD5: 495c7845de1d5bd46884ef03d66d4447
SHA256: 06df948c816fc30e69d3ea30733d0d11989c9bfd68f3d3919ceef3f8410ea1bb
File Size: 25159161 bytes (23M)
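The technical analysis above makes the practical point that the binaries are ConnectWise's own, so a hash match alone is not the whole story: the relay the client is configured to contact decides who is in control. The following script is an added example (not from the Cofense report or from ConnectWise) that parses the defanged IOC list exactly as published above, then runs three rules over constructed Sysmon-style process and network events: a high-confidence hash match, a check that any ScreenConnect client reports to a relay the organization operates, and a low-confidence network match for the listed IPs. The relay hostnames, the sample events, the constructed hashes, and the assumption that the client's relay appears as an h= parameter in its command line are all illustrative and not taken from the page.

```python
import re
from urllib.parse import urlsplit

# Copied from the IOC section above (the page's own values, defanged as published).
IOC_TEXT = """
172[.]67[.]75[.]107
104[.]26[.]0[.]31
104[.]26[.]1[.]31
hXXps://www[.]files[.]fm/u/jv2stwauw7
MD5: d3ed45f0dfadc24c76245b036b3b9738
SHA256: 2e9fb32df9b7e36c32a6348f201655f3cc6e1843d4fbcd93174743ec64897e70
MD5: 8a17521918bc248d3ef11de3ba36926f
SHA256: aae6ae55eba4ca78041c35694a65ac08a8e6ed54eb377398e93d6a985d7b1cc7
MD5: b9cd7bc4f514e595561509de2177e457
SHA256: ec1c7f33fd871b544a2992c0af60cde0ffcc829e7bf73baad6470f4225761ef2
MD5: 495c7845de1d5bd46884ef03d66d4447
SHA256: 06df948c816fc30e69d3ea30733d0d11989c9bfd68f3d3919ceef3f8410ea1bb
"""

SCREENCONNECT_CLIENTS = {"screenconnect.clientservice.exe",
                         "screenconnect.windowsclient.exe"}

# Relay hostnames of the ScreenConnect/Control instance(s) the organisation
# actually operates. Constructed placeholder; substitute your own.
APPROVED_RELAYS = {"helpdesk.example.test"}


def refang(s: str) -> str:
    """'hXXps://www[.]files[.]fm/x' -> 'https://www.files.fm/x'."""
    return re.sub(r"^h[xX]{2}p", "http", s.replace("[.]", "."))


def parse_iocs(text: str):
    """Return (hash set, host set) from the page's plain-text IOC block."""
    hashes, hosts = set(), set()
    for raw in text.splitlines():
        line = refang(raw.strip())
        if not line:
            continue
        m = re.fullmatch(r"(?:MD5|SHA256):\s*([0-9a-fA-F]{32}|[0-9a-fA-F]{64})", line)
        if m:
            hashes.add(m.group(1).lower())
        elif line.startswith("http"):
            hosts.add(urlsplit(line).hostname.lower())
        else:
            hosts.add(line.lower())  # bare IP address or domain
    return hashes, hosts


def relay_host(command_line: str):
    """Extract the relay from a ScreenConnect client command line. Assumes the
    relay is passed as an h= query parameter (the page does not spell this out)."""
    m = re.search(r"[?&]h=([^&\"'\s]+)", command_line)
    return m.group(1).lower() if m else None


def triage(events, hashes, hosts, approved=APPROVED_RELAYS):
    """Return (rule, detail) findings for a list of Sysmon-style event dicts."""
    findings = []
    for ev in events:
        image = ev.get("Image", "").rsplit("\\", 1)[-1].lower()
        # Rule 1 (high confidence): a file hash matches a published sample.
        for part in ev.get("Hashes", "").split(","):
            if part.partition("=")[2].lower() in hashes:
                findings.append(("known_bad_hash", ev["Image"]))
                break
        # Rule 2: a ScreenConnect client whose relay is not one we operate.
        # The binaries are the vendor's; the relay decides who is in control.
        if image in SCREENCONNECT_CLIENTS and "CommandLine" in ev:
            relay = relay_host(ev["CommandLine"])
            if relay not in approved:
                findings.append(("unapproved_screenconnect_relay", relay))
        # Rule 3 (low confidence): the listed IPs sit in shared CDN space, so a
        # match corroborates other evidence rather than justifying a block.
        dest = ev.get("DestinationIp") or ev.get("DestinationHostname")
        if dest and dest.lower() in hosts:
            findings.append(("ioc_network_low_confidence", dest))
    return findings


SC = r"C:\Program Files (x86)\ScreenConnect Client (0a1b2c3d4e5f6789)\ScreenConnect.ClientService.exe"
# Constructed sample events (Sysmon event ID 1 and 3 fields); not real telemetry.
SAMPLE_EVENTS = [
    {"Image": r"C:\Users\alice\Downloads\SecuredOnedrive.ClientSetup.exe",
     "Hashes": "MD5=8a17521918bc248d3ef11de3ba36926f,SHA256="
               "aae6ae55eba4ca78041c35694a65ac08a8e6ed54eb377398e93d6a985d7b1cc7"},
    {"Image": SC, "Hashes": "SHA256=" + "ab" * 32,  # constructed hash, not an IOC
     "CommandLine": f'"{SC}" "?e=Access&y=Guest&h=relay.attacker-controlled.test&p=8041&k=constructed"'},
    {"Image": SC, "Hashes": "SHA256=" + "cd" * 32,
     "CommandLine": f'"{SC}" "?e=Access&y=Guest&h=helpdesk.example.test&p=8041&k=constructed"'},
    {"Image": SC, "DestinationIp": "172.67.75.107", "DestinationPort": 443},
]

if __name__ == "__main__":
    h, n = parse_iocs(IOC_TEXT)
    for rule, detail in triage(SAMPLE_EVENTS, h, n):
        print(f"{rule:32} {detail}")
```

Run as-is it reports three findings: the installer by hash, the ScreenConnect client pointed at the unapproved relay, and the connection to a listed IP marked low confidence. The client reporting to the approved relay produces nothing, which is the behaviour you want when the same product is sanctioned elsewhere in the estate.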