How VEILDrive Attack Uses Microsoft Services for Stealthy Malware Distribution
deliver malware payloads and maintain long-term persistence into their targets,” detailed Brett Stone-Gross, a leading threat intelligence analyst.
Understanding VEILDrive Tactics
The campaign, which has been active since early 2020, involves a three-stage attack process.
First, the attacker sends a phishing email with a seemingly harmless link, often a document stored in OneDrive or SharePoint.
Once the target clicks on the document, a chain of redirects ensues, eventually leading to a Microsoft Teams URL.
This URL then initiates the downloading of a malicious payload via Quick Assist, a built-in Windows feature that allows remote assistance.
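The following detection script is an added example and is not code from the original article or from the researchers it quotes. It correlates the three stages described above from a defender's side: a redirect chain that starts at a OneDrive/SharePoint link and ends at a Teams URL, followed within a short window by a Quick Assist launch on the same host. The key=value log format, the sample lines, the domain lists, the QuickAssist.exe process name and the 10-minute correlation window are all assumptions made for this example.

```python
"""Flag the VEILDrive-style chain described in the text:
OneDrive/SharePoint link -> HTTP redirects -> Teams URL -> Quick Assist launch.

Assumptions (not from the article): one event per line, "ISO-timestamp key=value ...",
web events carry status/url/location, process events carry image. Sample log is constructed.
"""
import re
from datetime import datetime, timedelta
from urllib.parse import urlparse

# Constructed sample telemetry: WS01 shows the full chain, WS02 a benign SharePoint
# download and an unrelated Quick Assist session, WS03 a chain with no Quick Assist.
SAMPLE_LOG = """\
2024-05-01T10:00:00Z host=WS01 type=web status=302 url=https://contoso-my.sharepoint.com/personal/docs/invoice.docx location=https://track.example.net/r/1
2024-05-01T10:00:01Z host=WS01 type=web status=302 url=https://track.example.net/r/1 location=https://teams.microsoft.com/l/meetup-join/19%3ameeting_abc
2024-05-01T10:00:02Z host=WS01 type=web status=200 url=https://teams.microsoft.com/l/meetup-join/19%3ameeting_abc
2024-05-01T10:04:30Z host=WS01 type=process image=QuickAssist.exe parent=explorer.exe
2024-05-01T11:00:00Z host=WS02 type=web status=200 url=https://contoso-my.sharepoint.com/personal/docs/report.xlsx
2024-05-01T11:30:00Z host=WS02 type=process image=QuickAssist.exe parent=explorer.exe
2024-05-01T12:00:00Z host=WS03 type=web status=302 url=https://1drv.ms/u/s!abc123 location=https://teams.microsoft.com/l/meetup-join/19%3ameeting_xyz
2024-05-01T12:00:01Z host=WS03 type=web status=200 url=https://teams.microsoft.com/l/meetup-join/19%3ameeting_xyz
"""

START_DOMAINS = ("sharepoint.com", "onedrive.live.com", "1drv.ms")  # assumed list
END_DOMAIN = "teams.microsoft.com"
QUICK_ASSIST = "quickassist.exe"          # assumed process image name
WINDOW = timedelta(minutes=10)            # assumed correlation window

LINE_RE = re.compile(r"^(?P<ts>\S+)\s+(?P<kv>.*)$")
KV_RE = re.compile(r"(\w+)=(\S+)")


def parse_line(line):
    """Turn one 'timestamp k=v k=v' line into a dict with a datetime under 'ts'."""
    m = LINE_RE.match(line)
    ev = dict(KV_RE.findall(m.group("kv")))
    ev["ts"] = datetime.strptime(m.group("ts"), "%Y-%m-%dT%H:%M:%SZ")
    return ev


def host_of(url):
    return (urlparse(url).hostname or "").lower()


def is_start(url):
    h = host_of(url)
    return any(h == d or h.endswith("." + d) for d in START_DOMAINS)


def find_chains(events):
    """Return (host, [urls], end_ts) for each redirect chain from a start domain to Teams.

    A chain begins with a 3xx response from OneDrive/SharePoint and continues while
    each request's URL equals the previous response's Location header.
    """
    by_host = {}
    for ev in events:
        if ev.get("type") == "web":
            by_host.setdefault(ev["host"], []).append(ev)

    chains = []
    for host, evs in by_host.items():
        chain = []
        for ev in evs:
            redirect = ev.get("status", "").startswith("3")
            if chain and ev["url"] == chain[-1].get("location"):
                chain.append(ev)               # follows the previous Location
            elif redirect and is_start(ev["url"]):
                chain = [ev]                   # new chain starting at a trusted doc link
            else:
                chain = []                     # unrelated request breaks the chain
                continue
            if not redirect:                   # chain has landed somewhere
                if host_of(ev["url"]) == END_DOMAIN:
                    chains.append((host, [e["url"] for e in chain], ev["ts"]))
                chain = []
    return chains


def detect(log_text):
    """Alert when a start->Teams chain is followed by Quick Assist on the same host."""
    events = [parse_line(l) for l in log_text.splitlines() if l.strip()]
    procs = [e for e in events
             if e.get("type") == "process" and e["image"].lower().endswith(QUICK_ASSIST)]
    alerts = []
    for host, urls, end_ts in find_chains(events):
        for p in procs:
            if p["host"] == host and end_ts <= p["ts"] <= end_ts + WINDOW:
                alerts.append({"host": host, "chain": urls, "quick_assist_at": p["ts"]})
    return alerts


if __name__ == "__main__":
    for a in detect(SAMPLE_LOG):
        print(f"{a['host']}: {' -> '.join(a['chain'])} then Quick Assist at {a['quick_assist_at']}")
```

On the constructed sample this raises a single alert for WS01: WS02 downloads a document from SharePoint without any redirect, and its Quick Assist session sits outside the window, while WS03 completes the redirect chain but never launches Quick Assist. Tuning the domain list, the window and the process-name match to local telemetry is the practical work; the structure (chain reconstruction, then same-host correlation) stays the same.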
Exploiting Microsoft Services
The effectiveness of the VEILDrive campaign lies in its abuse of trusted Microsoft services to hide malicious activity in plain sight.
These services are typically whitelisted: they carry built-in trust and are rarely filtered or scrutinized by an organization’s security perimeter.
Moreover, hijacking domains and SSL certificates associated with these trusted platforms further helps the attackers evade detection.
As explained by Stone-Gross, “The use of legitimate services makes the attackers’ activities blend in with normal network traffic, which can make detection very challenging.”
Practical Advice for Professionals
Cybersecurity professionals should prioritize educating staff on the threat of phishing emails and encouraging safe email practices.
Organizations should also consider reviewing and tightening their whitelisting policies and deploying robust endpoint detection and response (EDR) solutions.
Moreover, the implementation of multi-factor authentication (MFA) on all external-facing services can provide an extra layer of security.
Regularly updating and patching systems can also help prevent the exploitation of known vulnerabilities.
Technological measures aside, fostering a culture of cybersecurity awareness among staff can be a productive step in guarding against similar attacks in the future.