Forcepoint Security Labs has revealed that cybercriminals have been using Microsoft's OneDrive for Business cloud storage locker as a means of hosting and spreading malware.
According to the company, cybercriminals have been using Microsoft's cloud services to trick users into downloading malware since August of this year. In order to spread malware, the attackers have used compromised OneDrive accounts and MySite links to target unsuspecting users via links inside emails.
If a user clicks on one of the links, an infected archive file or executable file is downloaded onto their system. To make matters worse, the cybercriminals behind these attacks are spreading the links through major email campaigns, which allow them to target as many users as possible in a short span of time.
Forcepoint provided a sample of the scam used in the attacks that utilised an invoice linked in a OneDrive for Business account. The victim is tempted into opening the link in order to receive their payment, which is why the unpaid invoice trick is so effective. By using OneDrive for Business, the cybercriminals hope to make their links appear more legitimate to their would-be victims. Seeing as genuine OneDrive accounts have been compromised, these attacks have a much higher success rate.
As of now, the scam is primarily focused on users in Australia and the UK. Australian users have received 55 per cent of the scam emails while British users have received 40 per cent. This scam serves as a constant reminder to always be hesitant about opening any link that appears in an email.
Senior security researcher at Forcepoint, Roland Dela Paz warned both employees and businesses of the threat that this scam presents, saying: “While it is unknown how OneDrive for business accounts are being compromised, it entails additional risk not only for the compromised user but also for the affected business as it means that the attackers may also have access to other business assets and contacts.
“In addition, the URL format of OneDrive for Business download links contains the business domain name of a compromised user. This can consequently tarnish the reputation of a business.”