6 November 2024

VEILDrive threat actors exploit Microsoft services in novel C2 campaign

Security firm Hunters has uncovered a sophisticated phishing campaign, dubbed “VEILDrive,” which leverages multiple Microsoft services as command-and-control (C2) infrastructure. The campaign, suspected to be of Russian origin, has been active since early August 2024 and remains ongoing.

The VEILDrive campaign was first detected in September 2024 during an incident response at a US critical infrastructure entity. Researchers traced the intrusion back to early August, revealing an infrastructure abuse tactic that combined Microsoft services including Teams, SharePoint, Quick Assist, OneDrive, and Azure AD. Through these platforms, the threat actors orchestrated spear-phishing attacks, hosted malicious files, and conducted C2 communications.

What sets VEILDrive apart from typical threat campaigns is its extensive use of Microsoft Software as a Service (SaaS) applications for C2 purposes.

Microsoft Teams was employed to deliver spear-phishing messages that enticed victims to download and run a remote management tool. Quick Assist codes were then sent via Teams messages to secure initial remote access.

SharePoint was used as a distribution hub: malicious files were hosted on a compromised tenant (“Org B”) and shared with other organizations (“Org C”) through SharePoint links. Once downloaded, the attacker could gain remote access to the target through Quick Assist.

A unique C2 method leveraged OneDrive for remote command execution. The threat actors used OneDrive to gain capabilities like taking screenshots, uploading/downloading files, and executing commands on compromised devices.

The attackers used an Azure VM for HTTPS socket C2 communications. Additionally, they leveraged an Azure AD application to authenticate their own user accounts, gaining access to the OneDrive home folders of compromised accounts.
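The OneDrive-as-C2 pattern described above leaves a recognisable footprint on the defender's side: a single application identity reading the OneDrive home folders of many unrelated users, and doing so on a near-constant polling interval. The following Python script is an added illustration of that detection idea and is not code from Hunters or from the VEILDrive report. The event tuples, the application IDs, the user names and the field layout are all constructed for the example and do not reproduce Microsoft's real audit-log schema; thresholds are assumptions a team would tune against its own baseline.

```python
"""Heuristic detection of a cloud-storage C2 pattern (added example).

Scores constructed file-access events for two signs of the pattern the
VEILDrive write-up describes:
  1. one application reading the OneDrive of many distinct users, and
  2. that application polling on a near-constant interval (beacon-like).

The (timestamp, app_id, user, operation) layout is an assumption made for
this example; it is not Microsoft's unified audit log format.
"""
from collections import defaultdict
from datetime import datetime, timedelta
from statistics import mean, pstdev


def build_sample_events():
    """Constructed sample data: one benign Office client and one
    hypothetical application ('app-suspect') that polls four home folders."""
    base = datetime(2024, 8, 5, 9, 0, 0)
    events = []
    # Benign: a single user's own client, irregular access times
    for offset in (0, 95, 400, 1800, 5400):
        events.append((base + timedelta(seconds=offset),
                       "app-benign-office", "alice@example.test",
                       "FileAccessed"))
    # Suspicious: one app id touching four different users every 60 s
    users = ["u1@example.test", "u2@example.test",
             "u3@example.test", "u4@example.test"]
    for i in range(12):
        events.append((base + timedelta(seconds=60 * i),
                       "app-suspect", users[i % 4], "FileAccessed"))
    return sorted(events)


def analyze(events, min_users=3, max_jitter_ratio=0.2, min_polls=6):
    """Return {app_id: [reason, ...]} for applications whose OneDrive
    access fans out across users or looks like periodic polling.

    min_users        - distinct users an app must touch to be flagged
    max_jitter_ratio - stdev/mean of inter-access gaps below which the
                       access cadence counts as near-constant
    min_polls        - minimum events before cadence is judged at all
    """
    by_app = defaultdict(list)
    for ts, app, user, op in events:
        if op == "FileAccessed":
            by_app[app].append((ts, user))

    findings = {}
    for app, rows in by_app.items():
        rows.sort()
        distinct_users = {u for _, u in rows}
        gaps = [(rows[i][0] - rows[i - 1][0]).total_seconds()
                for i in range(1, len(rows))]

        periodic = False
        if len(gaps) >= min_polls - 1:
            avg = mean(gaps)
            periodic = avg > 0 and pstdev(gaps) / avg <= max_jitter_ratio

        reasons = []
        if len(distinct_users) >= min_users:
            reasons.append(
                f"accessed OneDrive of {len(distinct_users)} distinct users")
        if periodic:
            reasons.append(
                f"near-constant polling interval (~{mean(gaps):.0f}s)")
        if reasons:
            findings[app] = reasons
    return findings


if __name__ == "__main__":
    for app, why in analyze(build_sample_events()).items():
        print(app, "->", "; ".join(why))
```

In a real deployment the fan-out check should be scoped to application identities that are not expected to act on behalf of many users, and the cadence check is only meaningful once an app has produced enough events to compare against its own baseline; both thresholds here are illustrative.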

Those interested in the more detailed technical analysis of the threat campaign can read Hunters’ report here.
