VEILDrive Attack Exploits Microsoft Services for Evasion and Malware Distribution

Nov 06, 2024Ravie LakshmananSaaS Security / Threat Detection

An active threat tactic named VEILDrive has been identified leveraging lawful services from Microsoft, such as Teams, SharePoint, Quick Assist, and OneDrive, within its operational approach.

“Exploiting Microsoft SaaS services — including Teams, SharePoint, Quick Assist, and OneDrive — the attacker utilized the trusted infrastructures of previously compromised organizations to spread spear-phishing attacks and warehouse malware,” a new report from Israeli cybersecurity firm Hunters revealed.

“This cloud-focused tactic enabled the threat actor to evade detection by conventional surveillance systems.”

Hunters detected the campaign in September 2024 while responding to a cyber incident at a critical infrastructure entity in the United States. The company’s name was not disclosed; it is referred to as “Org C.”

The activity apparently began a month earlier, with the attack culminating in the introduction of a Java-based malware that uses OneDrive for command-and-control (C2).

The adversary executing the operation purportedly sent Teams messages to four Org C employees by posing as an IT team member, seeking remote access to their systems via the Quick Assist utility.

What distinguished this initial breach method was that the attacker leveraged a user account linked to a possible prior victim (Org A) instead of creating a new account for this particular purpose.

“The Microsoft Teams messages sent to Org C’s targeted users were facilitated by Microsoft Teams’ ‘External Access’ feature, enabling one-on-one communication with any external organization by default,” Hunters noted.

In the subsequent step, the attacker shared a SharePoint download link through the chat to a ZIP file (“Client_v8.16L.zip”) hosted on a different tenant (Org B). This ZIP file contained, among other items, a remote access tool named LiteManager.

The remote access acquired through Quick Assist was then utilized to create scheduled tasks on the system, enabling the periodic execution of the LiteManager remote monitoring and management (RMM) software.
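The persistence step above leaves a scheduled task pointing at an RMM binary that was extracted into the user's profile. The following detection logic is an added example, not code from the article or from the Hunters report: it takes simplified Windows Security event 4698 (scheduled task created) records, parses the task XML they carry, and flags tasks whose action names a remote-control tool or launches from a user-writable directory. The records, task names and paths are constructed for illustration, and the RMM name list beyond LiteManager is an assumption to tune per environment.

```python
"""Review newly created scheduled tasks for RMM persistence from user paths.

Added example, not code from the Hunters report. The input is a constructed
list of simplified Windows Security event 4698 (scheduled task created)
records carrying the task XML; task names, paths and users are made up.
"""
import re
import xml.etree.ElementTree as ET

# Substrings that identify remote-control tools in a task action. LiteManager is
# the tool from the report; the rest are common RMM names added as assumptions.
RMM_INDICATORS = ("litemanager", "anydesk", "teamviewer", "screenconnect", "atera")

# Locations a standard user can write to. Persistence that launches from here
# deserves a look; a vendor task under Program Files usually does not.
USER_WRITABLE = re.compile(
    r"^[a-z]:\\(?:users\\[^\\]+\\|programdata\\|temp\\|windows\\temp\\)", re.IGNORECASE)

# Namespace Windows uses for task definitions in the 4698 TaskContent field.
TASK_NS = {"t": "http://schemas.microsoft.com/windows/2004/02/mit/task"}


def parse_task_actions(task_xml):
    """Return (command, arguments) pairs from a scheduled-task XML body."""
    root = ET.fromstring(task_xml)
    actions = []
    for node in root.findall(".//t:Actions/t:Exec", TASK_NS):
        cmd = node.findtext("t:Command", "", TASK_NS).strip().strip('"')
        args = node.findtext("t:Arguments", "", TASK_NS).strip()
        actions.append((cmd, args))
    return actions


def evaluate_task_event(event):
    """Reasons to review one 4698 record; an empty list means nothing matched."""
    reasons = []
    for cmd, args in parse_task_actions(event["TaskContent"]):
        lowered = f"{cmd} {args}".lower()
        if any(tag in lowered for tag in RMM_INDICATORS):
            reasons.append(f"RMM indicator in action: {cmd}")
        if USER_WRITABLE.match(cmd):
            reasons.append(f"binary in user-writable path: {cmd}")
    return reasons


def scan_events(events):
    """Map task name -> reasons for every event that raised at least one."""
    findings = {}
    for event in events:
        reasons = evaluate_task_event(event)
        if reasons:
            findings[event["TaskName"]] = reasons
    return findings


def task_xml(command, arguments=""):
    """Build a minimal task body in the shape Windows logs in event 4698."""
    return (
        '<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">'
        '<Actions Context="Author"><Exec>'
        f'<Command>{command}</Command><Arguments>{arguments}</Arguments>'
        '</Exec></Actions></Task>')


# Constructed records: the first mimics the report's pattern (RMM extracted from
# the downloaded ZIP, run periodically from the user's profile); the second is an
# ordinary vendor updater installed under Program Files.
SAMPLE_EVENTS = [
    {"TaskName": r"\Client Update", "SubjectUserName": "jdoe",
     "TaskContent": task_xml(r"C:\Users\jdoe\Downloads\Client_v8.16L\litemanager_server.exe", "/silent")},
    {"TaskName": r"\VendorUpdate", "SubjectUserName": "SYSTEM",
     "TaskContent": task_xml(r"C:\Program Files\Vendor\Updater.exe", "/check")},
]

if __name__ == "__main__":
    for name, reasons in scan_events(SAMPLE_EVENTS).items():
        print(name, "->", "; ".join(reasons))
```

In production the 4698 records would come from a SIEM or Windows Event Forwarding rather than an inline list; the path check is the more durable of the two signals, since RMM binaries are often renamed while the launch location is harder to change without losing the quick-and-silent install the operator wants.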

A second ZIP file (“Cliento.zip”) was downloaded using the same technique; it included the Java-based malware as a Java archive (JAR) along with an entire Java Development Kit (JDK) to run it.

The malware is designed to connect to a OneDrive account controlled by the attacker using hard-coded Entra ID (previously Azure Active Directory) credentials, employing it as a C2 to retrieve and run PowerShell commands on the compromised system through the Microsoft Graph API.

It also includes a fallback mechanism that opens an HTTPS socket to a remote Azure virtual machine, which is then used to receive and execute commands via PowerShell.
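Because the implant talks only to Microsoft endpoints (Entra ID for its credentials, Graph for OneDrive) and falls back to a plain HTTPS socket, network-layer blocking is of little use; the anomaly lives in which process is making the connections and how regularly. The checks below are an added example, not code from the Hunters report or from the malware. They run over a constructed list of simplified Sysmon records (EventID 1 process creation, EventID 3 network connection) and look for a java.exe launched with a JAR from a user directory, non-allow-listed processes reaching Graph or Entra ID, evenly spaced polling to one destination, and port-443 connections from the suspect process to anything outside Graph or Entra ID. All paths, hostnames, IPs, times and the allow list are assumptions.

```python
"""Endpoint telemetry checks for the OneDrive/Graph C2 pattern in the article.

Added example; it is not code from the Hunters report or from the malware.
Input is a constructed list of simplified Sysmon records (EventID 1 = process
create, EventID 3 = network connection). All paths, hostnames, IPs and times
are made up for illustration; the tuning lists are assumptions to adapt.
"""
from collections import defaultdict
from datetime import datetime

# Endpoints the report says the implant uses: Entra ID for its hard-coded
# credentials and Graph for the OneDrive reads/writes that carry commands.
GRAPH_HOSTS = {"graph.microsoft.com", "login.microsoftonline.com"}

# Processes expected to reach Graph on a workstation (assumed allow list).
EXPECTED_GRAPH_CLIENTS = {"onedrive.exe", "outlook.exe", "ms-teams.exe", "teams.exe",
                          "msedge.exe", "chrome.exe", "firefox.exe"}


def image_name(path):
    """Basename of a Windows image path, lower-cased."""
    return path.rsplit("\\", 1)[-1].lower()


def is_user_path(path):
    """True for binaries living under C:\\Users (the bundled JDK would)."""
    return path.lower().startswith("c:\\users\\")


def destination(event):
    """Sysmon may omit the hostname; fall back to the IP."""
    return (event.get("DestinationHostname") or event["DestinationIp"]).lower()


def find_jar_from_user_dir(events):
    """Process starts where a user-directory java.exe runs a JAR (bundled JDK)."""
    return [e for e in events
            if e["EventID"] == 1
            and image_name(e["Image"]) in ("java.exe", "javaw.exe")
            and is_user_path(e["Image"])
            and "-jar" in e["CommandLine"].lower()]


def find_unexpected_graph_clients(events):
    """(process, host) pairs where a non-allow-listed process talks to Graph/Entra."""
    pairs = {(image_name(e["Image"]), destination(e))
             for e in events
             if e["EventID"] == 3 and destination(e) in GRAPH_HOSTS
             and image_name(e["Image"]) not in EXPECTED_GRAPH_CLIENTS}
    return sorted(pairs)


def find_periodic_beacons(events, min_count=3, tolerance=0.2):
    """{(process, destination): mean_interval_s} for regularly spaced
    connections, which is what a polling C2 loop looks like in the log."""
    series = defaultdict(list)
    for e in events:
        if e["EventID"] == 3:
            series[(image_name(e["Image"]), destination(e))].append(
                datetime.strptime(e["UtcTime"], "%Y-%m-%d %H:%M:%S"))
    beacons = {}
    for key, times in series.items():
        if len(times) < min_count:
            continue
        times.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        mean = sum(gaps) / len(gaps)
        if mean > 0 and (max(gaps) - min(gaps)) / mean <= tolerance:
            beacons[key] = mean
    return beacons


def find_fallback_https(events, suspect_images):
    """Port-443 connections from suspect processes to anything other than the
    Graph/Entra endpoints; the report's backup channel to an Azure VM lands here."""
    return [(image_name(e["Image"]), destination(e))
            for e in events
            if e["EventID"] == 3 and e["DestinationPort"] == 443
            and image_name(e["Image"]) in suspect_images
            and destination(e) not in GRAPH_HOSTS]


JAVA = r"C:\Users\jdoe\Cliento\jdk\bin\java.exe"  # constructed path

def net(t, image, host, ip, port=443):
    return {"EventID": 3, "UtcTime": t, "Image": image,
            "DestinationHostname": host, "DestinationIp": ip, "DestinationPort": port}

# Constructed telemetry: the JAR start, the token request, four evenly spaced
# Graph polls, one fallback connection to a bare IP, and a benign browser call.
SAMPLE_EVENTS = [
    {"EventID": 1, "UtcTime": "2024-09-10 10:00:00", "Image": JAVA,
     "CommandLine": f'"{JAVA}" -jar C:\\Users\\jdoe\\Cliento\\client.jar'},
    net("2024-09-10 10:00:05", JAVA, "login.microsoftonline.com", "192.0.2.10"),
    net("2024-09-10 10:00:07", JAVA, "graph.microsoft.com", "192.0.2.20"),
    net("2024-09-10 10:03:00", r"C:\Program Files\Microsoft\Edge\Application\msedge.exe",
        "graph.microsoft.com", "192.0.2.20"),
    net("2024-09-10 10:05:07", JAVA, "graph.microsoft.com", "192.0.2.20"),
    net("2024-09-10 10:10:07", JAVA, "graph.microsoft.com", "192.0.2.20"),
    net("2024-09-10 10:15:07", JAVA, "graph.microsoft.com", "192.0.2.20"),
    net("2024-09-10 10:20:00", JAVA, None, "203.0.113.10"),
]

if __name__ == "__main__":
    print(find_jar_from_user_dir(SAMPLE_EVENTS))
    print(find_unexpected_graph_clients(SAMPLE_EVENTS))
    print(find_periodic_beacons(SAMPLE_EVENTS))
    print(find_fallback_https(SAMPLE_EVENTS, {"java.exe"}))
```

The four checks are deliberately independent: the allow-list check catches the first token request before any polling pattern exists, the interval check does not care which host is polled, and the fallback check only needs the suspect image name, so the implant switching from Graph to its Azure VM socket does not escape all of them at once.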

This is not the first time the Quick Assist utility has been abused in this manner. Earlier in May, Microsoft warned that a financially motivated cybercriminal group tracked as Storm-1811 was misusing Quick Assist by posing as IT staff to gain access and deploy Black Basta ransomware.

These developments come shortly after the Windows maker said it had observed attacks abusing legitimate file hosting services such as SharePoint, OneDrive, and Dropbox to evade detection.

“This SaaS-centric approach complicates real-time identification and circumvents traditional security measures,” Hunters emphasized. “With no obfuscation and well-organized code, this malware breaks the usual evasion-focused design trend, making it unusually legible and direct.”
