VEILDrive Attack Exploits Microsoft Services to Evade Detection and Distribute Malware


The VEILDrive threat campaign leverages legitimate Microsoft services—Teams, SharePoint, Quick Assist, and OneDrive—to distribute spear-phishing attacks, store malware, and establish command-and-control (C2) channels, complicating detection by traditional monitoring systems. Discovered by Hunters in September 2024, the campaign targeted a U.S. critical infrastructure organization ("Org C") by using compromised accounts from other organizations (Org A and Org B) to impersonate IT personnel, send Teams messages, and request remote access via Quick Assist. The attackers distributed malware, including a Java-based component that connects to OneDrive using hard-coded credentials for C2 operations via Microsoft Graph API, with a fallback to an Azure VM for PowerShell command execution. This tactic exemplifies a recent trend of abusing trusted SaaS platforms for covert operations, sidestepping traditional defenses with un-obfuscated, straightforward malware.

Read More


thumb-image

Solutions