Apply

Security Advisory

OneDrive File Download Phishing (email containing password to document)

Threat Level: Medium
Threat Type: PhishingAdvisory
Date: 07/13/2023

Description

The University has been receiving malicious replies to previously existing email chains from known addresses.

When an email account is compromised by malicious actors, the malicious actor replies to previously existing email conversations with links to malicious OneDrive files.  The link leads to an encrypted file download.  The file's encryption password is given in the body of the email.

Once the email is downloaded, unencrypted and run, the file installs remote access software and starts to scan the network for more targets.

Because this phishing attack comes in the form of a reply to a previously existing email conversation it can be personal and specific to the department or individual making it difficult to detect.  Phishing attacks are often only received by a single user and can often go unnoticed by the security team.

We suggest that users take extra care when receiving OneDrive links in their email and avoid any emails which contain file downloads to password encrypted files.



Example Email:

From: John Smith <KnownUser@Domain.com>
To: Regina.User@uregina.ca
Subject: Re: Previously Received Email
Contents:
Hi there,

I do think you are interested in this data. Please remember to find it in the following link.

https://onedrive.live.com/download?cid=992F9FC57989DED4&resid=992F9FC57989DED4%21105&authkey=ANlvSdNH7ZokYco

File password: BK4565

Impact

This style of phishing attack can be successful because it's often mistaken for a reply from a legitimate email thread.

To date, we beleive that our Sophos AntiVirus software has been successful in blocking the attack.  This may not be the case in the future.

Should an attack succeed, it's likely that a threat actor will gain remote access to an affected system and attempt to compromise further systems within the network.

Resolution

The email can be reported to the IT Support Centre and deleted.

If you are uncertain about the legitimacy of an email message, forward the email message as an attachment to the IT Support Centre for verification.

If you have opened an attachment, please contact the IT support Centre.

Resources

Please contact the IS Service Desk if you have any questions or require assistance:
Email Service.Desk@uregina.ca
Phone 306-585-4685
Webform https://www.uregina.ca/is/forms/ticket.html
In Person at ED 137 or Archer Library Commons

Report malicious OneDrive files to Microsoft:

https://www.microsoft.com/en-ca/concern/onedrive