New Double-Edged Email Attack Stealing Office365 Credentials and Delivering Malware


Apr 10, 2025 - 12:42

A phishing campaign has emerged that packs two outcomes into one lure: depending on which link the victim follows, it either steals Microsoft Office365 credentials or delivers malware.

The hybrid attack begins with deceptive emails disguised as file-deletion reminders from a legitimate file-sharing service, creating a false sense of urgency that pushes users to act immediately to preserve supposedly important documents.

Email Body (Source – Cofense)

The attack cleverly exploits user trust by leveraging files.fm, a legitimate cloud storage platform, as its initial delivery mechanism.

Recipients receive warnings about impending file deletions with subject lines referencing business documents, prompting them to click on hyperlinked document names that direct them to actual files.fm pages.

Attachment download page (Source – Cofense)

This approach significantly enhances the attack’s credibility, as users interact with a genuine file-sharing service in the early stages of the infection chain.

Cofense Phishing Defense Center (PDC) researchers identified this campaign and noted its particularly insidious “pick your poison” approach.

After downloading and opening the shared PDF file, users are presented with two seemingly innocent options: “Preview” or “Download” – each leading to different but equally damaging outcomes.

This bifurcated attack vector maximizes success rates by providing multiple paths to compromise.

The credential harvesting component activates when users select “Preview.” This action redirects victims to a convincing but fraudulent Microsoft login page that closely mimics the authentic interface.

Fake Microsoft Login (Phish Page) (Source – Cofense)

Although the page carries familiar Microsoft branding, it contains subtle inconsistencies, most importantly that it is served from a non-Microsoft domain rather than Microsoft's genuine sign-in host, login.microsoftonline.com.

However, these warning signs are often overlooked in the moment, resulting in credential theft when users attempt to authenticate.

Alternatively, selecting “Download” retrieves an executable named “SecuredOneDrive.ClientSetup.exe.”

The file name imitates Microsoft software, but running it installs a ConnectWise RAT (Remote Access Trojan): an instance of ConnectWise's legitimate remote administration client, configured to report to an attacker-controlled instance, so that a trusted remote-support tool is what provides the unauthorized access.
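As an added example, not code from the Cofense report or from Cyber Security News, the following Python pulls the link targets out of a lure PDF without opening it in a reader, then applies the domain check the article describes to each link: a URL only counts as a Microsoft sign-in if its host is exactly one of Microsoft's login hosts, so both the userinfo trick (login.microsoftonline.com@evil.example) and the prefix trick (login.microsoftonline.com.evil.example) are rejected, while a link whose path ends in .exe is flagged as an executable download. The minimal PDF, its hostnames, the lookalike word list and the allowlist contents are constructed assumptions for the demonstration.

```python
import re
from typing import List, Tuple
from urllib.parse import urlsplit

# Hosts Microsoft actually serves interactive sign-in from. Assumption: extend this
# with your tenant's federation hosts (ADFS, custom domains) before using it as policy.
MICROSOFT_LOGIN_HOSTS = {
    "login.microsoftonline.com",
    "login.live.com",
    "login.microsoft.com",
}

# Words a Microsoft-branded phish tends to put somewhere in the URL (assumption).
LOOKALIKE_WORDS = ("microsoft", "office", "onedrive", "sharepoint", "login", "signin")

# /URI (...) literal strings in an uncompressed PDF. Links stored inside FlateDecode
# streams or object streams must be inflated first before this regex can see them.
_URI_RE = re.compile(rb"/URI\s*\((?P<uri>(?:\\.|[^\\)])*)\)")


def extract_pdf_uris(pdf_bytes: bytes) -> List[str]:
    """Return every /URI action target in the raw PDF, in file order, without rendering it."""
    uris = []
    for m in _URI_RE.finditer(pdf_bytes):
        raw = m.group("uri")
        # Undo the PDF literal-string escapes that can appear inside a URL.
        raw = raw.replace(rb"\(", b"(").replace(rb"\)", b")").replace(rb"\\", b"\\")
        uris.append(raw.decode("latin-1"))
    return uris


def classify_url(url: str) -> str:
    """Label a link as 'microsoft-login', 'executable-download', 'lookalike-login' or 'other'.

    urlsplit().hostname already strips userinfo and port, so a URL such as
    https://login.microsoftonline.com@evil.example/ resolves to host evil.example,
    and a prefix trick like login.microsoftonline.com.evil.example fails the exact match.
    """
    parts = urlsplit(url)
    host = (parts.hostname or "").lower().rstrip(".")
    if parts.scheme == "https" and host in MICROSOFT_LOGIN_HOSTS:
        return "microsoft-login"
    if parts.path.lower().endswith(".exe"):
        return "executable-download"
    if any(word in url.lower() for word in LOOKALIKE_WORDS):
        return "lookalike-login"
    return "other"


def triage_lure(pdf_bytes: bytes) -> List[Tuple[str, str]]:
    """Pair each link in the lure PDF with its classification."""
    return [(classify_url(u), u) for u in extract_pdf_uris(pdf_bytes)]


# Constructed minimal PDF with two link annotations standing in for the "Preview" and
# "Download" buttons; the hostnames are invented placeholders, not the campaign's infrastructure.
SAMPLE_LURE_PDF = (
    b"%PDF-1.4\n"
    b"1 0 obj << /Type /Annot /Subtype /Link /Rect [72 700 200 720] "
    b"/A << /S /URI /URI (https://login.microsoftonline.com.verify-docs.example/preview) >> >> endobj\n"
    b"2 0 obj << /Type /Annot /Subtype /Link /Rect [72 660 200 680] "
    b"/A << /S /URI /URI (https://cdn.share-files.example/SecuredOneDrive.ClientSetup.exe) >> >> endobj\n"
    b"%%EOF\n"
)

if __name__ == "__main__":
    for label, url in triage_lure(SAMPLE_LURE_PDF):
        print(f"{label:22} {url}")
```

The regex only sees URIs stored as plain literal strings; real lures often keep their annotations inside compressed streams, so decompress the file first (for example with qpdf --qdf --object-streams=disable) and treat an empty result as "could not inspect", never as "clean".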

Infection Mechanism Analysis

The infection chain, documented in Figure 6 of the Cofense report, shows how carefully the lure was built.

Once the initial PDF is opened, the two paths lead to different compromises: the “Preview” path yields the victim's Office365 credentials, while the “Download” path hands the attacker remote control of the victim's endpoint.

Infection Chain (Source – Cofense)

The PDF itself serves as a convincing lure document, displaying what appears to be a standard file preview interface with seemingly helpful action buttons.

When executed, the malware establishes persistence by registering a Windows service configured for automatic startup, as shown in Figures 9.1 and 9.2, so that it survives reboots.

That service registration is recorded in the Windows registry under HKEY_LOCAL_MACHINE (the service's own key beneath SYSTEM\CurrentControlSet\Services), where the Start value is set to “0x00000002”, SERVICE_AUTO_START, so the service is launched at every boot without user interaction.

Because the agent runs as a service rather than a user process, cleanup means stopping and deleting the service and its registry key rather than just terminating the process, and any credentials entered on the phishing page must be reset as well.

The malware connects to a command and control (C2) server at “instance-i4zsy0relay.screenconnect.com:443,” enabling remote attackers to execute commands, exfiltrate data, and potentially move laterally through compromised networks. Since screenconnect.com is ConnectWise's own cloud relay domain, this is HTTPS to a vendor host that many organizations already permit for legitimate remote support; detection should key on the specific instance subdomain, or on any ScreenConnect instance the organization did not deploy, rather than on the domain alone.

Analysis of the malware reveals it’s built on ConnectWise Control (formerly ScreenConnect), a legitimate remote administration tool that has been repurposed for malicious activities.
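The persistence and C2 behaviour described above maps onto a small set of host telemetry events. As an added example that is not part of the Cofense report or this article, the Python below runs four detections over constructed Sysmon/System log lines: a filename tripwire for the dropper (Sysmon event 1), a new service whose ImagePath is the ScreenConnect client (Windows System event 7045), the Start=0x00000002 write under that service's registry key (Sysmon event 13), and HTTPS connections to *.screenconnect.com relays (Sysmon event 3), ranking each finding by whether the relay is the one published for this campaign, an instance the organization sanctioned, or an unknown one. The sample events, file paths, service hash and the “helpdesk” instance are invented; the sanctioned-relay set and the command-line format of the client service are assumptions to verify against your own deployment.

```python
import json
import re
from typing import List, Optional, Tuple

# Instances you expect to see on your hosts: assumption, fill in from your RMM inventory.
SANCTIONED_RELAYS = {"instance-helpdeskrelay.screenconnect.com"}
# Relay published in the Cofense write-up for this campaign.
KNOWN_C2_RELAYS = {"instance-i4zsy0relay.screenconnect.com"}

# The ScreenConnect client service carries its relay in the service command line
# ("?e=Access&...&h=<relay>&p=443"); pull the host out of the ImagePath. Assumed format.
_RELAY_IN_CMDLINE = re.compile(r"[?&]h=([A-Za-z0-9.-]+\.screenconnect\.com)", re.I)

# Constructed sample telemetry (System 7045 plus Sysmon 1/3/13 fields as JSON lines).
# Paths, service hash and the "helpdesk" instance are invented; only the i4zsy0 relay is from the report.
SAMPLE_EVENTS = [
    {"EventID": 1, "Image": r"C:\Users\alice\Downloads\SecuredOneDrive.ClientSetup.exe",
     "ParentImage": r"C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe"},
    {"EventID": 7045, "ServiceName": "ScreenConnect Client (d1f2a3b4c5d6e7f8)",
     "ImagePath": r'"C:\Program Files (x86)\ScreenConnect Client (d1f2a3b4c5d6e7f8)\ScreenConnect.ClientService.exe" "?e=Access&y=Guest&h=instance-i4zsy0relay.screenconnect.com&p=443"',
     "StartType": "auto start"},
    {"EventID": 13, "TargetObject": r"HKLM\System\CurrentControlSet\Services\ScreenConnect Client (d1f2a3b4c5d6e7f8)\Start",
     "Details": "DWORD (0x00000002)"},
    {"EventID": 3, "Image": r"C:\Program Files (x86)\ScreenConnect Client (d1f2a3b4c5d6e7f8)\ScreenConnect.ClientService.exe",
     "DestinationHostname": "instance-i4zsy0relay.screenconnect.com", "DestinationPort": 443},
    {"EventID": 3, "Image": r"C:\Program Files (x86)\ScreenConnect Client (0a1b2c3d4e5f6071)\ScreenConnect.ClientService.exe",
     "DestinationHostname": "instance-helpdeskrelay.screenconnect.com", "DestinationPort": 443},
]
SAMPLE_LOG = "\n".join(json.dumps(e) for e in SAMPLE_EVENTS)


def relay_severity(relay: Optional[str]) -> str:
    """Rank a ScreenConnect relay: published C2 > unknown instance > your own instance."""
    if relay is None:
        return "high"          # ScreenConnect service with no parseable relay: still inspect it
    if relay in KNOWN_C2_RELAYS:
        return "critical"
    if relay in SANCTIONED_RELAYS:
        return "info"
    return "high"


def detect(log_text: str) -> List[Tuple[str, str, str, Optional[str]]]:
    """Return (severity, rule, subject, relay) for each event matching a campaign behaviour."""
    findings = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ev = json.loads(line)
        eid = ev.get("EventID")
        image = ev.get("Image", "")
        if eid == 1 and image.lower().endswith(r"\securedonedrive.clientsetup.exe"):
            # Filename IOC from the report; trivially evaded by renaming, so a tripwire only.
            findings.append(("high", "dropper_executed", image, None))
        elif eid == 7045 and "screenconnect" in ev.get("ImagePath", "").lower():
            m = _RELAY_IN_CMDLINE.search(ev["ImagePath"])
            relay = m.group(1).lower() if m else None
            findings.append((relay_severity(relay), "service_installed", ev.get("ServiceName", ""), relay))
        elif (eid == 13 and "screenconnect" in ev.get("TargetObject", "").lower()
              and ev["TargetObject"].lower().endswith(r"\start")
              and ev.get("Details") == "DWORD (0x00000002)"):
            # Start=2 is SERVICE_AUTO_START: the registry side of the persistence in the report.
            findings.append(("medium", "autostart_set", ev["TargetObject"], None))
        elif eid == 3 and ev.get("DestinationHostname", "").lower().endswith(".screenconnect.com"):
            relay = ev["DestinationHostname"].lower()
            findings.append((relay_severity(relay), "relay_connection", image, relay))
    return findings


if __name__ == "__main__":
    for sev, rule, subject, relay in detect(SAMPLE_LOG):
        print(f"[{sev:8}] {rule:18} {subject}  relay={relay}")
```

The sanctioned-instance set is what keeps this usable in an environment that legitimately runs ConnectWise Control: the connection rule still fires on the help desk's own relay, but at informational severity, while any instance that is neither sanctioned nor already published lands at high and deserves the same response as the known C2 relay until proven otherwise.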


The post New Double-Edged Email Attack Stealing Office365 Credentials and Delivering Malware appeared first on Cyber Security News.