An ongoing threat campaign dubbed VEILDrive has been observed taking advantage of legitimate Microsoft services, including Teams, SharePoint, Quick Assist, and OneDrive, as part of its modus operandi.
Overview of the Attack: “Leveraging Microsoft SaaS services — including Teams, SharePoint, Quick Assist, and OneDrive — the attacker exploited the trusted infrastructures of previously compromised organizations to distribute spear-phishing attacks and store malware,” Israeli cybersecurity company Hunters said in a recent report. “This cloud-centric strategy allowed the threat actor to avoid detection by conventional monitoring systems.”
Discovery and Impact: Hunters discovered the campaign in September 2024 after responding to a cyber incident targeting a critical infrastructure organization in the United States, designated as “Org C.” The attack began a month earlier, culminating in the deployment of Java-based malware that uses OneDrive for command-and-control (C2).
Attack Methodology: The threat actor impersonated an IT team member and sent Teams messages to four employees of Org C, requesting remote access via the Quick Assist tool. Uniquely, the attacker used an account from a potential prior victim (Org A) instead of creating a new one.
“The Microsoft Teams messages received by the targeted users of Org C were enabled by Teams’ ‘External Access’ functionality,” Hunters said.
The attacker then shared a SharePoint download link to a ZIP archive hosted on a different tenant (Org B). The ZIP archive contained a remote access tool named Lite Manager and a second ZIP file containing Java-based malware.
Malware Capabilities: The malware connects to an adversary-controlled OneDrive account using hard-coded Entra ID (formerly Azure Active Directory) credentials, using it as a C2 channel for executing PowerShell commands via the Microsoft Graph API. It also has a fallback mechanism that opens an HTTPS socket to a remote Azure virtual machine for command execution.
Past Incidents and Current Challenges: This is not the first misuse of the Quick Assist program. Earlier in May, Microsoft warned of Storm-1811, a cybercriminal group that used Quick Assist features to deploy Black Basta ransomware by posing as IT professionals.
Recent campaigns have also abused legitimate file hosting services like SharePoint, OneDrive, and Dropbox to evade detection. “This SaaS-dependent strategy complicates real-time detection and bypasses conventional defenses,” Hunters said. “With zero obfuscation and well-structured code, this malware defies typical evasion-focused designs.”