
Dridex Spread via Compromised OneDrive for Business Accounts


Forcepoint researchers have disclosed a new wave of attacks that abuse Microsoft’s OneDrive for Business. Cybercriminals are hosting malware on the service and placing links to it in emails that are then sent to users.

The researchers say that:

(…) cybercriminals have started to utilize compromised OneDrive for Business accounts for hosting malware since at least August of this year. OneDrive for Business is a paid Microsoft service for businesses where employees can store and share files. Each registered employee has a personal URL called “MySite” where work-related files can be uploaded and shared, even to external parties. The following shows the format of a MySite URL:

  • https://{business domain name}-my.sharepoint.com/personal/{employee user name}_{business domain name}/
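As an added defender-side example (not code from the Forcepoint report or from this article), the following Python picks out links in an email body that point at a OneDrive for Business MySite, names the tenant and user the link belongs to, and marks downloads of the file types the campaign used, so such mail can be routed for review. The tenant, user and file names in the sample mail are made up, and the extension list is an assumption.

```python
import os
import re
from urllib.parse import urlparse

# Host pattern of a OneDrive for Business "MySite": {tenant}-my.sharepoint.com
MYSITE_HOST_RE = re.compile(r"^(?P<tenant>[a-z0-9-]+)-my\.sharepoint\.com$", re.IGNORECASE)
URL_RE = re.compile(r"https?://[^\s<>\"']+", re.IGNORECASE)

# The report names executables and archives carrying a JavaScript downloader;
# this concrete extension list is an assumption, extend it to local policy.
RISKY_EXTENSIONS = {".exe", ".zip", ".js"}


def classify_mysite_link(url: str):
    """Return details for a MySite link, or None if the URL is not one."""
    parsed = urlparse(url)
    host = (parsed.hostname or "").lower()
    match = MYSITE_HOST_RE.match(host)
    if not match:
        return None
    parts = [p for p in parsed.path.split("/") if p]
    # MySite content lives under /personal/{user}_{business domain}/...
    if len(parts) < 2 or parts[0].lower() != "personal":
        return None
    filename = parts[-1] if len(parts) > 2 else ""
    ext = os.path.splitext(filename)[1].lower()
    return {
        "url": url,
        "tenant": match.group("tenant").lower(),
        "user": parts[1],
        "filename": filename,
        "risky_download": ext in RISKY_EXTENSIONS,
    }


def flag_email(body: str):
    """Collect every MySite link found in an email body, with its classification."""
    findings = []
    for raw in URL_RE.findall(body):
        url = raw.rstrip(".,;:)")  # drop trailing sentence punctuation
        info = classify_mysite_link(url)
        if info:
            findings.append(info)
    return findings


# Constructed sample mail in the style the report describes (tenant and user are made up).
SAMPLE_EMAIL = """\
Hi, please review the attached invoice before Friday.
Download: https://contoso-my.sharepoint.com/personal/j_doe_contoso_com/Documents/Invoice_4471.zip
Our site: https://www.example.com/about
"""
```

Calling `flag_email(SAMPLE_EMAIL)` returns one finding for the `contoso` tenant and user `j_doe_contoso_com`, flagged as a risky download because it serves a `.zip`.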

Employee MySite Accounts Compromised and Deployed to Upload Malware

The generated download links are added in mass-mailing campaigns. Here is an example of an email:


A Microsoft domain is used because it looks trustworthy: users are likely to trust the links and proceed with downloading the files.

Security researchers say that the malware being distributed in this campaign belongs to families such as Dridex and Ursnif, two major banking Trojans. The payloads are distributed as executable files or as archives with a JavaScript downloader inside. Currently, users in Australia and the UK are being targeted, but other countries may be added.


However, researchers could not determine how the attackers compromised the OneDrive for Business accounts. This new type of attack, followed by malware distribution, shows that not only home users but also businesses are at risk.

Such attacks could be extremely harmful to businesses, as malicious hackers can gain access to private data stored in business accounts. Access to various business assets and contacts is also highly likely, researchers warn.

The conclusion?

Attacks on online cloud storage services are a very effective way for cybercriminals to spread malware. As this tactic is already becoming a repeated pattern, cybercriminals are certainly looking for new social engineering techniques to guarantee the success of their attempts.

The abuse of the Microsoft OneDrive for Business service may aid them here. Since it is a well-known business service, malicious download links hosted on such a platform add a layer of “trust” for prospective victims when downloading an unknown file.


As always, users should not open suspicious emails from unknown senders, and they should have a strong anti-malware solution installed on their systems. Businesses should also not underestimate the value of cyber security education; deploying such education is crucial in modern businesses.

Milena Dimitrova
