An ongoing threat campaign dubbed VEILDrive has been observed taking advantage of legitimate services from Microsoft, including Teams, SharePoint, Quick Assist, and OneDrive, as part of its modus operandi.
“Leveraging Microsoft SaaS services — including Teams, SharePoint, Quick Assist, and OneDrive — the attacker exploited the trusted infrastructures of previously compromised organizations to distribute spear-phishing attacks and store malware,” Israeli cybersecurity company Hunters said in a new report.
“This cloud-centric strategy allowed the threat actor to avoid detection by conventional monitoring systems.”
Hunters said it discovered the campaign in September 204 after it responded to a cyber incident targeting a critical infrastructure organization in the United States. It did not disclose the name of the company, instead giving it the designation “Org C.”
The activity is believed to have commenced a month prior, with the attack culminating in the deployment of a Java-based malware that employs OneDrive for command-and-control (C2).
The threat actor behind the operation is said to have sent Teams messages to four employees of Org C by impersonating an IT team member and requesting remote access to their systems via the Quick Assist tool.
What made this initial compromise method stand out is that the attacker utilized a user account belonging to a potential prior victim (Org A), rather than creating a new account for this purpose.
“The Microsoft Teams messages received by the targeted users of Org C were made possible by Microsoft Teams’ ‘External Access’ functionality, which allows One-on-One communication with any external organization by default,” Hunters said.
In the next step, the threat actor shared via the chat a SharePoint download link to a ZIP archive file (“Client_v8.16L.zip”) that was hosted on a different tenant (Org B). The ZIP archive came embedded with, among other files, another remote access tool named LiteManager.
The remote access gained via Quick Assist was then used to create scheduled tasks on the system to periodically execute the LiteManager remote monitoring and management (RMM) software.
Also downloading is a second ZIP file (“Cliento.zip”) using the same method that included the Java-based malware in the form of a Java archive (JAR) and the entire Java Development Kit (JDK) to execute it.
The malware is engineered to connect to an adversary-controlled OneDrive account using hard-coded Entra ID (formerly Azure Active Directory) credentials, using it as a C2 for fetching and executing PowerShell commands on the infected system by using the Microsoft Graph API.
It also packs in a fallback mechanism that initializes an HTTPS socket to a remote Azure virtual machine, which is then utilized to receive commands and execute them under the context of PowerShell.
This is not the first time the Quick Assist program has been used in this manner. Earlier this May, Microsoft warned that a financially motivated cybercriminal group known as Storm-1811 misused Quick Assist features by pretending to be IT professionals or technical support personnel to gain access and drop Black Basta ransomware.
The development also comes weeks after the Windows maker said it has observed campaigns abusing legitimate file hosting services like SharePoint, OneDrive, and Dropbox as means of evading detection.
“This SaaS-dependent strategy complicates real-time detection and bypasses conventional defenses,” Hunters said. “With zero obfuscation and well-structured code, this malware defies the typical trend of evasion-focused design, making it unusually readable and straightforward.”
