Unmasking VEILDrive: How Threat Actors Are Exploiting Microsoft SaaS to Spread Malware

Written by Ryan Kessler | Nov 11, 2024 2:43:09 PM

A sophisticated cyber threat campaign known as "VEILDrive" has been identified using popular Microsoft SaaS services—Teams, SharePoint, Quick Assist, and OneDrive—to carry out its malicious operations.

This approach capitalizes on the trust organizations place in Microsoft's own infrastructure: traffic to Teams, SharePoint and OneDrive is expected on almost every corporate network, so traditional perimeter and reputation-based controls have little to flag.

According to a recent report by Israeli cybersecurity firm Hunters, the attackers have exploited these platforms to launch spear-phishing attacks, host malware, and leverage the infrastructure of previously compromised organizations.

Hunters initially detected the campaign in September 2024 after responding to a breach targeting a U.S.-based critical infrastructure organization, which they anonymized as "Org C."

A Cloud-Centric Approach to Bypass Detection

VEILDrive appears to have been in motion since August 2024, culminating in the deployment of Java-based malware that uses OneDrive for command-and-control (C2).

Hunters noted that this cloud-first approach allowed the threat actors to avoid conventional monitoring systems, illustrating how attackers are increasingly shifting tactics to exploit cloud services as a covert entry point.

To gain initial access, the VEILDrive operators impersonated a legitimate IT team member within Microsoft Teams, sending messages to four employees of Org C. They requested remote access through the Quick Assist tool, using an account associated with a previously compromised organization (Org A) rather than creating a new one.

The attackers abused Teams' "External Access" feature, which lets users in different Microsoft 365 tenants chat with each other by default unless an administrator disables it or restricts it to an allow-list of domains, so the messages arrived looking like an internal IT request.
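The fan-out pattern described above, one account from another tenant opening one-on-one chats with several internal users in a short window, is something a defender can hunt for in Teams audit events. The following is an added example written for this article, not code from Hunters or from the VEILDrive report. Its records are constructed sample data shaped like Microsoft 365 Unified Audit Log `MessageSent` events; the field names follow the Teams audit schema (`Operation`, `CreationTime`, `UserId`, `ChatThreadId`, `CommunicationType`, `ParticipantInfo.HasForeignTenantUsers`) but should be verified against an export from your own tenant, and the domain names, threshold and window are assumptions.

```python
"""Flag an external Teams tenant user fanning out one-on-one chats to many
internal users within a short window.

Records are constructed sample data shaped like Microsoft 365 Unified Audit Log
'MessageSent' events for Teams; verify field names against your own export.
"""
from collections import defaultdict
from datetime import datetime, timedelta

INTERNAL_DOMAINS = {"orgc.example"}   # assumed: the defending tenant's own domains
FANOUT_THRESHOLD = 3                   # distinct external-initiated chats per sender
WINDOW = timedelta(hours=1)


def _record(time, sender, chat, foreign=True, comm="OneOnOne"):
    """Build one constructed audit record (not real data)."""
    return {
        "CreationTime": time,
        "Operation": "MessageSent",
        "UserId": sender,
        "ChatThreadId": chat,
        "CommunicationType": comm,
        "ParticipantInfo": {"HasForeignTenantUsers": foreign},
    }


SAMPLE_RECORDS = [
    # One external account opening chats with four internal users in 15 minutes.
    _record("2024-09-02T09:01:10", "it.support@orga.example", "19:chat-a@unq.gbl.spaces"),
    _record("2024-09-02T09:04:45", "it.support@orga.example", "19:chat-b@unq.gbl.spaces"),
    _record("2024-09-02T09:05:30", "it.support@orga.example", "19:chat-a@unq.gbl.spaces"),  # follow-up, same chat
    _record("2024-09-02T09:09:02", "it.support@orga.example", "19:chat-c@unq.gbl.spaces"),
    _record("2024-09-02T09:16:18", "it.support@orga.example", "19:chat-d@unq.gbl.spaces"),
    # Internal user replying in one of those chats: same flag, but not an external sender.
    _record("2024-09-02T09:06:00", "bob@orgc.example", "19:chat-b@unq.gbl.spaces"),
    # Routine external partner with a single chat, and a purely internal chat.
    _record("2024-09-02T10:30:00", "pm@partner.example", "19:chat-p@unq.gbl.spaces"),
    _record("2024-09-02T11:00:00", "alice@orgc.example", "19:chat-i@unq.gbl.spaces", foreign=False),
]


def external_fanout(records, internal_domains=INTERNAL_DOMAINS,
                    threshold=FANOUT_THRESHOLD, window=WINDOW):
    """Return one alert per external sender who started >= threshold distinct
    one-on-one chats with this tenant inside any window-sized span of time."""
    first_seen = defaultdict(dict)  # sender -> {chat_id: time of first message}
    for r in records:
        if r.get("Operation") != "MessageSent" or r.get("CommunicationType") != "OneOnOne":
            continue
        if not r.get("ParticipantInfo", {}).get("HasForeignTenantUsers"):
            continue
        sender = r["UserId"].lower()
        if sender.rsplit("@", 1)[-1] in internal_domains:
            continue  # an internal user's message inside a cross-tenant chat
        t = datetime.fromisoformat(r["CreationTime"])
        chats = first_seen[sender]
        if r["ChatThreadId"] not in chats or t < chats[r["ChatThreadId"]]:
            chats[r["ChatThreadId"]] = t

    alerts = []
    for sender, chats in first_seen.items():
        starts = sorted(chats.values())
        best, j = 0, 0
        for i, t0 in enumerate(starts):  # two-pointer sliding window over chat start times
            while j < len(starts) and starts[j] - t0 <= window:
                j += 1
            best = max(best, j - i)
        if best >= threshold:
            alerts.append({"sender": sender, "distinct_chats": best,
                           "window_minutes": int(window.total_seconds() // 60)})
    return alerts


if __name__ == "__main__":
    for alert in external_fanout(SAMPLE_RECORDS):
        print(alert)
```

Counting the first message per chat rather than every message keeps a chatty but legitimate partner from tripping the rule, while the sliding window catches the burst even when the sender spaces the approaches out over an hour. Tune the threshold to how often genuine external accounts open several new chats into your tenant.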

Exploiting Microsoft SaaS for Malware Distribution

After gaining the initial foothold, the attacker shared a SharePoint link in the Teams chat, directing victims to download a ZIP file ("Client_v8.16L.zip") hosted in another organization's SharePoint (Org B). The archive contained the LiteManager remote monitoring and management (RMM) tool, which the attackers kept running through scheduled tasks created on the compromised system so that it executed periodically.
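Scheduled-task persistence of this kind leaves a reviewable artifact: the task definition, which `schtasks /query /tn <name> /xml` exports as XML. The following is an added example for this article, not code from Hunters or the report, that triages exported task definitions for the combination described above, a binary under a user-writable path that is re-run on a repetition interval. Both task definitions are constructed sample data; the LiteManager-style file name, the task name and the folder are assumptions for illustration, not indicators taken from the report.

```python
"""Triage exported Windows scheduled tasks for binaries in user-writable paths
that are re-run on a repetition interval.

The task XML below is constructed sample data in the shape produced by
`schtasks /query /tn <name> /xml`; names and paths are assumptions.
"""
import re
import xml.etree.ElementTree as ET

NS = {"t": "http://schemas.microsoft.com/windows/2004/02/mit/task"}

# Paths a standard user can write to. Environment variables that expand into a
# user profile or temp directory are treated as writable without expanding them.
USER_WRITABLE = re.compile(
    r"\\users\\[^\\]+\\|\\appdata\\|\\temp\\|\\programdata\\"
    r"|%(?:temp|tmp|appdata|localappdata|userprofile|public)%",
    re.IGNORECASE,
)

# Constructed sample: a task re-running a binary from Downloads every 10 minutes.
SUSPECT_TASK = """<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <RegistrationInfo><URI>\\Client_Update</URI></RegistrationInfo>
  <Triggers>
    <TimeTrigger>
      <Repetition><Interval>PT10M</Interval><StopAtDurationEnd>false</StopAtDurationEnd></Repetition>
      <StartBoundary>2024-09-02T10:00:00</StartBoundary>
      <Enabled>true</Enabled>
    </TimeTrigger>
  </Triggers>
  <Actions Context="Author">
    <Exec>
      <Command>"C:\\Users\\jdoe\\Downloads\\Client_v8.16L\\ROMServer.exe"</Command>
    </Exec>
  </Actions>
</Task>"""

# Constructed sample: a built-in maintenance task running from the system directory.
BENIGN_TASK = """<Task version="1.4" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <RegistrationInfo><URI>\\Microsoft\\Windows\\Defrag\\ScheduledDefrag</URI></RegistrationInfo>
  <Triggers>
    <CalendarTrigger>
      <StartBoundary>2024-01-01T01:00:00</StartBoundary>
      <ScheduleByWeek><WeeksInterval>1</WeeksInterval><DaysOfWeek><Wednesday /></DaysOfWeek></ScheduleByWeek>
    </CalendarTrigger>
  </Triggers>
  <Actions Context="Author">
    <Exec>
      <Command>%windir%\\system32\\defrag.exe</Command>
      <Arguments>-c -h -k -g</Arguments>
    </Exec>
  </Actions>
</Task>"""


def iso_duration_seconds(value):
    """Convert the ISO 8601 durations Task Scheduler uses (PT10M, P1DT2H) to seconds."""
    m = re.fullmatch(r"P(?:(\d+)D)?(?:T(?:(\d+)H)?(?:(\d+)M)?(?:(\d+)S)?)?", value.strip())
    if not m:
        raise ValueError(f"unrecognized duration: {value!r}")
    d, h, mi, s = (int(g) if g else 0 for g in m.groups())
    return d * 86400 + h * 3600 + mi * 60 + s


def assess_task(task_xml):
    """Summarize one task: its command, whether that lives in a user-writable
    path, and any repetition intervals. Exported task files are UTF-16, so pass
    the bytes read from disk, or a str with the XML declaration removed."""
    root = ET.fromstring(task_xml)
    command = (root.findtext("t:Actions/t:Exec/t:Command", default="", namespaces=NS) or "").strip().strip('"')
    intervals = []
    triggers = root.find("t:Triggers", NS)
    if triggers is not None:
        for trigger in triggers:
            interval = trigger.findtext("t:Repetition/t:Interval", namespaces=NS)
            if interval:
                intervals.append(iso_duration_seconds(interval))
    writable = bool(USER_WRITABLE.search(command))
    severity = "high" if writable and intervals else "medium" if writable else "low"
    return {
        "name": root.findtext("t:RegistrationInfo/t:URI", default="(unnamed)", namespaces=NS),
        "command": command,
        "user_writable_path": writable,
        "repeat_intervals_s": intervals,
        "severity": severity,
    }


def triage(task_xmls):
    """Return the assessments worth a look, highest severity first."""
    order = {"high": 0, "medium": 1, "low": 2}
    results = [assess_task(x) for x in task_xmls]
    return sorted((r for r in results if r["severity"] != "low"), key=lambda r: order[r["severity"]])


if __name__ == "__main__":
    for result in triage([BENIGN_TASK, SUSPECT_TASK]):
        print(result)
```

A command path under a user profile is the strongest signal here, because legitimate software installed by an administrator rarely lives there; the repetition interval turns a "medium" into a "high" since it is what keeps the RMM tool alive across reboots and process kills. Running the triage over every exported task on a host gives a short list to check by hand.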

The VEILDrive campaign also involved deploying a second ZIP file ("Cliento.zip") containing Java-based malware bundled with the Java Development Kit (JDK) it needs to run. The malware authenticates to an attacker-controlled OneDrive account with hard-coded Entra ID (formerly Azure Active Directory) credentials and uses it as a C2 channel, fetching commands through the Microsoft Graph API and executing them with PowerShell.

As a fallback, the malware opens an HTTPS connection to a remote Azure virtual machine and receives and executes commands through PowerShell over that channel instead. Having two channels lets the attacker retain access to infected systems even if one C2 method is disrupted.
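Both channels described above are hard to spot by destination alone, since Graph traffic is expected on every managed endpoint, but they leave behavioural traces: Graph and Entra ID token traffic from a process that has no business talking to them (a `java.exe` unpacked into a user profile), and a polling loop whose connection timing is too regular to be a human or a sync client. The following is an added example for this article, not code from Hunters or from the report, that runs both detections over constructed endpoint network telemetry. Every event, process path and address is constructed sample data, and the allow-list of expected Microsoft client paths is an assumption to tune per environment.

```python
"""Two detections over endpoint network telemetry (process image, destination,
timestamp): Graph/Entra traffic from an unexpected process, and low-jitter
periodic connections to a single destination.

All events, paths and addresses are constructed sample data; the allow-list of
expected client paths is an assumption.
"""
from collections import defaultdict
from datetime import datetime, timedelta
from statistics import mean, pstdev

GRAPH_HOSTS = {"graph.microsoft.com", "login.microsoftonline.com"}

# Process images expected to reach Graph/Entra from a workstation (assumed list,
# matched as case-insensitive substrings of the full image path).
EXPECTED_GRAPH_CLIENTS = (
    r"\program files\microsoft onedrive\onedrive.exe",
    r"\appdata\local\microsoft\onedrive\onedrive.exe",
    r"\program files\microsoft office",
    r"\microsoft\edge\application\msedge.exe",
    r"\ms-teams.exe",
)
MIN_CONNECTIONS = 5   # connections needed before judging periodicity
MAX_JITTER = 0.15     # pstdev/mean of inter-arrival gaps; below this looks machine-driven

HOST = "WS-ORGC-17"
JAVA = r"C:\Users\jdoe\Downloads\Cliento\jdk\bin\java.exe"
ONEDRIVE = r"C:\Program Files\Microsoft OneDrive\OneDrive.exe"
EDGE = r"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
T0 = datetime(2024, 9, 2, 10, 0, 0)


def _events(image, dest, offsets_s):
    """Constructed connection events at the given second offsets from T0."""
    return [{"host": HOST, "image": image, "dest": dest, "ts": T0 + timedelta(seconds=o)}
            for o in offsets_s]


SAMPLE_EVENTS = (
    # Implant polling OneDrive through Graph roughly every minute, plus one token request.
    _events(JAVA, "graph.microsoft.com", [0, 62, 119, 181, 240, 303, 358, 421])
    + _events(JAVA, "login.microsoftonline.com", [-3])
    # Fallback channel: every ~30 s to a fixed address (RFC 5737 documentation range).
    + _events(JAVA, "203.0.113.25", [5, 35, 66, 95, 126, 155])
    # Legitimate OneDrive sync and browser sign-in traffic at irregular intervals.
    + _events(ONEDRIVE, "graph.microsoft.com", [0, 37, 412, 1000, 1090, 1800])
    + _events(EDGE, "login.microsoftonline.com", [15, 900])
)


def graph_from_unexpected_process(events):
    """Alert on Graph/Entra traffic whose source image is not an expected client."""
    alerts = {}
    for e in events:
        if e["dest"] not in GRAPH_HOSTS:
            continue
        image = e["image"].lower()
        if any(expected in image for expected in EXPECTED_GRAPH_CLIENTS):
            continue
        alert = alerts.setdefault((e["host"], image), {
            "kind": "graph_from_unexpected_process", "host": e["host"],
            "image": e["image"], "dests": set(), "connections": 0})
        alert["dests"].add(e["dest"])
        alert["connections"] += 1
    return list(alerts.values())


def beacons(events, min_connections=MIN_CONNECTIONS, max_jitter=MAX_JITTER):
    """Alert on (host, image, dest) series whose inter-arrival gaps are nearly constant."""
    series = defaultdict(list)
    for e in events:
        series[(e["host"], e["image"], e["dest"])].append(e["ts"])
    alerts = []
    for (host, image, dest), times in series.items():
        if len(times) < min_connections:
            continue
        times.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        period = mean(gaps)
        if period <= 0:
            continue
        jitter = pstdev(gaps) / period
        if jitter <= max_jitter:
            alerts.append({"kind": "beacon", "host": host, "image": image, "dest": dest,
                           "connections": len(times), "period_s": round(period, 1),
                           "jitter": round(jitter, 3)})
    return alerts


def detect(events):
    """Run both detectors over the same telemetry and return every alert."""
    return graph_from_unexpected_process(events) + beacons(events)


if __name__ == "__main__":
    for alert in detect(SAMPLE_EVENTS):
        print(alert)
```

On the sample data the implant trips all three alerts (Graph from an unexpected process, a one-minute beacon to `graph.microsoft.com`, and a thirty-second beacon to the fallback address), while the real OneDrive client, which talks to the same Graph endpoint, produces none because its timing is irregular. In production the process allow-list is the part that needs care: keep it to full image paths of signed Microsoft binaries, not bare file names, since nothing stops an attacker from naming a dropped JDK `OneDrive.exe`.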

SaaS-Based Evasion Techniques

This isn't the first time Quick Assist has been used in this manner. In May 2024, Microsoft warned about Storm-1811, a financially motivated cybercriminal group that impersonated IT staff and used Quick Assist to deploy Black Basta ransomware.

As Microsoft noted recently, legitimate file-sharing platforms like SharePoint and OneDrive are increasingly being leveraged by attackers to evade detection. VEILDrive's straightforward, unobfuscated code shows that attackers can achieve persistence and evade detection by weaponizing legitimate SaaS services rather than by writing sophisticated malware, a troubling trend in today's cyber landscape.

VEILDrive is a stark reminder that attackers are actively seeking novel ways to abuse legitimate SaaS platforms, and that organizations need to monitor trusted cloud services for misuse rather than treat traffic to them as implicitly safe.