OneDrive File Download Phishing (email containing password to document)

Threat Level: Medium
Threat Type: Phishing
Advisory Date: 07/13/2023

Description

The University has been receiving malicious replies to previously existing email chains from known addresses.

When an email account is compromised, the attacker replies to existing conversations in that mailbox with a link to a malicious OneDrive file.  The link leads to the download of a password-protected (encrypted) file, and the file's password is given in the body of the email.  Because the file is encrypted, mail and antivirus scanners cannot inspect its contents before delivery; only the recipient, using the password from the message, can open it.

Once the file is downloaded, decrypted and run, it installs remote access software and begins scanning the network for further targets.

Because this phishing attack arrives as a reply to an existing email conversation, it can be personal and specific to the department or individual, which makes it difficult to detect.  Such messages are often received by only a single user and can easily go unnoticed by the security team.

We suggest that users take extra care when receiving OneDrive links by email and avoid any email that links to a password-protected file download, especially when the password is supplied in the same message.

Example Email:

From: John Smith <KnownUser@Domain.com>
To: Regina.User@uregina.ca
Subject: Re: Previously Received Email
Contents:
Hi there,

I do think you are interested in this data. Please remember to find it in the following link.

https://onedrive.live.com/download?cid=992F9FC57989DED4&resid=992F9FC57989DED4%21105&authkey=ANlvSdNH7ZokYco

File password: BK4565
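As an added example (not part of the original advisory), the following Python script shows how a mail gateway or SOC triage rule could flag the pattern described above: a reply whose body contains a OneDrive download link together with a file password. The sample messages are constructed here to mirror the example email; the regular expressions, verdict names and thresholds are assumptions for illustration, not a Sophos or Microsoft rule.

```python
"""Flag reply-chain phishing that pairs a OneDrive download link with a file password."""
import email
import re
from email import policy

# Constructed samples modelled on the advisory's example email (not real captures).
SAMPLE_PHISH = """\
From: John Smith <KnownUser@Domain.com>
To: Regina.User@uregina.ca
Subject: Re: Previously Received Email
Content-Type: text/plain; charset=utf-8

Hi there,

I do think you are interested in this data. Please remember to find it in the following link.

https://onedrive.live.com/download?cid=992F9FC57989DED4&resid=992F9FC57989DED4%21105&authkey=ANlvSdNH7ZokYco

File password: BK4565
"""

# A reply with a OneDrive link but no password: worth a look, not an automatic block.
SAMPLE_SHARE = """\
From: Jane Doe <Jane.Doe@uregina.ca>
To: Regina.User@uregina.ca
Subject: Re: Grant report
Content-Type: text/plain; charset=utf-8

Draft is here: https://1drv.ms/w/s!ExampleShareId
"""

# An ordinary reply with no file link at all.
SAMPLE_BENIGN = """\
From: Jane Doe <Jane.Doe@uregina.ca>
To: Regina.User@uregina.ca
Subject: Re: Budget meeting
Content-Type: text/plain; charset=utf-8

See you Thursday at 10.
"""

# Hypothetical detection patterns (assumptions, tune for your environment).
ONEDRIVE_LINK = re.compile(
    r"https?://(?:[\w.-]+\.)?(?:onedrive\.live\.com|1drv\.ms)/\S+", re.I)
PASSWORD_HINT = re.compile(
    r"\b(?:file\s+|archive\s+|zip\s+)?(?:password|passcode)\s*(?:is|[:=])\s*\S+", re.I)
REPLY_PREFIXES = ("re:", "fw:", "fwd:")


def extract_text(msg) -> str:
    """Return the plain-text body (falling back to HTML) of a parsed message."""
    part = msg.get_body(preferencelist=("plain", "html"))
    return part.get_content() if part is not None else ""


def score_message(raw: str) -> dict:
    """Parse one RFC 5322 message and return the signals found plus a verdict."""
    msg = email.message_from_string(raw, policy=policy.default)
    text = extract_text(msg)
    subject = (msg.get("Subject") or "").strip().lower()
    signals = {
        "is_reply": subject.startswith(REPLY_PREFIXES),
        "onedrive_link": bool(ONEDRIVE_LINK.search(text)),
        "password_in_body": bool(PASSWORD_HINT.search(text)),
    }
    # Link plus password in the same body is the lure described in the advisory:
    # the password exists precisely so that scanners cannot open the file.
    if signals["onedrive_link"] and signals["password_in_body"]:
        verdict = "quarantine"
    # A bare OneDrive link inside a reply thread is common but worth human review.
    elif signals["onedrive_link"] and signals["is_reply"]:
        verdict = "review"
    else:
        verdict = "allow"
    return {"verdict": verdict, **signals}


if __name__ == "__main__":
    for name, raw in (("phish", SAMPLE_PHISH), ("share", SAMPLE_SHARE), ("benign", SAMPLE_BENIGN)):
        print(name, score_message(raw))
```

The rule deliberately keys on the combination of link and password rather than on OneDrive alone, since legitimate OneDrive sharing inside a reply thread is routine; it would be paired with the account-compromise signals (unusual login location, new inbox rules) that the mail platform already exposes.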

Impact

This style of phishing attack can be successful because it arrives as a reply within a legitimate email thread, from an address the recipient already knows.

To date, we believe that our Sophos AntiVirus software has been successful in blocking the attack.  This may not be the case in the future.

Should an attack succeed, it's likely that a threat actor will gain remote access to an affected system and attempt to compromise further systems within the network.

Resolution

The email can be reported to the IT Support Centre and then deleted.

If you are uncertain about the legitimacy of an email message, forward the email message as an attachment to the IT Support Centre for verification.

If you have opened an attachment, or downloaded and run the linked file, please contact the IT Support Centre.

Resources

Please contact the IT Support Centre if you have any questions or require assistance:
Email IT.Support@uregina.ca
Phone 306-585-4685
Webform https://www.uregina.ca/is/forms/ticket.html
In Person at ED 137 or Archer Library Commons


Report malicious OneDrive files to Microsoft:

https://www.microsoft.com/en-ca/concern/onedrive