Security firm Hunters has uncovered a sophisticated phishing campaign, dubbed “VEILDrive,” which leverages multiple Microsoft services as command-and-control (C2) infrastructure. The campaign, suspected to be of Russian origin, has been active since early August 2024 and remains ongoing.
The VEILDrive campaign was first detected in September 2024 following an attack response at a US critical infrastructure entity. Researchers traced the attack to early August, revealing a complex infrastructure exploitation tactic involving Microsoft services like Teams, SharePoint, Quick Assist, OneDrive, and Azure AD. Through these platforms, the threat actors orchestrated spear-phishing attacks, hosted malicious files, and conducted C2 communications.
What sets VEILDrive apart from typical threat campaigns is its extensive use of Microsoft Software as a Service (SaaS) applications for C2 purposes.
Microsoft Teams was employed to deliver spear-phishing messages that enticed victims to download and run a remote management tool. Quick Assist codes were then sent via Teams messages to secure initial remote access.
SharePoint was used as a distribution hub: malicious files were hosted on a compromised tenant ("Org B") and shared with other organizations ("Org C") through SharePoint links. Once a victim downloaded such a file, the attacker could gain remote access to the target through Quick Assist.
A unique C2 method leveraged OneDrive for remote command execution. The threat actors used OneDrive to gain capabilities like taking screenshots, uploading/downloading files, and executing commands on compromised devices.
The attackers used an Azure VM for HTTPS socket C2 communications. Additionally, they leveraged an Azure AD application to authenticate their own user accounts, gaining access to the OneDrive home folders of compromised accounts.
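From a defender's side, the OneDrive access pattern described above (one application identity reading the home folders of several compromised accounts) is something a SOC can hunt for. The following is an added example, not code from Hunters or from the report; it assumes a simplified, constructed event schema (fields ts, app_id, user, path) rather than Microsoft's real audit log format, and the 15-minute window and three-user threshold are tuning assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta
import json

# Constructed sample events in a simplified, made-up schema (not Microsoft's real
# audit log format). One app identity reads three users' OneDrive folders within
# a few minutes; a second app repeatedly touches a single user's folder.
SAMPLE_LOG = """\
{"ts": "2024-08-05T10:00:00Z", "app_id": "app-0001", "user": "alice@example.test", "path": "/personal/alice/cmd.txt"}
{"ts": "2024-08-05T10:02:00Z", "app_id": "app-0001", "user": "bob@example.test", "path": "/personal/bob/cmd.txt"}
{"ts": "2024-08-05T10:03:30Z", "app_id": "app-0001", "user": "carol@example.test", "path": "/personal/carol/cmd.txt"}
{"ts": "2024-08-05T10:05:00Z", "app_id": "app-0001", "user": "alice@example.test", "path": "/personal/alice/out.txt"}
{"ts": "2024-08-05T11:00:00Z", "app_id": "app-0002", "user": "dave@example.test", "path": "/personal/dave/report.docx"}
{"ts": "2024-08-05T11:20:00Z", "app_id": "app-0002", "user": "dave@example.test", "path": "/personal/dave/report.docx"}
"""


def parse_events(text: str) -> list[dict]:
    """Parse newline-delimited JSON events and convert the timestamp to a datetime."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ev = json.loads(line)
        ev["ts"] = datetime.fromisoformat(ev["ts"].replace("Z", "+00:00"))
        events.append(ev)
    return events


def apps_touching_many_users(events, window=timedelta(minutes=15), min_users=3) -> dict[str, set[str]]:
    """Return {app_id: users} for application identities whose OneDrive access spans
    at least `min_users` distinct users' folders inside any `window`-long interval.
    Thresholds are assumptions; tune them to the tenant's normal app behaviour."""
    by_app = defaultdict(list)
    for ev in events:
        by_app[ev["app_id"]].append(ev)
    flagged: dict[str, set[str]] = {}
    for app_id, evs in by_app.items():
        evs.sort(key=lambda e: e["ts"])
        start = 0  # left edge of the sliding time window
        for end, ev in enumerate(evs):
            while ev["ts"] - evs[start]["ts"] > window:
                start += 1
            users = {e["user"] for e in evs[start:end + 1]}
            if len(users) >= min_users:
                flagged[app_id] = flagged.get(app_id, set()) | users
    return flagged


if __name__ == "__main__":
    for app_id, users in apps_touching_many_users(parse_events(SAMPLE_LOG)).items():
        print(f"ALERT: {app_id} accessed OneDrive folders of {sorted(users)}")
```

Against the constructed sample, only app-0001 is flagged; a legitimate single-user sync client such as app-0002 stays below the threshold.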
Those interested in the more detailed technical analysis of the threat campaign can read Hunters’ report here.