New phishing campaign harnesses Discord CDN link for RAT delivery

Hackread reports that Microsoft 365 users have been targeted by a novel phishing campaign that abuses Discord CDN links to distribute the Atera and Splashtop remote monitoring and management (RMM) tools under the guise of a fake OneDrive attachment.

Using a breached account, threat actors sent a malicious email purporting to be a OneDrive file-sharing notification. Its file download link redirects to a malicious installer file hosted on Discord CDN, which installs the Atera, Splashtop Streamer, and .NET Runtime 8 apps, software that could facilitate data exfiltration, machine encryption, and further compromise, an analysis from Sublime Security revealed. Aside from not being flagged because they are downloaded from legitimate sources, the Atera and Splashtop RMM installations give attackers continued control of impacted devices even if one of the two RMM tools is eventually discovered, said researchers.
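
For mail defenders, the lure described above can be checked for mechanically: a OneDrive-themed message whose link actually resolves to Discord CDN. The following Python sketch is an added example, not code from Sublime Security or Hackread; the hostnames, installer extensions, function name and sample message are assumptions constructed for illustration.

```python
import email
from email import policy
from html.parser import HTMLParser
from urllib.parse import urlparse

# Assumptions, not from the article: CDN hostnames and installer extensions.
DISCORD_CDN_HOSTS = {"cdn.discordapp.com", "media.discordapp.net"}
INSTALLER_EXTS = (".msi", ".exe")

class _Links(HTMLParser):
    """Collect (href, visible text) for every <a> element."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href"), []
    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)
    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None

def find_onedrive_lure_links(raw_message: str):
    """Return links in a OneDrive-themed mail that point at Discord CDN."""
    msg = email.message_from_string(raw_message, policy=policy.default)
    body = msg.get_body(preferencelist=("html",))
    html = body.get_content() if body else ""
    themed = "onedrive" in (str(msg["Subject"] or "") + html).lower()
    parser, findings = _Links(), []
    parser.feed(html)
    for href, text in parser.links:
        url = urlparse(href)
        if themed and (url.hostname or "").lower() in DISCORD_CDN_HOSTS:
            findings.append({"href": href, "text": text,
                             "installer": url.path.lower().endswith(INSTALLER_EXTS)})
    return findings

# Constructed sample message (placeholder path, not an indicator from the report).
SAMPLE = """From: colleague@example.com
Subject: A file was shared with you on OneDrive
Content-Type: text/html; charset=utf-8

<html><body><p>Open the shared document:</p>
<a href="https://cdn.discordapp.com/attachments/0/0/Document.msi">View in OneDrive</a>
<a href="https://onedrive.live.com/">OneDrive home</a></body></html>
"""
```

Because the campaign was sent from a breached account, sender reputation alone would not flag it; the mismatch between the claimed brand and the link host is the signal this check relies on.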
