Microsoft Outlook targeted by new malware attacks allowing sneaky hijacking

News
By published

Even draft emails can be used in attacks

Illustration of a laptop with a magnifying glass exposing a beetle on-screen
(Image credit: Shutterstock / Kanoktuch)
  • Security researchers spot new piece of malware called FinalDraft
  • It gets commands from a drafted email
  • It can exfiltrate data, run PowerShell, and more

Cybersecurity researchers from Elastic Security Labs have discovered a new piece of malware which abuses draft email messages in Outlook for data exfiltration, PowerShell execution, and more.

The malware is part of a wider toolkit used in a campaign called REF7707 targeting government organizations in South America, and Southeast Asia.

As per the researchers, the toolkit comprises a couple of tools: a loader called PathLoader, the malware called FinalDraft, and multiple post-exploitation utilities.

Speeding up

The attack starts with the victim somehow being exposed to the loader. While the researchers don’t detail how that happens, it’s safe to assume the usual channels: phishing, social engineering, fake cracks to commercial software, and similar.

The loader installs FinalDraft, which establishes a communications channel through Microsoft Graph API. It does so by using Outlook email drafts. It proceeds to receive an OAuth token from Microsoft, using a refresh token embedded in its configuration. It stores it in the Windows Registry, allowing cybercriminals persistent access to the compromised endpoint.

The malware allows the attackers to perform a whole swathe of commands, including exfiltrating sensitive data, creating covert network tunnels, tampering with local files, executing PowerShell, and more. After performing these commands, the malware deletes them, making analysis even harder.

The researchers found the malware on a computer belonging to a foreign ministry in South America. However, after analyzing its infrastructure, Elastic has seen links to victims in Southeast Asia, as well. The campaign targets both Windows and LInux devices.

The attack was not linked to any known threat actors, so we don’t know if this was a state-sponsored play or not. However, given that the goal seems to be espionage, it’s safe to assume nation-state attacks. In-depth analysis, including detection mechanisms, mitigations, and YARA rules, can be found on this link.

You might also like

TOPICS
Sead Fadilpašić

Sead is a seasoned freelance journalist based in Sarajevo, Bosnia and Herzegovina. He writes about IT (cloud, IoT, 5G, VPN) and cybersecurity (ransomware, data breaches, laws and regulations). In his career, spanning more than a decade, he’s written for numerous media outlets, including Al Jazeera Balkans. He’s also held several modules on content writing for Represent Communications.

You must confirm your public display name before commenting

Please logout and then login again, you will then be prompted to enter your display name.

Read more
Outlook
Dangerous Microsoft Outlook flaw could let hackers send out malware via email
A digital representation of a lock
Security experts are being targeted with fake malware discoveries
A fish hook is lying across a computer keyboard, representing a phishing attack on a computer system
Microsoft 365 accounts are under attack from new malware spoofing popular work apps
Trojan
Microsoft warns of a devious new RAT malware which can avoid detection with apparent ease
Shutterstock.com / kanlaya wanon
Microsoft Teams abused in Russian email bombing ransomware campaign
Image depicting hands typing on a keyboard, with phishing hooks holding files, passwords and credit cards.
Microsoft warns about a new phishing campaign impersonating Booking.com
Latest in Security
Hacker silhouette working on a laptop with North Korean flag on the background
North Korea unveils new military unit targeting AI attacks
An image of network security icons for a network encircling a digital blue earth.
US government warns agencies to make sure their backups are safe from NAKIVO security issue
Laptop computer displaying logo of WordPress, a free and open-source content management system (CMS)
This top WordPress plugin could be hiding a worrying security flaw, so be on your guard
Computer Hacked, System Error, Virus, Cyber attack, Malware Concept. Danger Symbol
Veeam urges users to patch security issues which could allow backup hacks
UK Prime Minister Sir Kier Starmer
The UK releases timeline for migration to post-quantum cryptography
Representational image depecting cybersecurity protection
Cisco smart licensing system sees critical security flaws exploited
Latest in News
Ray-Ban Meta Smart Glasses
Samsung's rumored smart specs may be launching before the end of 2025
Apple iPhone 16 Review
The latest iPhone 18 leak hints at a major chipset upgrade for all four models
Quordle on a smartphone held in a hand
Quordle hints and answers for Monday, March 24 (game #1155)
NYT Strands homescreen on a mobile phone screen, on a light blue background
NYT Strands hints and answers for Monday, March 24 (game #386)
NYT Connections homescreen on a phone, on a purple background
NYT Connections hints and answers for Monday, March 24 (game #652)
Quordle on a smartphone held in a hand
Quordle hints and answers for Sunday, March 23 (game #1154)
More about security
Hacker silhouette working on a laptop with North Korean flag on the background

North Korea unveils new military unit targeting AI attacks

Laptop computer displaying logo of WordPress, a free and open-source content management system (CMS)

This top WordPress plugin could be hiding a worrying security flaw, so be on your guard
Compal Infinite Laptop

This laptop has a horizontal rollable display that extends to 18 inches, and I can't wait to try it
See more latest
Most Popular
Compal Infinite Laptop
This laptop has a horizontal rollable display that extends to 18 inches, and I can't wait to try it
Silicon Motion MonTian 128TB SSD
More 128TB SSDs on the way, but they won't be cheaper: Key maker of NAND flash controllers says 128TB SSDs are shipping
Toshiba HDD Innovation Lab
How to make hard drives faster? Simple, just bunch dozens of them together, Toshiba says
Asus Ascent GX10
Asus debuts its own mini AI supercomputer: Ascent GX10 costs $2999 and comes with Nvidia's GB10 Grace Blackwell Superchip
Ray-Ban Meta Smart Glasses
Samsung's rumored smart specs may be launching before the end of 2025
Quordle on a smartphone held in a hand
Quordle hints and answers for Monday, March 24 (game #1155)
NYT Connections homescreen on a phone, on a purple background
NYT Connections hints and answers for Monday, March 24 (game #652)
NYT Strands homescreen on a mobile phone screen, on a light blue background
NYT Strands hints and answers for Monday, March 24 (game #386)
Apple iPhone 16 Review
The latest iPhone 18 leak hints at a major chipset upgrade for all four models
Micron SOCAMM memory module
World's biggest RAM vendors develop superior memory form factor exclusively for Nvidia, sorry Intel and AMD