VEILDrive - New Threat Campaign - Microsoft Apps/Services abuse for C&C

Incident Report for Rapid Response Status Page

Resolved

Dear customers,

Following our latest update, we continued with the threat-focused hunting efforts, looking for potential hits using the TTPs and IOCs we had from the research conducted for the VEILDrive threat campaign.

AXON reports have been published for AXON customers, including more details regarding the campaign and recommended action items.
Relevant hits that require your attention will be mentioned in the AXON report.

It's also important to mention that a detailed blog post that includes in-depth technical details about the campaign will be published on Hunters' website in the coming days.

Please feel free to reach out in case of any follow-up questions.

Sincerely,
Team Axon.
Posted Nov 03, 2024 - 20:44 UTC

Investigating

Dear customers,

Team AXON discovered an on-going campaign, dubbed “VEILDrive”, in which a threat actor uses a combination of common and sophisticated techniques, including phishing via Microsoft Teams and luring victims into providing initial access using remote management tools, followed by additional TTPs, including the deployment of a unique malware that abuses Microsoft services for command and control purposes.
A threat-focused threat hunt related to this campaign is now on-going. In case of any significant finding that requires your attention, we’ll of course reach out.

An AXON report will be available for all of our AXON customers as soon as the Rapid Response efforts are concluded.
Please don’t hesitate to contact us in case of any questions.

Sincerely,
Team AXON.
Posted Oct 31, 2024 - 19:50 UTC
This incident affected: Rapid Response.