
Researchers on Tuesday detected a low volume of compromised emails distributing the Emotet trojan that were sent via Microsoft OneDrive URLs.

In a blog post, Proofpoint researchers said the attack’s low volume and the use of OneDrive URLs and XLL files were a departure from Emotet’s typical behaviors and indicate that the group has been testing new attack techniques on a small scale before adopting them for larger campaigns. The researchers say these new tactics, techniques and procedures may indicate that Emotet is now engaged in more selective and limited attacks in concert with the typical massive-scale email campaigns.

The Proofpoint researchers describe Emotet as a prolific botnet and trojan that targets Windows platforms to distribute follow-on malware. It was considered one of the most prolific cybercriminal threats before its disruption by global law enforcement in January 2021. In November 2021, 10 months after its disappearance from the threat landscape, Proofpoint observed a reemergence of the notorious botnet.

Proofpoint's research is consistent with attacks that have been observed in several cases where default Microsoft 365 settings are abused to facilitate the delivery of ransomware, said Aaron Turner, vice president of SaaS Posture at Vectra. Turner said it’s important to note that both SharePoint Online and OneDrive share security configuration options.

"When we have run our security assessment on our customers' tenants, we look to assure that malicious file blocking is set consistently across SharePoint Online, OneDrive and Exchange Online,” Turner said. "If they are not consistently configured, there are cases where malicious files can be loaded to one service that then bypasses controls in the others. Infected file restrictions along with specific file-type blocking within OneDrive and SharePoint are critical settings that must be monitored and maintained. In some instances we have observed attackers disabling these settings prior to their efforts to distribute ransomware through Microsoft cloud services.”

Mike Parkin, senior technical engineer at Vulcan Cyber, said threat actors are always evolving their tools and tactics, and this is good evidence of them doing exactly that. Parkin said switching delivery methods and payload specifics is a response to improvements on the defender’s part, while the low volume indicates a field test before committing to a larger-scale offensive deployment.

“While it is possible we are seeing a change in strategy, rather than a test phase, a future change in attack volume will answer that question,” said Parkin.