The attacks target organizations across multiple sectors in Canada, the United States, Hong Kong, Europe, and more, and have seen low detection rates in Google’s VirusTotal scanning engine.
Dubbed MirrorBlast, the campaign started in early September, following similar activity in April 2021, Morphisec’s security researchers reveal.
The infection chain starts with a malicious document delivered using phishing emails and later on moves to using the Google feedproxy URL, employing SharePoint and OneDrive lures masquerading as file share requests.
