Several users received an email notification allegedly from Craigslist warning them that an ad they had posted included “inappropriate content,” thus violating Craigslist’s terms and conditions. The recipients were given instructions to prevent their accounts from being deleted.
Clicking on a button in the email was supposed to take people to a form document that had been uploaded to an actual Microsoft OneDrive site. Users were told to click on a download link to obtain the form, fill it out, and then send it to an email address of [email protected]
In actuality, clicking on the link downloaded a zip file that, when uncompressed, triggered a macro-enabled Excel spreadsheet. The spreadsheet spoofed DocuSign and used Norton and Microsoft logos to suggest that the file was safe. Anyone who clicked on the commands for Enable Editing and Enable Content bypassed Microsoft Office security and allowed the macros to be executed.
The malware also tried to connect to other websites to download more components or exfiltrate data.
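For mail or endpoint triage, the delivery chain described above (a zip whose member is a macro-enabled spreadsheet) can be checked before anyone opens the file. The following is an added example, not code from Inky or from the original article; the function names `find_macro_documents` and `build_sample` and the sample file names are assumptions made for illustration, and the sample archives are constructed in memory.

```python
import io
import zipfile

# Extensions Office uses for macro-capable OOXML files.
MACRO_EXTS = (".xlsm", ".xlsb", ".xltm", ".xlam", ".docm", ".dotm", ".pptm")
MAX_MEMBER_BYTES = 20 * 1024 * 1024  # oversized members are skipped, not expanded


def find_macro_documents(archive_bytes):
    """Return [(member_name, reason)] for Office files in a zip that may carry VBA."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(archive_bytes)) as outer:
        for info in outer.infolist():
            if info.is_dir() or info.file_size > MAX_MEMBER_BYTES:
                continue
            if info.flag_bits & 0x1:  # encrypted member: contents cannot be read
                findings.append((info.filename, "encrypted, cannot inspect"))
                continue
            data = outer.read(info)
            # An OOXML document is itself a zip; a VBA project is stored as a
            # part named vbaProject.bin. Checking the part, not only the
            # extension, also catches a macro workbook renamed to .xlsx.
            if zipfile.is_zipfile(io.BytesIO(data)):
                with zipfile.ZipFile(io.BytesIO(data)) as doc:
                    parts = [p.lower() for p in doc.namelist()]
                if any(p.endswith("vbaproject.bin") for p in parts):
                    findings.append((info.filename, "contains vbaProject.bin"))
                    continue
            if info.filename.lower().endswith(MACRO_EXTS):
                findings.append((info.filename, "macro-capable extension"))
    return findings


def build_sample(doc_name, with_vba):
    """Constructed sample: a zip holding one minimal OOXML-like container."""
    doc = io.BytesIO()
    with zipfile.ZipFile(doc, "w") as z:
        z.writestr("[Content_Types].xml", "<Types/>")
        z.writestr("xl/workbook.xml", "<workbook/>")
        if with_vba:
            z.writestr("xl/vbaProject.bin", b"placeholder, not real VBA")
    outer = io.BytesIO()
    with zipfile.ZipFile(outer, "w") as z:
        z.writestr(doc_name, doc.getvalue())
    return outer.getvalue()


if __name__ == "__main__":
    for name, vba in [("form.xlsm", True), ("form.xlsx", True), ("form.xlsx", False)]:
        print(name, vba, find_macro_documents(build_sample(name, vba)))
```

A hit is a reason to quarantine the archive for analysis, not proof of malice, since legitimate workbooks also contain macros.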
In this instance, your Spidey sense should start tingling if you receive a violation notice that doesn’t correspond to any activity you’ve performed on the site in question.
In the campaign described by Inky, it makes no sense that a Craigslist problem would be resolved through a document uploaded to OneDrive.
In this case, you should be suspicious about the indirect way you’re asked to access and fill out a form. With a legitimate email, the form would be attached to the message rather than requiring you to connect to OneDrive.