VEILDrive is a malware campaign and command-and-control (C2) technique that abuses legitimate Microsoft cloud and remote-assistance services to evade detection. The Microsoft services reported as abused are Teams, SharePoint, Quick Assist, and OneDrive. The campaign's modus operandi relies on these trusted services so that its malicious communications blend with normal enterprise traffic to Microsoft endpoints. The activity has been observed targeting an unnamed U.S. critical infrastructure entity. The public reporting summarized here states that attribution is currently unknown. High-confidence details in the available reporting are limited to the campaign's abuse of the named Microsoft services for stealth and C2; no specific malware payload capabilities, infection vector, or indicators of compromise beyond those service names are provided.
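Because the destinations in this campaign are legitimate Microsoft services, destination-based blocking or reputation lookups give no signal. The practical hunt is to ask which process on the endpoint is talking to those services and how regularly it does so. The script below is an added illustration of that idea and is not code from the VEILDrive reporting or from any vendor; the event schema, the allowlist of expected client processes, the service domain suffixes, and the sample telemetry are all constructed assumptions, and nothing in it reflects the campaign's actual binaries or infrastructure.

```python
"""Hunt for SaaS-as-C2 abuse in constructed endpoint telemetry.

Added illustration, not from the VEILDrive reporting. The signal comes from
*which process* connects to Microsoft services and *how regularly*, because the
destinations themselves are legitimate. Event schema, process allowlist,
domain suffixes and all sample data below are constructed assumptions.
"""
from collections import defaultdict
from datetime import datetime, timedelta
from statistics import mean, pstdev

# Destination suffixes for services named in the reporting (Teams, SharePoint,
# OneDrive via Graph). Illustrative, not an authoritative endpoint list.
SAAS_SUFFIXES = ("graph.microsoft.com", ".sharepoint.com", "teams.microsoft.com")

# Processes expected to talk to those services on a normal workstation.
# Assumed allowlist; tune to your own environment.
EXPECTED_CLIENTS = {"msedge.exe", "chrome.exe", "ms-teams.exe", "teams.exe",
                    "onedrive.exe", "outlook.exe", "winword.exe", "excel.exe",
                    "quickassist.exe"}


def is_saas_host(host):
    """True if the destination is one of the Microsoft services we care about."""
    host = host.lower()
    return any(host.endswith(s) if s.startswith(".") else host == s
               for s in SAAS_SUFFIXES)


def beacon_score(timestamps):
    """Coefficient of variation of inter-connection gaps.

    Near 0 means clockwork timing (classic beacon); None if too few events.
    """
    ts = sorted(timestamps)
    gaps = [(b - a).total_seconds() for a, b in zip(ts, ts[1:])]
    if len(gaps) < 2:
        return None
    m = mean(gaps)
    return pstdev(gaps) / m if m > 0 else None


def find_saas_c2_candidates(events, min_conns=4, max_cv=0.2):
    """Return processes that reach Microsoft services but look wrong.

    A process is reported if it is not an expected client, or if it connects
    at least `min_conns` times with gap variation at or below `max_cv`.
    """
    by_proc = defaultdict(list)
    for e in events:
        if is_saas_host(e["dest"]):
            by_proc[(e["host"], e["image"].lower())].append(e)

    findings = []
    for (host, image), evs in sorted(by_proc.items()):
        name = image.rsplit("\\", 1)[-1]
        reasons = []
        if name not in EXPECTED_CLIENTS:
            reasons.append("unexpected_client")
        cv = beacon_score([datetime.fromisoformat(e["ts"]) for e in evs])
        if len(evs) >= min_conns and cv is not None and cv <= max_cv:
            reasons.append(f"periodic_beacon(cv={cv:.2f})")
        if reasons:
            findings.append({"host": host, "image": image,
                             "dests": sorted({e["dest"] for e in evs}),
                             "connections": len(evs), "reasons": reasons})
    return findings


def _mk(host, image, dest, base, offsets):
    """Build constructed network events at the given second offsets."""
    return [{"host": host, "image": image, "dest": dest,
             "ts": (base + timedelta(seconds=o)).isoformat()} for o in offsets]


BASE = datetime(2024, 11, 4, 9, 0, 0)
# Constructed sample telemetry: two benign clients, one clockwork beacon from
# a user-writable path, one interactive PowerShell hit, one non-SaaS flow.
SAMPLE_EVENTS = (
    _mk("WS01", r"C:\Program Files\WindowsApps\MSTeams\ms-teams.exe",
        "teams.microsoft.com", BASE, [0, 17, 95, 130, 600])
    + _mk("WS01", r"C:\Program Files\Microsoft\Edge\Application\msedge.exe",
          "contoso.sharepoint.com", BASE, [5, 40])
    + _mk("WS01", r"C:\Users\Public\updater.exe",
          "graph.microsoft.com", BASE, [0, 60, 121, 180, 241, 300])
    + _mk("WS02", r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
          "graph.microsoft.com", BASE, [3])
    + _mk("WS02", r"C:\Program Files\Microsoft\Edge\Application\msedge.exe",
          "example.com", BASE, [1, 2, 3, 4, 5])
)

if __name__ == "__main__":
    for f in find_saas_c2_candidates(SAMPLE_EVENTS):
        print(f)
```

On the constructed sample the Teams and Edge traffic is ignored even though it goes to the same services, while the unknown binary beaconing to Graph every ~60 seconds is reported for both reasons and the lone PowerShell connection is reported only as an unexpected client. In a real deployment the allowlist should key on signed image path rather than bare file name, since an attacker can name a binary anything.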
It is cited as an example of malware that uses Microsoft services for C2. The text does not describe its detailed functionality; it is mentioned only as a comparable case of SaaS-based C2.
Malware campaign leveraging legitimate Microsoft services to evade detection and target critical infrastructure.