Discord CDN Link Abused to Deliver RAT Disguised as OneDrive File

Cybersecurity firm Sublime Security has discovered a new threat, observed on the Microsoft 365 email platform, in which attackers use a clever malware campaign to trick users with fake OneDrive emails.
In the research, shared with Hackread.com, the firm found that this sophisticated attack installs two separate remote-control programs on a victim’s computer, making it very difficult to stop.
Sublime Security’s AI-powered system detected the attack by spotting several subtle clues. These included the email claiming to share a file but being sent to an undisclosed recipient list, the misleading file extension (presented as .docx but actually .msi), and the use of a free file hosting site.
Researchers found that the attack begins with a malicious email sent from a previously compromised account. The message is designed to look like a file-sharing notification from Microsoft’s OneDrive, complete with a familiar privacy footer and a Word document icon.
The email’s link promises to download a document file, but it actually leads to a dangerous installer file hosted on a free service, the Discord CDN. When a user clicks the link, the attack installs software known as RMM, or Remote Monitoring and Management. These are legitimate tools used by IT professionals to fix computers from a distance, but cybercriminals can use them to take full control of a machine.
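The clues described above (a file-sharing notice sent to undisclosed recipients, a link whose visible name ends in .docx while the download is a .msi, and hosting on a free service such as the Discord CDN) can be checked mechanically. The following Python script is an added example, not Sublime Security’s detection logic or any code from the article; the email samples are constructed for illustration, and the list of free hosting domains is an assumption you would replace with your own.

```python
import re
from email import message_from_string
from email.message import Message
from urllib.parse import urlparse

# Assumed list of free file-hosting domains; the article names the Discord CDN.
FREE_HOSTING_DOMAINS = {"cdn.discordapp.com", "media.discordapp.net"}

# Installer/script extensions we never expect behind a "document" link.
INSTALLER_EXTENSIONS = {".msi", ".exe", ".bat", ".js", ".vbs", ".scr"}
DOCUMENT_EXTENSIONS = {".docx", ".doc", ".pdf", ".xlsx", ".pptx"}

# Captures href and anchor text from HTML links: <a href="...">Name.docx</a>
LINK_RE = re.compile(r'<a[^>]+href="([^"]+)"[^>]*>(.*?)</a>', re.I | re.S)


def _ext(text: str) -> str:
    """Return the trailing file extension of a name or URL path, lower-cased."""
    m = re.search(r'(\.[a-z0-9]+)\s*$', text.strip().lower())
    return m.group(1) if m else ""


def _body_text(msg: Message) -> str:
    """Concatenate the text/html and text/plain parts of a parsed message."""
    parts = msg.walk() if msg.is_multipart() else [msg]
    chunks = []
    for part in parts:
        if part.get_content_type() in ("text/html", "text/plain"):
            payload = part.get_payload(decode=True)
            if payload:
                chunks.append(payload.decode(part.get_content_charset() or "utf-8", "replace"))
    return "\n".join(chunks)


def analyze_message(raw: str) -> list[str]:
    """Return a list of human-readable findings for one raw RFC 822 message."""
    msg = message_from_string(raw)
    findings = []
    subject = msg.get("Subject", "")
    to_header = msg.get("To", "")

    # Clue 1: claims to share a file, yet recipients are hidden.
    claims_share = re.search(r'\bshared\b.*\b(file|document)\b', subject, re.I) is not None
    if claims_share and (not to_header or "undisclosed" in to_header.lower()):
        findings.append("file-share notification with undisclosed recipients")

    for href, anchor in LINK_RE.findall(_body_text(msg)):
        anchor_text = re.sub(r'<[^>]+>', '', anchor)
        url = urlparse(href)
        host = (url.hostname or "").lower()

        # Clue 2: the download is served from a free file-hosting domain.
        if host in FREE_HOSTING_DOMAINS:
            findings.append(f"link hosted on free file hosting: {host}")

        # Clue 3: the link looks like a document but fetches an installer.
        shown, real = _ext(anchor_text), _ext(url.path)
        if shown in DOCUMENT_EXTENSIONS and real in INSTALLER_EXTENSIONS:
            findings.append(f"extension mismatch: shows {shown} but downloads {real}")
    return findings


# Constructed sample mimicking the lure described in the article (not a real message).
SAMPLE_EMAIL = """\
From: Finance Team <accounts@example-partner.test>
To: undisclosed-recipients:;
Subject: Finance Team shared a file with you
Content-Type: text/html; charset=utf-8

<html><body>
<p>Finance Team shared "Q3 Invoice.docx" with you.</p>
<p><a href="https://cdn.discordapp.com/attachments/0000/0000/Q3_Invoice.msi">Q3 Invoice.docx</a></p>
<p>Privacy statement placeholder footer.</p>
</body></html>
"""

# Constructed benign sample: named recipient, document served from a tenant domain.
BENIGN_EMAIL = """\
From: Alice <alice@example-corp.test>
To: bob@example-corp.test
Subject: Alice shared a file with you
Content-Type: text/html; charset=utf-8

<html><body>
<p><a href="https://example-corp.sharepoint.test/Shared/Q3_Plan.docx">Q3_Plan.docx</a></p>
</body></html>
"""

if __name__ == "__main__":
    for finding in analyze_message(SAMPLE_EMAIL):
        print("suspicious:", finding)
    print("benign findings:", analyze_message(BENIGN_EMAIL))
```

Each finding on its own is weak (many legitimate notifications hide recipients), which is why a rule like this should score the combination rather than block on any single clue; the benign sample shows that a named recipient with a matching document extension on a tenant domain produces no findings.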
The RMM software works by installing a small program called an agent on the target computer, which creates the connection for remote access. Once installed, an RMM can be used to steal data, lock the machine for ransom, or deliver other attacks. This campaign is particularly tricky because it installs Atera in a visible process, while two further installations, Splashtop Streamer and .NET Runtime 8, run in the background.
Both of these are downloaded from legitimate sources, making them appear as harmless web traffic. This dual approach is a key part of the scheme, ensuring that the attacker “maintains remote control even if one RMM is discovered,” the blog post reads.
This campaign highlights the growing threat of multi-stage attacks that use deception to gain lasting control over a victim’s machine. To stay safe, always be cautious with unexpected emails, even from trusted sources like OneDrive. Also, before opening any downloaded files, check their type and name carefully; if the file type seems off, like a .msi file instead of a .docx, do not run it.
HackRead