It is important to note that this behavior is happening the same way in all computers (Win 10 Pro - v20H2), therefore we believe that if it was something related to the DNS it would return the server IP address, but every computer shows its own localhost info!
I was trying to insert a link to my OneDrive document in a Google sheet. For this, I selected the text within a cell and then right-clicked to insert a hyperlink from the shortcut menu. That didn't work. Tried doing it the same way for different files, but the link always ended up dead.
I am also facing a similar issue on my pc.
I tried from different browsers, even different OS (Windows and Linux), but those shortened 1drv.ms links never open.
But I can click on those links from my android phone and they get opened in the Onedrive mobile app (which is good).
I am attaching a screenshot of the error.
Maybe you could also try to flush DNS and check the host file.
You could work around this by adding a static entry for '1drv.ms' in your local 'hosts' file at 'C:\Windows\System32\drivers\etc\hosts'. Please be aware that, if and when Microsoft decides to point this DNS name to another IP, this will break. The long-term solution is to work with your ISP to add this DNS entry to their DNS servers.
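A way to audit that workaround later, as an added example (not code from this thread or from Microsoft): the script parses hosts-file text and reports any static entry that pins a given name, which is how you would find the stale pin the answer warns about once the real address moves, or notice a hosts entry you did not add yourself. The hosts content is constructed, and 203.0.113.10 is a documentation-range placeholder, not the real address of 1drv.ms; on Windows you would read the file from the path given above instead of the embedded sample.

```python
import ipaddress
from typing import List, Tuple

# Constructed sample hosts-file content (not copied from any real system).
SAMPLE_HOSTS = """# Copyright (c) 1993-2009 Microsoft Corp.
127.0.0.1       localhost
::1             localhost
# static workaround added by hand (constructed example)
203.0.113.10    1drv.ms   www.1drv.ms  # placeholder IP from the documentation range
0.0.0.0         ads.example.invalid
"""


def parse_hosts(text: str) -> List[Tuple[int, str, List[str]]]:
    """Parse hosts-file text into (line_number, ip, [hostnames]) tuples.

    Comments (#) and blank lines are skipped. Lines whose first token is not
    a valid IPv4/IPv6 address are ignored, because the OS resolver ignores
    them too. Hostnames are lower-cased since hosts lookups are case-insensitive.
    """
    entries = []
    for lineno, raw in enumerate(text.splitlines(), start=1):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        tokens = line.split()
        try:
            ip = ipaddress.ip_address(tokens[0])
        except ValueError:
            continue
        names = [t.lower() for t in tokens[1:]]
        if names:
            entries.append((lineno, str(ip), names))
    return entries


def find_overrides(text: str, domain: str) -> List[Tuple[int, str]]:
    """Return (line_number, ip) for every hosts entry that pins `domain`.

    A hit means the resolver never consults DNS for that name, so the pinned
    address silently goes stale if the service moves, and an entry nobody
    remembers adding deserves a closer look.
    """
    wanted = domain.lower().rstrip(".")
    return [(ln, ip) for ln, ip, names in parse_hosts(text) if wanted in names]


def report(text: str, domain: str) -> str:
    """Human-readable summary for one name."""
    hits = find_overrides(text, domain)
    if not hits:
        return f"{domain}: no static entry; DNS is authoritative"
    return "; ".join(f"{domain} pinned to {ip} (hosts line {ln})" for ln, ip in hits)


if __name__ == "__main__":
    # To audit a live machine, replace SAMPLE_HOSTS with the file contents,
    # e.g. open(r"C:\Windows\System32\drivers\etc\hosts").read() on Windows.
    print(report(SAMPLE_HOSTS, "1drv.ms"))
    print(report(SAMPLE_HOSTS, "onedrive.live.com"))
```

Running it on the sample reports the pinned 203.0.113.10 entry for 1drv.ms and no override for onedrive.live.com; comparing the pinned address against what an external resolver returns tells you when the workaround has gone stale.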
Thank you, this helped. Although it's a temporary solution, I'll stick with it for the time being. And you said something about a long-term solution, "ISP to add this DNS entry to their DNS servers". I am using mobile internet, as wi-fi, BSNL network. Can I do anything or tweak something in my phones that could help? Are you talking about this? Or is it more like a BSNL network issue? Thank you again.
Initially, I was interested in this because it looks like some of the other real estate related phishing/Business Email Compromise attacks I have seen in the past. The goal is usually to get a victim's email credentials and later inject emails with fraudulent wire instructions. Many millions of dollars have been lost in these attacks in the past. I found it interesting that the attacker specifically requested to verify wire instructions via the phone.
The link itself led to hxxps://1drv.ms/b/s!Ajbc-YlY0yFbdwRk1MlFeXtt4YU. "1drv.ms" is actually a legitimate Microsoft-owned domain, used as a short link for OneDrive documents. Sure enough, I ended up at a legitimate OneDrive URL. But the document displayed asked me to click again:
So the next step would be to give the attacker my "honey password". Sadly, I didn't get to this part because the attacker didn't anticipate victims using IPv6. The blocklist the attacker uses to exclude researchers is only considering IPv4, and errors out on IPv6.
This is actually a pretty major oversight, considering that this attack probably targets home users and would also get good results from mobile users. According to Google [1], about 30 % of these requests will come via IPv6 for users in the US.
Even though the firewall appliance is not used as the DNS resolver by the client and "Enforce DNS Proxy For All DNS Requests" is not enabled, 1drv.ms is blocked by the DNS sinkhole, which is a good thing in general, but odd in this case.
In this December 2020 campaign, TA453 used an actor-controlled Gmail account that masqueraded as a prominent Israeli physicist. The account (zajfman.daniel[@]gmail.com) sent messages with the subject "Nuclear weapons at a glance: Israel" that contained social engineering lures relating to Israeli nuclear capabilities. These malicious emails contained a link to the TA453-controlled domain 1drv[.]casa. When clicked, the URL leads to a landing site spoofing Microsoft's OneDrive service along with an image of a PDF document logo titled CBP-9075.pdf.
At this time, it does not appear that 1drv[.]casa conducts any sort of multi-factor authentication bypass. Although Proofpoint does not currently have further visibility into how TA453 used any credentials obtained from this specific campaign, public reporting from CERTFA indicates TA453 has previously used harvested credentials to exfiltrate email inbox contents.[4] In select prior campaigns, Iranian-aligned actors, including TA453, have used compromised accounts for further phishing.[5]
At this time, Proofpoint cannot conclusively determine the motivation of actors conducting these campaigns. As collaboration for medical research is often conducted informally over email, this campaign may demonstrate that a subset of TA453 operators have an intelligence requirement to collect specific medical information related to genetic, oncology, or neurology research. Alternatively, this campaign may demonstrate an interest in the patient information of the targeted medical personnel or an aim to use the recipients' accounts in further phishing campaigns. While this campaign may represent a shift in TA453 targeting overall, it is also possible it may be an outlier, reflective of a specific priority intelligence tasking given to TA453.
While Proofpoint cannot independently attribute TA453 to the IRGC, the tactics and techniques observed in BadBlood continue to mirror those used in historic TA453 campaigns and the overall targeting of TA453 campaigns detected by Proofpoint appear to support IRGC intelligence collection priorities.[7]
In 2019, the US Department of Justice indicted four Iranian individuals for using social media and credential phishing emails to conduct malicious computer intrusions on behalf of the IRGC.[8] Private industry reporting identified this activity as part of CHARMING KITTEN in both 2017 and 2019.[9,10] In early 2019, Microsoft reported TA453 was abusing well known email brands to conduct spear phishing operations against government agencies, political targets, and journalists on behalf of the Iranian government.[11]
While investigating this campaign, Proofpoint Threat Research identified other domains attributed to TA453 with high confidence based on network infrastructure components, campaign timing, and similarity in lure documents. Both Proofpoint and VirusTotal telemetry indicated additional actor-controlled domains were used in TA453 campaigns that attempted to compromise more traditional TA453 targets with a similar attack chain in late December 2020. Finally, the lure documents provided at the end of the attack chain share similar national security themes, including Congressional Research Reports, think tank publications, and other policy-minded documents. While researchers were not able to directly correlate all of these domains with phishing campaigns, we judge this activity to be consistent with the BadBlood campaign.
While TA453 has consistently demonstrated a desire to collect and exfiltrate the email mailbox contents belonging to typical intelligence targets of the Iranian government like the Iranian diaspora, policy analysts, and educators, this TA453 campaign demonstrated a desire to target medical researchers and providers. Further detection and analysis of TA453 campaigns will likely determine whether this targeting is an outlier or if targeting has evolved to support the medical sector becoming a consistent intelligence requirement and target for TA453.
While targeting medical experts in genetics, neurology and oncology may not be a lasting shift in TA453 targeting, it does indicate at least a temporary change in TA453 collection priorities. BadBlood is aligned with an escalating global trend of medical research being increasingly targeted by espionage-motivated threat actors.[12]
Has anyone noticed issues with resolving the 1drv.ms domain using the Spark [Xtra] DNS servers 122.56.237.1 and 210.55.111.1? External DNS servers resolve the name without an issue. As a test I've tried three different Spark-connected connections using Xtra DNS and all had the same issue.
So it's likely very isolated; if you can't get resolution for any sites using our DNS servers, then it's certainly not a widespread issue... Have you verified with nslookup against 210.55.111.1 or 122.56.237.1?
Basically, if you have a router that's pre-6.40.6 or 6.42.1, and it has port 80 or port 8291 (Winbox) access open either locally or via the internet, and that access isn't heavily locked down to source IP ranges, it will be hacked. Guaranteed.
Basically, 1drv.ms is a domain owned by Microsoft that allows users to store, manage, and share files online. It is important to note that 1drv.ms is not a website in and of itself, but rather a short URL that is used to access OneDrive.
The primary purpose of 1drv.ms is to provide users with a secure and reliable way to store files online. This eliminates the need to store files locally or on a physical storage device, like a hard drive or flash drive.
OneDrive is encrypted with AES 256-bit encryption, which makes your data 100% safe from theft or hacking practices. Also, Microsoft has integrated built-in ransomware protection technology to scan for any malicious or infected files in OneDrive.
On initial signup, OneDrive gives you free space of up to 5GB to store your pictures, music, videos, and other important files. Microsoft allows you to increase your storage capacity through different paid plans.
If both the above methods are not working for you, then it could be due to the fact that you have limited permission to open the file in OneDrive. You should contact the user who originally uploaded the file and ask them to grant you permission.