A recent cybersecurity investigation has revealed a sophisticated phishing campaign leveraging Discord’s Content Delivery Network (CDN) to distribute Remote Access Trojan (RAT) malware disguised as legitimate Microsoft OneDrive files. This campaign primarily targets Microsoft 365 users and underscores the evolving tactics employed by cybercriminals to bypass conventional security measures.
Anatomy of the Attack
The scheme typically starts with a convincing phishing email masquerading as a genuine Microsoft OneDrive share notification. These emails are designed to closely mimic official correspondence from Microsoft, often using familiar branding and file icons to establish credibility and lure recipients into trusting the message.
Embedded within the email is a link purported to provide access to a shared OneDrive document. However, instead of leading to a legitimate file, the link directs users to a file hosted on Discord’s CDN. The file is frequently presented with a misleading filename, such as one that appears to carry a .docx extension, but is in reality an installer file, commonly with an .msi extension, that runs once executed.
If the recipient proceeds to download and execute this file, they unwittingly install RAT or remote monitoring and management (RMM) software. These tools, though often used for legitimate IT support, are repurposed in this context to provide cybercriminals with broad access to the victim’s system. The attackers can then steal sensitive information, monitor user activity, or deploy additional forms of malware.
Exploiting Discord’s CDN
Discord’s CDN is a file hosting system intended for sharing content within Discord’s chat platform. However, files uploaded to Discord can be accessed by anyone possessing the direct CDN link, whether or not they have a Discord account. Until recently, these links provided indefinite access, making Discord’s CDN a popular and convenient platform for hosting and distributing malware.
Cybercriminals take advantage of the trust many users place in communication platforms like Discord. Since Discord-hosted files often evade common email security filters, malicious CDN links are more likely to reach end users without being flagged as suspicious.
This campaign exemplifies how Discord has become an attractive intermediary for attackers. Not only can they distribute direct malware payloads, but they can also use these links to deploy intermediary downloaders that fetch additional malicious software.
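The two defensive checks the article implies, a mail-side check for "OneDrive share" lures whose link actually resolves to Discord's CDN with a document-looking name hiding an installer extension, and a download-side check that a file's leading bytes match the type its name claims, as an added example. This is not code from the article or from any vendor; the email text, the channel and attachment ids in the URL, and the query parameters are constructed placeholders, and the extension-to-signature table is a deliberately small subset.

```python
"""Added example (not from the article): flag OneDrive-style lure links that
point to Discord's CDN, and check whether a downloaded file's bytes match the
type its filename claims. Sample email, ids and file headers are constructed."""
import re
from urllib.parse import urlparse, unquote

# Hosts Discord uses to serve uploaded attachments.
DISCORD_CDN_HOSTS = {"cdn.discordapp.com", "media.discordapp.net"}

# File signatures: MSI packages are OLE compound files; .docx/.xlsx/.pptx are ZIP containers.
OLE_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"
ZIP_MAGIC = b"PK\x03\x04"
PDF_MAGIC = b"%PDF-"

# Extension -> signature the content should start with (small subset; an assumption).
EXPECTED_MAGIC = {
    ".docx": ZIP_MAGIC, ".xlsx": ZIP_MAGIC, ".pptx": ZIP_MAGIC,
    ".doc": OLE_MAGIC, ".xls": OLE_MAGIC, ".msi": OLE_MAGIC,
    ".pdf": PDF_MAGIC,
}
DOCUMENT_EXTS = {".docx", ".xlsx", ".pptx", ".doc", ".xls", ".pdf"}
INSTALLER_EXTS = {".msi", ".exe"}

URL_RE = re.compile(r"""https?://[^\s<>"']+""")

# Constructed lure: a "share" notification whose link goes to Discord's CDN.
# The numeric ids and the ?ex=/is=/hm= values are placeholders, not real ones.
SAMPLE_EMAIL = """\
Subject: Someone shared "Invoice_Q3" with you on OneDrive
Open the document:
https://cdn.discordapp.com/attachments/111111111111111111/222222222222222222/Invoice_Q3.docx.msi?ex=0&is=0&hm=0
Manage notifications: https://example.com/settings
"""


def extract_urls(text):
    """Return every http(s) URL in the text, stripping trailing punctuation."""
    return [u.rstrip(".,;)") for u in URL_RE.findall(text)]


def is_discord_cdn(url):
    host = (urlparse(url).hostname or "").lower()
    return host in DISCORD_CDN_HOSTS


def claimed_filename(url):
    """Last path segment, URL-decoded; the query string is ignored."""
    return unquote(urlparse(url).path.rsplit("/", 1)[-1])


def extensions(name):
    """All dotted suffixes in order, e.g. 'a.docx.msi' -> ['.docx', '.msi']."""
    parts = name.lower().split(".")
    return ["." + p for p in parts[1:]] if len(parts) > 1 else []


def assess_link(url):
    """Describe why a link is suspicious in a supposed OneDrive share email."""
    name = claimed_filename(url)
    exts = extensions(name)
    final = exts[-1] if exts else ""
    return {
        "url": url,
        "claimed_name": name,
        "discord_cdn": is_discord_cdn(url),
        "final_extension": final,
        "installer": final in INSTALLER_EXTS,
        # 'Invoice.docx.msi': a document extension placed in front of an installer extension
        "double_extension": len(exts) > 1 and any(e in DOCUMENT_EXTS for e in exts[:-1]),
    }


def scan_email(body):
    """Assess only the links that resolve to Discord's CDN."""
    return [assess_link(u) for u in extract_urls(body) if is_discord_cdn(u)]


def sniff_type(head):
    """Coarse type from the first bytes of a file."""
    if head.startswith(OLE_MAGIC):
        return "ole"
    if head.startswith(ZIP_MAGIC):
        return "zip"
    if head.startswith(PDF_MAGIC):
        return "pdf"
    return "unknown"


def content_matches_name(name, head):
    """True/False when the final extension implies a known signature, else None."""
    exts = extensions(name)
    if not exts or exts[-1] not in EXPECTED_MAGIC:
        return None
    return head.startswith(EXPECTED_MAGIC[exts[-1]])


if __name__ == "__main__":
    for finding in scan_email(SAMPLE_EMAIL):
        print(finding)
    # A file named like a Word document but starting with the OLE signature is an MSI, not a .docx.
    print(content_matches_name("Invoice_Q3.docx", OLE_MAGIC + b"\x00" * 8))
```

The mail-side check keys on the hostname and the path, not on the query string, so the expiring-link parameters Discord has introduced do not affect it; the download-side check uses the final extension because that is what the operating system will act on, regardless of what the name displays before it.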
Ongoing Mitigation Efforts
Recognizing the magnitude of this abuse, Discord has announced changes to its CDN infrastructure, including the planned introduction of temporary file links and enhanced CDN authentication mechanisms. These measures, expected to take effect by late 2025, aim to limit the accessibility of files to authorized users and reduce the window of opportunity for malicious actors to exploit this vector.