Not Cunning
but to be fair, they have found an attack vector that was slipping through the cracks. The steps the tool takes accomplish the same ends as custom code, but don't trigger the same response.
This is just another variant of the standard tactic and technique of stringing together an attack chain from code, tools, and gadgets that are already on the host machines.
The real obstacle here is that you have a grey zone where tools like One Drive and Dropbox are used daily for general use, so it gets hard to restrict them w/o over blocking and annoying people. So they set the heuristics loose to avoid complaints and something nasty slipped by initially.
That said, I really hate the fact that we are on gmail, and they make it a pain to sideline this stuff. The old on prem mail server wasn't built by a multi-billion scale team, but has useful features like the ability sideline an queue suspicious attachments till they were release by one of the mail admins. Because some users will reliably click on ANYTHING. How those features aren't considered part of the minimum viable product I will never know.
So instead we try to block the users work machine from running the thing, and they just forward it to someone else to open for them, or open it on their personal device. If you can't trust them not to open it, why are you trusting them to have it at all?
Biting the hand that feeds IT
