
Nimblr honeypots reveal an ongoing OneDrive phishing attack

Written by Nimblr Security Awareness | Apr 23, 2025 1:01:21 PM

Have you ever wondered how a real-life phishing attack works? Through our honeypots, Nimblr’s Cyber Intelligence Team recently discovered a disturbing trend: cybercriminals are exploiting Microsoft OneDrive to carry out sophisticated phishing attacks.

This isn’t just random spam. It’s a calculated, insidious method of bypassing firewalls and spam filters — using the very platforms people trust.

One of our honeypots—a decoy system designed to attract cyberattacks—revealed this ongoing attack. Honeypots allow us to study criminal tactics in real time, giving valuable insight into phishing methods and how attackers evade detection.

The real-world impact: A compromised account in Sweden

One of our honeypots discovered a phishing campaign using the Microsoft OneDrive account of a CEO involved in a major Swedish skiing competition. After alerting the organization, we continued to monitor the attackers’ methods to better understand the scope and strategy behind this exploit.

How the OneDrive phishing attack works

Step 1: Using a Trusted Platform: The attacker gains access to a legitimate Microsoft OneDrive account, often through leaked credentials or a previous phishing attempt. By leveraging a trusted domain like OneDrive, they can host malicious content that bypasses security filters.

Step 2: Hosting a Fake Document: Once inside the account, the attacker uploads a fake document—typically disguised as an invoice, report, or proposal. They then create a OneDrive shareable link that appears safe because it originates from Microsoft’s domain.

Step 3: Sending the Phishing Emails: The attacker sends phishing emails containing these OneDrive links to contacts harvested from the compromised mailbox. Since the email appears to come from a legitimate sender and includes a Microsoft link, it easily evades detection.

Step 4: Redirecting to a Fake Login Page: Victims who click the link are redirected to a realistic-looking Microsoft login page. This page, however, is fake. Once credentials are entered, they are captured by the attacker—granting access to even more accounts.
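Because the link in Step 3 sits on a genuine Microsoft host, reputation filtering does not help; what a defender can still see in mail-flow logs is one sender pushing the same share link to many recipients in a short time. The sketch below is an added example, not Nimblr's tooling: the record layout, addresses, threshold and time window are assumptions, and the sample messages are constructed.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta
from urllib.parse import urlparse

URL_RE = re.compile(r"https?://[^\s\"'<>]+")
# Hosts that serve OneDrive / OneDrive for Business share links.
SHARE_HOSTS = ("1drv.ms", "onedrive.live.com")
SHARE_SUFFIX = "-my.sharepoint.com"

def onedrive_links(body):
    """Return OneDrive share links in a message body (exact host match only)."""
    links = []
    for url in URL_RE.findall(body):
        host = (urlparse(url).hostname or "").lower()
        if host in SHARE_HOSTS or host.endswith(SHARE_SUFFIX):
            links.append(url.rstrip(".,)"))
    return links

def find_bursts(messages, min_recipients=3, window=timedelta(hours=1)):
    """Flag (sender, link) pairs sent to many distinct recipients within a window."""
    seen = defaultdict(list)  # (sender, link) -> [(time, recipient)]
    for m in messages:
        for link in onedrive_links(m["body"]):
            seen[(m["sender"], link)].append((m["time"], m["recipient"]))
    alerts = []
    for (sender, link), hits in seen.items():
        hits.sort()
        for i, (start, _) in enumerate(hits):
            rcpts = {r for t, r in hits[i:] if t - start <= window}
            if len(rcpts) >= min_recipients:
                alerts.append({"sender": sender, "link": link,
                               "recipients": sorted(rcpts)})
                break
    return alerts

T0 = datetime(2025, 4, 23, 9, 0)
SAMPLE = [  # constructed mail-flow records, not real data
    {"sender": "ceo@victim-org.example", "recipient": f"user{i}@partner.example",
     "time": T0 + timedelta(minutes=i),
     "body": "Invoice attached: https://1drv.ms/b/s!CONSTRUCTED-LINK"}
    for i in range(4)
] + [
    {"sender": "amy@corp.example", "recipient": "bob@corp.example", "time": T0,
     "body": "Q1 report https://contoso-my.sharepoint.com/:b:/g/personal/amy/CONSTRUCTED"},
]

if __name__ == "__main__":
    for alert in find_bursts(SAMPLE):
        print(alert["sender"], alert["link"], len(alert["recipients"]))
```

Legitimate bulk sharing will also trip this, so treat a hit as a reason to review the sender's recent sign-ins rather than as a verdict.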

3 pointers: Strengthen Your IT Security Against OneDrive Phishing Attacks

1. Trusted isn't always safe:
Even well-known, typically trustworthy websites can host malicious content. Attackers rely on this trust to increase their success rate.

2. Enable multi-factor authentication:
MFA is one of the most effective defenses against account takeovers. Even if a password is compromised, a second verification step—such as a code sent to your phone—can stop the attack.

3. Put your security awareness training to use:
If you receive a OneDrive link in an email that feels unusual—especially from someone you don't typically communicate with—proceed with caution. Learn how to spot red flags in our post on anti-phishing policies.

The weaponization of Microsoft OneDrive is just one example of how attackers innovate to bypass traditional defenses. By understanding their methods and implementing proactive security measures, you can reduce your organization’s risk and stay ahead of evolving threats.
