OneDrive Insurance Phishing Scam

This Friday (4/26/19) we investigated a phishing campaign for one of our insurance clients and we learned quickly that it spanned at least two other CNY area insurance companies.  For that reason Jim and I thought it was appropriate to blast out an ad-hoc "alert" to all of our insurance contacts.


Here's what we know so far:

  • It appears that the email accounts of some of our local insurance colleagues have been compromised

  • The bad actors are then spamming everyone in the user's address book (mostly insurance colleagues)

  • The email is a file share request from Microsoft's OneDrive

  • The incredible thing is in at least one case the file being shared is named "3rd Party Service Provider"

  • The text of the email is short and sweet, something like "please open the document"

  • The sender has "BCC'd" you, in other words, the "From" and "To" are both the same

In this case, "Think, Don't Click"

Here is a sample:

[Image: Phishing Scam]
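The traits listed above can be turned into a quick triage check over raw messages. This is an added example, not part of the original alert; the 25-word cutoff, the sample messages and the example.* addresses are assumptions.

```python
from email import message_from_string
from email.utils import getaddresses

SHORT_BODY_WORDS = 25  # assumed cutoff for a "short and sweet" message

def campaign_traits(raw):
    """Return which traits from the alert a raw RFC 5322 message shows."""
    msg = message_from_string(raw)
    senders = {a.lower() for _, a in getaddresses(msg.get_all("From", [])) if a}
    visible = msg.get_all("To", []) + msg.get_all("Cc", [])
    rcpts = {a.lower() for _, a in getaddresses(visible) if a}
    # Use the first text/plain part; HTML-only mail yields an empty body here.
    parts = msg.walk() if msg.is_multipart() else [msg]
    part = next((p for p in parts if p.get_content_type() == "text/plain"), None)
    body = ""
    if part is not None:
        data = part.get_payload(decode=True) or b""
        body = data.decode(part.get_content_charset() or "utf-8", "replace")
    text = (str(msg.get("Subject", "")) + " " + body).lower()
    traits = []
    if rcpts and rcpts <= senders:  # only the sender is visible; the rest were BCC'd
        traits.append("from_equals_to")
    if "onedrive" in text:
        traits.append("onedrive_share")
    if 0 < len(body.split()) <= SHORT_BODY_WORDS:
        traits.append("short_body")
    return traits

def needs_review(raw):
    """Triage only: all three traits together, never a verdict by itself."""
    return len(campaign_traits(raw)) == 3

# Constructed samples; the subject wording and addresses are placeholders.
PHISH = """\
From: Pat Example <pat@agency.example>
To: pat@agency.example
Subject: Pat Example shared "3rd Party Service Provider" with you

Please open the document.
View in OneDrive
"""
BENIGN = """\
From: Sam Example <sam@carrier.example>
To: pat@agency.example
Subject: Renewal paperwork

I uploaded the renewal packet to OneDrive so the whole team can reach it. Please review the loss runs and the updated schedule before our call on Tuesday, and send me any corrections by Monday.
"""
```

A message that matches all three traits still needs a human look, since people do send short notes to themselves.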

What if I clicked?

  • If you clicked on the OneDrive link, you're probably OK.  Clicking on the OneDrive link takes you to a PDF in OneDrive that is the phish.

  • However, if you clicked on the link inside that OneDrive document, you might be in trouble!

If you clicked on the link in OneDrive:

  1. Change your email password immediately

  2. If it's been more than, say, 30 minutes you might've been compromised and will need to have your account checked for signs of intrusion. 

  3. Either call us immediately, call your IT support staff, or check the following:

    1. Check your Sent Items for emails you didn't send

    2. Check your Deleted Items for emails you didn't send

    3. In Outlook, click "Recover" at the top of your Deleted Items and check to see if there are emails you didn't send

      1. If there are no emails in your "Recover Deleted Items Folder" you've probably got a problem

    4. In Outlook, click "File", then "Manage Rules & Alerts", and check for rules you didn't create

    5. In Outlook, click "File", then click the link next to Account Settings that says "Access this account on the web"

      1. Once there, make sure the "The new Outlook" slider in the upper-right corner is on

      2. Then click the settings "gear"

      3. Click "View all Outlook Settings" at the bottom

      4. Click "Forwarding"

      5. Ensure your email isn't being forwarded

Stay safe and have a good weekend.  If you have questions please contact us, we're here to help!