OneDrive Phishing Scam Details

We recently alerted our insurance industry colleagues of an active phishing campaign that had compromised multiple accounts at multiple insurance industry companies in the Upstate New York area. You can read more about it here.

Hopefully, if you received any of these threats you didn’t fall victim, and therefore didn’t see what the entire threat looked like. Out of curisoisty I took the threat as far as possible so that we could all (safely) see how these attacks work. This article is intended to simply demonstrate what happened, and where possible I’ll add commentary on the red flags.

The Initial Email

Here is a sample email. In this case, a user’s email credentials had been compromised, most likely by a previous phishing attack of a similar nature. In our experience, actual people, usually in Africa, are perpetuating the scam. They’re goal is to go whalling, that is they’re looking for a “big fish” that has access to money. If you’re not a whale with money to be stolen, they’re going to use you to attack everyone you know hoping for a bigger fish.

Think of it like a drug ring in reverse. You’re the low level dealer on the street, and the cops want your dealer, and then his dealer, and eventually the king pin. The attackers are doing the same thing. Using your network of contacts and your email account, they’re trying to get your boss, or someone in the C-Suite of a company you interact with.

This email has a link to a file on OneDrive, Microsoft’s file sharing platform. It could be OneDrive, Google Drive, Dropbox, whatever.

Clicking the OneDrive Link

These emails are tough. Especially this one because it comes from a colleague and, if you’re in insurance, there is a new regulation related to Third Party Service Providers that just went into effect. Insurance companies are all going back and forth signing third party service agreements, so the name of this file is incredibly enticing!

So what happens if you click on the email? Below are two examples that I received. Notice BOTH links are actual OneDrive files. What you can’t see is these are PDF’s that have embedded links

Clicking the Embeded Links

What happens if you click the links in these PDFs? Since we have two scenarios to work with, we ended up with two paths to go down. The first path takes you to a page that looks like the Microsoft logon screen. However, we’ve got a red flag here. The domain is “”, NOT,, or happens to be a Google Cloud address.

3 Office Landing Page.png

For the other link, we as the victim had better luck, the page was broken:

3 - landing page 2.png

I took this a step further though because I had a feeling my Web Protection features of my firewall or anti-virus were saving me. Sure enough, if I changed it to http I got a block from Sophos (hereby showing some of the value of having Web Protection)

3 - Sophos block.png

Since I was really curious, and working under the assumption not everyone has the belt and suspenders protections I use, I disabled the Sophos Web Protection feature. This time the firewall blocked it. I am showing you both of these images because it demonstrates the value of multiple technologies, even if they’re from the same vendor.

XG block.png

After chaning the URL to http, disabling Web Protection on my antivirus, and disabling Web Protection on my firewall, I (finally?) landed on a Microsoft looking landing page similar to what I already showed above, this time on a totally random domain (a red flag).

Entering an email address

If you’ve landed on the login page, and you happen to enter your email address, the attackers prompt you for your password. I want to point out that this looks like the default Microsoft logon page. However, Microsoft lets you customize the look of the login page for your domain so that it has YOUR logo and YOUR background which provides your users another red flag.

If I happen to enter my password two things happen. First, you get a page that says you entered the wrong password. But more importantly, the hackers now have your password! Unfortunetaly for Mickey Mouse, his password is now compromised:

5 - password wrong.png

Now what?

First, if you have Two-Factor Authentication on, you’re safe. The hackers don’t have your phone and therefore don’t have your rolling code.

However, if two-factor isn’t on, you need to change your password. You also MUST investigate if you are regulated in most any way such as HIPAA, NYS DFS, PCI DSS, etc. The reason is you must assume that your data has been breached, unless you can prove otherwise.

As a final thought, here’s another reason to not have sensitive data in your email!