The Microsoft OneDrive phishing email every O365 business user should know about

Businesses need to be more vigilant than ever about evolving phishing attempts.

A Microsoft OneDrive phishing email that began appearing in 2019 is making the rounds again. The Level5 IT team is receiving calls from both clients and colleagues about the scam, which affects business email accounts. Most troubling? Unlike most phishing emails, this one appears to be sent from genuine user email addresses instead of fake accounts with pseudonyms.

Despite the usefulness of the network file-sharing platform, OneDrive has been a constant target for phishing scams.

As a Microsoft certified partner and Office 365 / O365 cloud solutions provider, we’re letting users know about OneDrive scams, as well as other IT phishing scams and IT security events we come across.

What are OneDrive phishing scams?

Users of Microsoft’s OneDrive cloud hosting service are often targets of large-scale spam campaigns. These scams are designed to steal account passwords using the survey administration tool Google Forms.

An email arrives with a simple PDF file attached to a message from a seemingly credible email address. However, instead of opening the PDF, a click takes the recipient to a site outside of OneDrive. Next, the site prompts the user to enter their Microsoft login credentials. The apparent credential-entry box is actually a carefully disguised Google Form. Entering your information allows the scammer to capture passwords and mine your accounts for data and sensitive information.

What is the 2021 OneDrive phishing email?

Like most phishing scams, these emails typically have a subject line that looks routine, such as “Invoice” or “Your Payment Confirmation.” Usually no further information appears in the body of the email, but the recipient may not think twice because they will see the usual OneDrive shared file design.

Clicking to open actually takes users to an authentic Microsoft OneDrive storage account with an uploaded image file.

This phishing email looks convincingly like a real OneDrive message

One of the options at the top of the OneDrive page is “download.”

A genuine email or a page with an attachment would not offer such an option. The alarming part of the scam is that the link and file placement are genuine. A check of the site certificate will show a genuine registration to onedrive.com. However, the entire page is actually an image, and clicking to download the attachment redirects users to an inauthentic site outside of the OneDrive domain, which has a login screen waiting to maliciously collect your sign-in information. The design looks so real that it’s easy to trick users long enough to get them to click.

An authentic version of this page would not have a download option available

What do I do about a OneDrive scam email?

The Level5 IT service team emphasizes the recommendation that you never reply to unsolicited emails or engage with emails from unverifiable sources. If you weren’t expecting to receive such an email from a known sender, reach out to that sender and confirm that they sent it prior to interacting with the message.

If you do engage with an unexpected message, avoid clicking on links, as they are likely to lead to sites that contain malicious software or attempt to steal your credentials. Remember that hovering over links with your mouse will allow you to preview the URL without clicking on it. Be mindful that URLs can contain slight variations meant to deceive you into thinking you recognize them. Share this information with everyone inside your organization. Every team member who hasn’t received employee cybersecurity awareness training is an unlocked door into your business.
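
The hover check described above can also be run by a mail or security team over a message body before anyone clicks. The script below is an added example, not Level5's code; the trusted-host list, the verdict names and the sample links are assumptions constructed for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Assumption: hosts this organization accepts for OneDrive sharing and Microsoft sign-in.
TRUSTED = ("onedrive.com", "live.com", "sharepoint.com", "microsoftonline.com", "1drv.ms")
BRANDS = ("onedrive", "microsoft", "sharepoint")
DIGIT_SWAPS = str.maketrans("0135", "oles")  # common digit-for-letter substitutions

class LinkCollector(HTMLParser):  # collects (href, visible text) for every <a> element
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href"), []
    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)
    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None

def classify(href, text):
    parts = urlsplit(href)
    host = (parts.hostname or "").lower()
    if any(host == d or host.endswith("." + d) for d in TRUSTED):
        return "trusted"
    if host == "forms.gle" or (host == "docs.google.com" and parts.path.startswith("/forms")):
        return "google-form"  # a form is never a Microsoft sign-in page
    if "xn--" in host or any(b in host.translate(DIGIT_SWAPS) for b in BRANDS):
        return "lookalike-host"  # brand name or punycode in a host outside the allowlist
    if any(b in text.lower() for b in BRANDS):
        return "brand-text-off-domain"  # visible text names the brand, link goes elsewhere
    return "unknown"

def triage_links(html):
    collector = LinkCollector()
    collector.feed(html)
    return [(href, classify(href, text)) for href, text in collector.links]

# Constructed sample body; EXAMPLE ids and .example hosts are placeholders.
SAMPLE = """<p><a href="https://onedrive.live.com/?id=EXAMPLE">Invoice.pdf</a>
<a href="https://docs.google.com/forms/d/e/EXAMPLE/viewform">Sign in to view</a>
<a href="https://login.micros0ft-onedrive.example/auth">Download</a>
<a href="https://files.example/doc">Open in OneDrive</a></p>"""

if __name__ == "__main__":
    for link, verdict in triage_links(SAMPLE):
        print(f"{verdict:22} {link}")
```

A "trusted" verdict only means the host belongs to Microsoft. Because this scam places its lure on a genuine OneDrive page, the same check has to be applied to the link reached from that page's “download” option.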

If you’re having trouble with phishing emails or any other IT security issues, or to get your employees set up for awareness training, reach out to Level5.


Level5 Management brings enterprise-level security solutions and managed IT services to SMBs across South Florida and the United States. From the legal industry to the healthcare sector and many professional service industries in between, Level5 protects your business from making the news for the wrong reasons. For a no-obligation network assessment and consultation (https://www.level5mgmt.com/free-consultation/), call our Boca Raton cybersecurity experts at (561) 509-2077 or Livechat us on our website at level5mgmt.com (https://www.level5mgmt.com/services/).