Call us on: 02920 887 362
Insights /

Microsoft OneDrive Scam Email

Microsoft OneDrive is a great way to share files across your network. However, it is constantly being targeted for phishing email scams.

Recently our engineers have spotted a recent phishing scam which has affected some business accounts. Worryingly, the scam seems to send from actual email addresses of users, rather than a fake email hiding behind a pseudonym.

We are always on alert to help protect our customers, but we feel this information could be extremely valuable to other Office 365 users. This scam is an example of a Phishing Attack which employs URL spoofing in it’s execution.

What can you do? Follow our steps and see what things you need to look out for!

What is this OneDrive phishing scam?

The scam is disguised as a simple PDF attached to an email. Yet instead of opening the PDF, you are taken to a site outside of OneDrive and asked to enter your Microsoft credentials (login information)

The email could have a normal subject line such as ‘Payment’ or ‘Invoice’ but will probably contain no information in the body of the email. This is because it is replaced with the OneDrive shared file design, like this:

First, the OneDrive sharing email appears

When the user clicks open, they are taken to the actual Microsoft OneDrive storage account of that user where an image file has been uploaded.

Opening the link takes you to a live file in a personal OneDrive location

If you look at the top of the page, OneDrive gives you the option to ‘download’ the file. If this was a genuine email or a page with an attachment. These options wouldn’t be available.

This is actually uploaded as an image, which is why you are given the option to download

What is worrying, is that the link and placement of this file are genuine. Our engineer checked the certificate and can see that the site issues to

Our Engineer checked the certificate to check the OneDrive site was legitimate

If the user, then clicks on the attachment (which isn’t a clickable button as the whole page is an image) the user is taken to a site outside of OneDrive. However, the design is very convincing…

Clicking the attachment (image) takes you to a Microsoft credential login page

The user is then displayed with a login screen, requesting the user’s credentials. If you look at the top of the page, the URL has now changed. And again, our engineer has reviewed the certificate of this webpage and can see that this is not a genuine OneDrive link.

Identifying the URL shows that this is now outside the OneDrive link location
Our engineer spotted that this site is outside of OneDrive, but has recently been registered

Having trouble with email spam and phishing dangers?

We’ve just released our new software ‘SecureIT’ – a platform that actively trains users on how to avoid phishing dangers and spot fake emails before they do damage to your organisation.

Visit our overview page here or watch our quick introductory video:

Next steps

If you do find yourself in a situation where you aren’t sure if a link is genuine or not. Do not hesitate to get in contact.

Contact us on 02920 887 362 or email

You might also be interested in:

A Quick Intro to Patching

What is patching? And why do IT people talk about it so much?

When should you outsource your IT?

The short answer, and the one you’d expect from an IT support provider, is as soon as you can. But there’s a bit more to it than that.

Excellence on Ice