2021-09-28: Warning about fraudulent emails with SharePoint or OneDrive links

Hello all,

 

I wanted to send a notice about a specific type of fraudulent email.  The message comes through as a share notice from OneDrive or SharePoint.  The message looks like a normal share notice that you would receive from a colleague (if they use these tools to share files).

 

What should set off red flags about these emails are the following:

  • If the sender isn't someone you recognize
  • If the sender is someone you recognize, but not someone you are expecting such a message from.
  • If you had clicked on the link - if something seems off about the destination page.  Common red flags after clicking the link are:
    • Being brought to a login page
    • Being shown information about something you have nothing to do with
    • A nested link (by that I mean - once you click on the link, you are then brought to a page with another link to get the actual contents).

This is easier to see with examples.

The first screenshot is an example of this email.  It looks like a relatively innocuous message - but the sender's name (which I've blocked out for privacy) was completely unknown to the recipient.

Screenshot of a phishing message - containing a link that actually goes to a Microsoft site since they host their next stage on a compromised OneDrive account

The second screenshot shows the destination page.  It is within Microsoft OneNote - and contains a link to an "Invoice".  That is a common thing for cybercriminals to use to pique your curiosity.  They want you to click to see if it is a legitimate invoice for something that you or your department may have ordered.  

Note: Cybercriminals for some reason love to throw random copy write info at the bottom.  They think it makes their message look more authentic - but if you're used to noticing it like me it makes it scream FRAUD.

Screenshot of the OneNote destination page - with the fraudulent 'invoice' link

If you had received this - and clicked both the link in the email, and the link in this OneNote page - you would see a login page purporting to be from Microsoft.  The address of the site (which I've highlighted in the screenshot) has NOTHING to do with Microsoft.

Screenshot of the fake Microsoft login page, with the URL highlighted to show it isn't legitimate

 

Though they use different methods to do it - their end goal is pretty standard - getting you to give your username & password out.

Thank you to those who reported this!

 

Print Article