The OneDrive phishing scam is particularly dangerous because of how insidious it is. A seemingly innocuous email shows up in your Inbox with a subject something like “Document for [your name].” In the body of the email you see what looks like a familiar OneDrive notice about a document that has been shared with you by someone you know. Clicking the link or the folder forwards you to a familiar-looking Microsoft 365 sign-in box.

[Image: Microsoft 365 Authentication sign-in box]

You enter your email address, which is accepted, and then your password, which fails on the first attempt but succeeds on the second. You may end up at office.com or OneDrive, but you don’t have access or you don’t see the shared document. At this point you may become suspicious, but it’s too late: they now have your Microsoft 365 email address and password. They can get into your email, send spam in your name, and see, edit, or delete your OneDrive files. If you have administrative privileges they can wreak even more havoc. How can you avoid this scam?

How to Vet Your Email Messages

Every email that appears in your Inbox should be vetted, whether it’s from a friend or a foe (see image below).

  1. Are you expecting this email?
  2. Check the “sender,” not just the name, but also the email address.
  3. Hover over (don’t click) all links. A bubble will appear with the link destination.

OneDrive Phishing Scam - what to do

Now you’re equipped with all the information you need. If this is not an expected email, do not click on anything; contact the sender to see if they actually sent you this message. If it is expected or typical for the sender, still do steps 2 and 3 above. If either does not match, do not click on anything. You may still want to alert the sender so they can check whether their email account has been hacked.
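Steps 2 and 3 above can be applied mechanically to a saved message. The script below is an added example, not code from the original post: it parses a constructed fake “document shared” notice, compares the sender’s address (not just the display name) against a hypothetical list of known contacts, and does the “hover” check for every link by comparing the visible link text with the real destination. The allow lists and the sample message are assumptions made up for the example.

```python
from email import message_from_string
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample of a fake "document shared" notice (not a real message):
# the display name looks familiar, but the address and the link target do not.
SAMPLE_EMAIL = """\
From: "Jane Doe (OneDrive)" <notify@onedrive-share-docs.example>
Subject: Document for Alex
Content-Type: text/html

<html><body><p>Jane Doe shared a document with you.</p>
<p><a href="https://login.microsoftonline-secure.example/auth">https://onedrive.live.com/open?id=123</a></p></body></html>
"""
# Hypothetical allow lists: people you know, and domains a real share link should use.
TRUSTED_SENDERS = {"jane.doe@example.com"}
TRUSTED_LINK_DOMAINS = {"onedrive.live.com", "login.microsoftonline.com"}

class LinkCollector(HTMLParser):  # pairs the visible link text with the real href
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href") or "", []
    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)
    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append(("".join(self._text).strip(), self._href))
            self._href = None

def vet_email(raw, trusted_senders, trusted_domains):
    """Steps 2 and 3 from the article; returns a list of warnings (empty means nothing odd)."""
    msg = message_from_string(raw)
    warnings = []
    display_name, address = parseaddr(msg.get("From", ""))   # step 2: address, not just name
    if address.lower() not in trusted_senders:
        warnings.append(f"sender {address!r} (shown as {display_name!r}) is not a known contact")
    body = msg.get_payload(decode=True).decode(msg.get_content_charset() or "utf-8")
    collector = LinkCollector()
    collector.feed(body)
    for text, href in collector.links:                        # step 3: the "hover" check
        host = (urlparse(href).hostname or "").lower()
        if host not in trusted_domains:
            warnings.append(f"link goes to {host!r}, not an expected Microsoft domain")
        if text.startswith("http") and (urlparse(text).hostname or "").lower() != host:
            warnings.append(f"link text shows {text!r} but really points to {host!r}")
    return warnings
```

Run against the sample it reports three warnings: an unknown sender address, a link to a non-Microsoft host, and link text that does not match where the link actually goes.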

Additional Steps

Multifactor authentication would completely prevent this type of attack. When your Microsoft 365 administrator activates multifactor authentication, each time you log into Microsoft 365 you are asked for a verification code via text message or phone call; you might even use the Microsoft Authenticator app. This extra step thwarts scammers. Even if someone fell for this scam and the scammer had their Microsoft 365 email address and password, the scammer’s attempt to use those credentials would send a text, call, or email to the real user for verification, and that would stop the scammer in their tracks. It would also alert the user that their account has been compromised, allowing them to change their password. I strongly recommend multifactor authentication.

The other usual steps are:

  1. Always keep your Windows OS up-to-date by activating automatic Windows updates.
  2. Keep your antivirus up-to-date and run frequent virus checks.
  3. Never ever give anyone your Microsoft 365 password and change it regularly.
  4. Listen to your gut. If it looks fishy (phishy), delete it and call or text the sender.

Online scams are on a meteoric rise. Diligence will keep you safe. Please be careful!