Phishing via Compromised OneDrive

A recent trend in phishing attacks has been to use the victims OneDrive account to upload malicious content to, and then send out emails to contacts the victim has exchanged emails with before, and to use the same subject line, but with the content replaced with an email design intended to spoof the kinds of links to files which are now common ways of exchanging information.

One example of an email like this is below, where this was the whole content of the email recieved by the target:

In this case, the email contains 2 links, the first (shown hovering over the “32 kb” part of the email is a link to a previous victim’s OneDrive, which is genuinely hosted on  The main link is a new link which points to a new file uploaded to the compromised account’s OneDrive, which is a PDF.  The contents of the PDF is as below:

The link in the PDF is to a faked Microsoft login page to capture the user credentials and ensnare another victim.

This particular attack used the credentials gathered to try to immediately access very sensitive services in Microsoft Office365/Azure along with Skype for business, Office 365 and Exchange.  The compromise used these credentials to upload the malicious PDF to a new victim’s OneDrive, and used the email access to send out the next wave of phishing emails.

Other varients of a similar nature have used similarly simple looking emails containing only a link to malicious content hosted on SharePoint, which makes blocking the content more difficult.

It remains vital for users to be wary of ALL links in emails and the check their destination carefully, but this latest varient now also means the link may be entirely valid and to legitimate content hosted in the organisations own SharePoint instance after being uploaded to a compromised users OneDrive which makes it even more difficult for users to identify legitimate emails sharing content from phishing emails.

So far, we have not seen varients of this attack which accurately spoof the real microsoft format for sharing links via email, but users must not assume that content which looks like a legitimately shared link is trustworthy either as this seems only a matter of time.

What exactly is malware?


What does Malware mean?

Malware, short for malicious software, is a piece of code considered to be annoying or harmful that tries to infect a computer, phone or tablet. Hackers use malware for a variety of illegal purposes, most of which involve stealing the passwords that can gain access to your money or intellectual property, extracting sensitive information, or preventing users from having access to their device.

What is Malware

In terms of variety, malware is actually an umbrella term used to consolidate a range of malicious software. Malware can be installed by opening infected documents (such as .pdf files or macros embedded within Word or Excel for example).
Below are a few examples of the most common types of malware, followed by some information on what exactly they are and how they affect your device.




A computer virus is a piece of code that is installed onto your computer without your knowledge or permission. Some viruses are merely annoying, but most viruses tend to be destructive and are designed to infiltrate, infect and gain control over the system. A virus can spread across computers and connected networks by making copies of itself, replicating how a biological virus passes from person to person, infecting on the go.




Spyware is a type of malware that collects a variety of information about you and your computer system. This information could be your internet browsing history, computer usage habits, or even personal information such as credit card numbers and account details, including passwords. All the gathered information is then often passed through the internet to third parties without you knowing.




Ransomware is a type of malware that prevents or limits users from accessing their system, either by locking the system’s screen or by encrypting the users’ files; using a key that you don’t have until a ransom is paid. In recent years, ransomware has evolved and produced a new variant to its family, collectively known as crypto-ransomware. This new strain encrypts certain file types on infected systems and allows users’ to recover their files with a decryption key that requires the payment of the ransom through online payment methods.

A recent article on ‘ransomware as a service’ was published, as growth in this area is currently rocketing. Check out the blog post here.

How to protect your devices?

Most modern anti-malware products (free or paid for) will provide a sufficient level of protection against viruses and malware in general, but they need to be installed and running to be effective.

Spyware and Ransomware often are installed without your knowledge after clicking on links (either Phishing Emails or poisoned adverts on websites) – so if you remain savvy as to what a Phishing Email looks like and check the target address of links before clicking – you are already protecting yourself.

Further information on how to protect your data is available on the Information Security site (

Information Security Week

Monday 31st October through to Friday 4th November is the first Information Security Awareness week at Plymouth University.

The Enterprise Security team have been busy preparing materials focussing on a series of topics that can affect everyone and their use of technology. It also provides guidance on how to protect both your personal and work based information.

The team will be available for questioning in the Roland Levinsky Building between 1pm and 2pm on Monday, Tuesday and Friday and will be located in the Library between 1pm and 2pm on Wednesday and Thursday.

The dedicated site is at the following location: Information Security

Hopefully you will find something useful in the content and if you have any questions, come along and ask them in person.