Fake OneDrive phishing email targeting corporate executives to steal Microsoft Office 365 credentials

A new spearphishing campaign is targeting corporate executives by sending fake OneDrive document-sharing emails with urgent subject lines like “Salary amendment” or “FIN_SALARY.” These emails impersonate internal HR messages and lead victims to realistic Microsoft Office 365 login pages designed to steal credentials.

Fake OneDrive phishing email targeting corporate executives to steal Microsoft Office 365 credentialsFake OneDrive phishing email targeting corporate executives to steal Microsoft Office 365 credentials

Attackers customize emails with recipients’ names and company details, making the scam highly convincing. They use Amazon SES and rotate dozens of domains to evade detection, employing obfuscation techniques and self-destructing links to avoid forensic tracing.

Because executives often receive many urgent messages, they may overlook warning signs, increasing the risk of credential compromise.

Fake OneDrive phishing email targeting corporate executives to steal Microsoft Office 365 credentialsFake OneDrive phishing email targeting corporate executives to steal Microsoft Office 365 credentials

How to Protect:

  • Train executives and assistants to verify suspicious HR-related links.
  • Encourage accessing documents only via official corporate portals.
  • Implement rapid reporting for suspicious emails.
  • Use technical controls to block malicious domains and monitor indicators of compromise.


NPAV offers a robust solution to combat cyber fraud. Protect yourself with our top-tier security product, Z Plus Security