New Phishing Attack Via OneDrive Attacking C-level Employees for Corporate Credentials

A spear-phishing campaign has been identified targeting senior executives and C-suite personnel across various industries, utilizing Microsoft OneDrive as the primary vector for attack.

The campaign involves emails crafted to appear as internal HR communications regarding salary changes, aiming to deceive high-profile targets into disclosing their corporate credentials.

This threat signifies an escalation in social engineering tactics, combining personalized content with advanced evasion techniques to bypass traditional security measures.

Attackers begin by sending benign emails to “warm up” recipient inboxes before launching the actual phishing attempts.

The malicious emails include subject lines such as “Salary amendment” or “FIN_SALARY” and mimic legitimate OneDrive document-sharing notifications.

Each email is customized with the recipient’s name and company details, enhancing the credibility and potential success of the campaign.

Stripe OLT analysts identified this campaign, noting the use of Amazon Simple Email Service (SES) for delivery and rotation through approximately 80 domains and subdomains to avoid detection.

The infrastructure includes multiple service providers, such as Cloudflare for DNS services, Akamai Cloud for hosting, and Mat Bao Corporation for domain registration, reflecting sophisticated operational security.

Advanced Evasion Techniques

The campaign uses anti-detection methods that exploit display differences between email clients. In light mode, the email buttons appear as standard “Open” and “Share” labels, but in dark mode, hidden padding made up of randomized alphanumeric strings becomes visible. This padding helps the message bypass the string-based detection rules used by secure email gateways.

The credential harvesting page mimics a Microsoft Office/OneDrive login interface, requesting authentication details under the guise of accessing a secure salary document.

The phishing URLs are designed for single-use, self-destructing after access to eliminate forensic evidence and complicate incident response.

Security teams can use targeted hunting queries to detect potential compromise attempts.

The following KQL query can identify emails with matching subject patterns:

EmailEvents
| where Subject contains "FIN_SALARY"
| where EmailDirection == "Inbound"
| project Timestamp, RecipientEmailAddress, SenderMailFromDomain, Subject

Organizations should block the identified malicious domains, including letzdoc.com, hr-fildoc.com, and docutransit.com, and implement enhanced awareness training for executives and administrative staff, who remain primary targets for these sophisticated attacks.
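The hunting and blocking guidance above can be combined into a single triage routine. The following Python example is added here and is not code from the article or from Stripe OLT. It takes the indicators the article names (the “FIN_SALARY” and “Salary amendment” subjects, the three listed domains) and adds a check for the dark-mode padding trick: text nested inside an element whose inline style colours it to match a light background is extracted and flagged when it looks like a randomized alphanumeric run. The exact CSS the campaign uses is not given in the article, so matching on a light text colour is an assumption; the email records and HTML bodies are constructed sample data.

```python
"""Triage email records for the OneDrive salary-lure indicators described above."""
import re
from html.parser import HTMLParser

# Indicators from the article: lure subjects and phishing domains.
SUBJECT_PATTERNS = [re.compile(p, re.IGNORECASE) for p in (r"FIN_SALARY", r"salary\s+amendment")]
BLOCKED_DOMAINS = {"letzdoc.com", "hr-fildoc.com", "docutransit.com"}
# Assumed hiding technique: padding text coloured to match a light-mode background.
LIGHT_COLOURS = {"#fff", "#ffffff", "white", "#fefefe", "transparent"}
# Randomized alphanumeric padding: 8+ characters mixing letters and digits.
RANDOM_RUN = re.compile(r"^(?=.*\d)(?=.*[A-Za-z])[A-Za-z0-9]{8,}$")
VOID_TAGS = {"br", "img", "hr", "input", "meta", "link"}


def is_light_text(style):
    """True if an inline style sets the text colour to a light-background colour."""
    for decl in style.split(";"):
        name, _, value = decl.partition(":")
        if name.strip().lower() == "color" and value.strip().lower() in LIGHT_COLOURS:
            return True
    return False


class HiddenTextFinder(HTMLParser):
    """Collect text nested inside elements styled light-on-light."""

    def __init__(self):
        super().__init__()
        self._stack = []  # one hidden/visible flag per open element
        self.hidden_text = []

    def handle_starttag(self, tag, attrs):
        if tag not in VOID_TAGS:  # void elements never get a closing tag
            self._stack.append(is_light_text(dict(attrs).get("style") or ""))

    def handle_endtag(self, tag):
        if tag not in VOID_TAGS and self._stack:
            self._stack.pop()

    def handle_data(self, data):
        if any(self._stack) and data.strip():
            self.hidden_text.append(data.strip())


def hidden_random_runs(html_body):
    """Return hidden text fragments that look like randomized alphanumeric padding."""
    finder = HiddenTextFinder()
    finder.feed(html_body)
    finder.close()
    return [t for t in finder.hidden_text if RANDOM_RUN.match(t)]


def triage(event):
    """Return the indicators an inbound email record matches (empty list if none)."""
    reasons = []
    if event["direction"] != "Inbound":
        return reasons
    if any(p.search(event["subject"]) for p in SUBJECT_PATTERNS):
        reasons.append("subject")
    if event["sender_domain"].lower() in BLOCKED_DOMAINS:
        reasons.append("blocked_domain")
    runs = hidden_random_runs(event["html_body"])
    if runs:
        reasons.append(f"hidden_padding:{len(runs)}")
    return reasons


# Constructed sample records; the first imitates the lure layout described above.
EVENTS = [
    {"subject": "FIN_SALARY - action required", "direction": "Inbound",
     "sender_domain": "hr-fildoc.com",
     "html_body": ('<html><body><p>A document has been shared with you.</p>'
                   '<a href="https://example.invalid/open">Open'
                   '<span style="color:#ffffff;font-size:1px">Q7pz9Kd3mX</span></a>'
                   '<a href="https://example.invalid/share">Share'
                   '<span style="color: white">a8Bc2dE4fG</span></a></body></html>')},
    {"subject": "Q3 planning notes", "direction": "Inbound", "sender_domain": "example.com",
     "html_body": "<html><body><p>Agenda attached.</p></body></html>"},
    {"subject": "Salary amendment", "direction": "Outbound", "sender_domain": "example.com",
     "html_body": "<html><body><p>Forwarding for review.</p></body></html>"},
]

if __name__ == "__main__":
    for event in EVENTS:
        print(event["subject"], "->", triage(event) or "clean")
```

The subject and domain checks mirror the KQL hunt and the blocklist; the hidden-text check is what a gateway rule keyed on visible button labels misses, because the padding only shows when the rendering background changes. Matching on light colours will not catch every hiding technique, so treat it as one signal to combine with the others rather than a verdict on its own.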
