
Invoice to Identity: How a OneDrive Phishing Campaign Tricked C-Level Executives
OneDrive Phishing, Microsoft Phishing, C-Level Targeting
This phishing campaign poses as OneDrive document-share notifications, using subjects such as "Salary amendment" to target executives. The email pushes the recipient to click an "Open" button that leads to a fake Microsoft login page, where the entered credentials are harvested. The attacker domains used in the campaign are listed below; the lure relies on the recipient trusting the OneDrive branding rather than checking the sending domain or the link destination.
Indicators of Compromise
| Indicator | Type | Source | Date |
|---|---|---|---|
| jointcomet.com | Domain | SOCRadar | 2025-10-08 |
| docphaser.com | Domain | SOCRadar | 2025-10-08 |
| interactdocs.com | Domain | SOCRadar | 2025-10-08 |
| sharedserve.com | Domain | SOCRadar | 2025-10-08 |
| sharedsheet.com | Domain | SOCRadar | 2025-10-08 |
| blenddocs.com | Domain | SOCRadar | 2025-10-08 |
| docutransit.com | Domain | SOCRadar | 2025-10-08 |
| docstackk.com | Domain | SOCRadar | 2025-10-08 |
| syncdocnotify.com | Domain | SOCRadar | 2025-10-08 |
| levitateo.com | Domain | SOCRadar | 2025-10-08 |
| letzdoc.com | Domain | SOCRadar | 2025-10-08 |
| sharinfile.com | Domain | SOCRadar | 2025-10-08 |
| sparfile.com | Domain | SOCRadar | 2025-10-08 |
| candiddocs.com | Domain | SOCRadar | 2025-10-08 |
| seamlessshare.com | Domain | SOCRadar | 2025-10-08 |
| bluedotshare.com | Domain | SOCRadar | 2025-10-08 |
| filealertsphere.com | Domain | SOCRadar | 2025-10-08 |
| sidedocuments.com | Domain | SOCRadar | 2025-10-08 |
| colabwithme.com | Domain | SOCRadar | 2025-10-08 |
| squadsdocs.com | Domain | SOCRadar | 2025-10-08 |
| karrofile.com | Domain | SOCRadar | 2025-10-08 |
| signifile.com | Domain | SOCRadar | 2025-10-08 |
| baccatelo.com | Domain | SOCRadar | 2025-10-08 |
| filersharing.com | Domain | SOCRadar | 2025-10-08 |
| documentreplublic.com | Domain | SOCRadar | 2025-10-08 |
| bizchrod.com | Domain | SOCRadar | 2025-10-08 |
| quotadocu.com | Domain | SOCRadar | 2025-10-08 |
| docutug.com | Domain | SOCRadar | 2025-10-08 |
| hr-fildoc.com | Domain | SOCRadar | 2025-10-08 |
| foliodocs.com | Domain | SOCRadar | 2025-10-08 |
| ventordocs.com | Domain | SOCRadar | 2025-10-08 |
| docsinsertio.com | Domain | SOCRadar | 2025-10-08 |
| suprshare.com | Domain | SOCRadar | 2025-10-08 |
| casualdocs.com | Domain | SOCRadar | 2025-10-08 |
| spdocsync.com | Domain | SOCRadar | 2025-10-08 |
| seenfile.com | Domain | SOCRadar | 2025-10-08 |
| fileagenda.com | Domain | SOCRadar | 2025-10-08 |
| pingarchive.com | Domain | SOCRadar | 2025-10-08 |
| notifydocshub.com | Domain | SOCRadar | 2025-10-08 |
| documentmagnet.com | Domain | SOCRadar | 2025-10-08 |
| unfolddocs.com | Domain | SOCRadar | 2025-10-08 |
| collabeam.com | Domain | SOCRadar | 2025-10-08 |
| doculibr.com | Domain | SOCRadar | 2025-10-08 |
| vivedocs.com | Domain | SOCRadar | 2025-10-08 |
| filecomrade.com | Domain | SOCRadar | 2025-10-08 |
| mergepads.com | Domain | SOCRadar | 2025-10-08 |
| shareinsync.com | Domain | SOCRadar | 2025-10-08 |
| grouperdocs.com | Domain | SOCRadar | 2025-10-08 |
| filershare.com | Domain | SOCRadar | 2025-10-08 |
| onpointcollab.com | Domain | SOCRadar | 2025-10-08 |
| documentsforall.com | Domain | SOCRadar | 2025-10-08 |
| stratusedit.com | Domain | SOCRadar | 2025-10-08 |
| pipelinedocs.com | Domain | SOCRadar | 2025-10-08 |
| paneldocument.com | Domain | SOCRadar | 2025-10-08 |
| mysharedfiling.com | Domain | SOCRadar | 2025-10-08 |
| outzanycy.com | Domain | SOCRadar | 2025-10-08 |
| docleash.com | Domain | SOCRadar | 2025-10-08 |
| takshare.com | Domain | SOCRadar | 2025-10-08 |
| huddledoc.com | Domain | SOCRadar | 2025-10-08 |
| documentpocket.com | Domain | SOCRadar | 2025-10-08 |
| wesharedocs.com | Domain | SOCRadar | 2025-10-08 |
Campaign Guidance
Remediation, mitigation, notes, history and related intelligence
T1566.001 Phishing: Spearphishing Attachment
T1566.002 Phishing: Spearphishing Link
T1204.001 User Execution: Malicious Link
T1566.001 Phishing: Spearphishing Attachment
| ID | Data Source | Data Component | Detects |
|---|---|---|---|
| DS0015 | Application Log | Application Log Content | Monitor third-party application logs, messaging, and other artifacts that may reveal spearphishing emails carrying a malicious attachment sent to gain access to victim systems. Filtering on DKIM and SPF results or on header analysis can help detect a spoofed sender. Anti-virus can potentially detect malicious documents and attachments as they are scanned on the email server or on the user's computer. Monitor for suspicious descendant processes spawned by Microsoft Office and other productivity software. |
| DS0022 | File | File Creation | Monitor for newly created files originating from spearphishing emails with a malicious attachment sent to gain access to victim systems. |
| DS0029 | Network Traffic | Network Traffic Content | Monitor for clicks on phishing links leading to credential harvesting, traffic to newly registered or suspicious domains, hidden redirect chains embedded in phishing emails, or downloads of secondary payloads from phishing domains. |
T1566.002 Phishing: Spearphishing Link
| ID | Data Source | Data Component | Detects |
|---|---|---|---|
| DS0015 | Application Log | Application Log Content | Monitor third-party application logs, messaging, and other artifacts that may reveal spearphishing emails carrying a malicious link sent to gain access to victim systems. Filtering on DKIM and SPF results or on header analysis can help detect a spoofed sender. URL inspection within email (including expanding shortened links and identifying obfuscated URLs) can help detect links leading to known malicious sites. |
| DS0029 | Network Traffic | Network Traffic Content | Monitor and analyze SSL/TLS traffic patterns and inspect packets for protocols that do not follow the expected protocol standards and traffic flows (e.g. extraneous packets that do not belong to established flows, gratuitous or anomalous traffic patterns, anomalous syntax or structure). |
T1204.001 User Execution: Malicious Link
| ID | Data Source | Data Component | Detects |
|---|---|---|---|
| DS0029 | Network Traffic | Network Traffic Content | Monitor and analyze SSL/TLS traffic patterns and inspect packets for protocols that do not follow the expected protocol standards and traffic flows (e.g. extraneous packets that do not belong to established flows, gratuitous or anomalous traffic patterns, anomalous syntax or structure). |
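As an added hunting example (not SOCRadar's code and not part of the original campaign writeup), the following Python script applies the indicator list above together with the header and URL checks from the detection tables to raw messages: it reads SPF/DKIM/DMARC verdicts from the Authentication-Results header, flags a Microsoft or OneDrive display name whose sending domain is not a Microsoft one, extracts link hosts from the HTML body and matches them (subdomains included) against the campaign domains, and tags a salary/invoice-style lure subject. The IOC subset, the Microsoft sending-domain list, the lure keyword list and the two sample messages are constructed for illustration and are assumptions, not data from the page.

```python
import re
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlparse

# Subset of the campaign indicators listed on this page; load the full feed in
# production instead of hard-coding (constructed selection for the example).
IOC_DOMAINS = {
    "docphaser.com", "sharedserve.com", "hr-fildoc.com",
    "syncdocnotify.com", "wesharedocs.com",
}

# Domains Microsoft sends OneDrive/SharePoint share notifications from.
# Assumption: tune this to what your tenant actually observes.
MS_SENDER_DOMAINS = {
    "microsoft.com", "microsoftonline.com", "sharepointonline.com",
    "onedrive.com", "sharepoint.com", "office.com",
}
MS_BRAND = re.compile(r"onedrive|sharepoint|microsoft|office 365", re.I)
# Lure themes reported for the campaign; constructed keyword list.
LURE_SUBJECT = re.compile(r"salary|amendment|payroll|invoice|bonus|contract", re.I)


def host_in(host, domains):
    """True if host equals a listed domain or sits beneath it (share.docphaser.com)."""
    host = (host or "").lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in domains)


def auth_results(msg):
    """Pull spf/dkim/dmarc verdicts out of the Authentication-Results header(s)."""
    hdr = " ".join(msg.get_all("Authentication-Results", []))
    return {m.lower(): v.lower()
            for m, v in re.findall(r"\b(spf|dkim|dmarc)=(\w+)", hdr, re.I)}


def body_text(msg):
    """Concatenate every text/* part, decoding with the declared charset."""
    parts = msg.walk() if msg.is_multipart() else [msg]
    chunks = []
    for part in parts:
        if part.get_content_maintype() == "text":
            raw = part.get_payload(decode=True) or b""
            chunks.append(raw.decode(part.get_content_charset() or "utf-8", "replace"))
    return "\n".join(chunks)


def link_hosts(html):
    """Hostnames of every http(s) href in the body (the 'Open' button included)."""
    urls = re.findall(r"""href\s*=\s*["']?(https?://[^"'\s>]+)""", html, re.I)
    return {urlparse(u).hostname for u in urls if urlparse(u).hostname}


def analyze(raw_message):
    """Return a verdict plus the findings behind it for one RFC 822 message."""
    msg = message_from_string(raw_message)
    findings = []
    display, addr = parseaddr(msg.get("From", ""))
    sender_domain = addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""

    if host_in(sender_domain, IOC_DOMAINS):
        findings.append(f"sender domain is a campaign IOC: {sender_domain}")
    # Brand in the display name but not sent by Microsoft: the OneDrive spoof itself.
    if MS_BRAND.search(display) and not host_in(sender_domain, MS_SENDER_DOMAINS):
        findings.append(f"Microsoft brand in display name, sent from {sender_domain}")
    results = auth_results(msg)
    if not results:
        findings.append("no Authentication-Results header")
    for mech, verdict in sorted(results.items()):
        if verdict != "pass":
            findings.append(f"{mech}={verdict}")

    hosts = link_hosts(body_text(msg))
    ioc_hosts = sorted(h for h in hosts if host_in(h, IOC_DOMAINS))
    findings.extend(f"link to campaign IOC: {h}" for h in ioc_hosts)
    if LURE_SUBJECT.search(str(msg.get("Subject", ""))) and any(
            not host_in(h, MS_SENDER_DOMAINS) for h in hosts):
        findings.append("financial/HR lure subject with a non-Microsoft share link")

    if ioc_hosts or host_in(sender_domain, IOC_DOMAINS):
        verdict = "block"          # hard match on the indicator list
    elif len(findings) >= 2:
        verdict = "quarantine"     # spoof heuristics only; needs a human look
    else:
        verdict = "allow"
    return {"verdict": verdict, "findings": findings, "ioc_hosts": ioc_hosts}


# Constructed sample messages (not real captures).
PHISH_SAMPLE = """\
From: "OneDrive" <noreply@docphaser.com>
To: cfo@example.com
Subject: Salary amendment - Q4
Authentication-Results: mx.example.com; spf=fail smtp.mailfrom=docphaser.com; dkim=none; dmarc=fail
Content-Type: text/html

<html><body><p>A document has been shared with you.</p>
<a href="https://share.docphaser.com/open?id=7a3f">Open</a></body></html>
"""

LEGIT_SAMPLE = """\
From: "Microsoft OneDrive" <no-reply@sharepointonline.com>
To: cfo@example.com
Subject: Alice shared "Board deck" with you
Authentication-Results: mx.example.com; spf=pass smtp.mailfrom=sharepointonline.com; dkim=pass header.d=sharepointonline.com; dmarc=pass
Content-Type: text/html

<html><body><a href="https://contoso-my.sharepoint.com/:p:/g/personal/alice/abc">Open</a></body></html>
"""

if __name__ == "__main__":
    for sample in (PHISH_SAMPLE, LEGIT_SAMPLE):
        print(analyze(sample))
```

Subdomain matching matters here: the campaign domains are used as apex domains for lookalike share hosts, so an exact-match blocklist would miss `share.docphaser.com` while `host_in` catches it without also matching `docphaser.com.example.net`. The verdict thresholds are a starting point, not policy.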
Observed Countries (8)
AU (649)
DE (334)
FR (718)
GB (684)
IN (564)
NL (386)
SG (738)
US (661)