SOC Incident Toolkit
Invoice to Identity: How a OneDrive Phishing Campaign Tricked C-Level Executives

Tags: OneDrive Phishing, Microsoft Phishing, C-Level Targeting

This phishing campaign impersonates OneDrive document-share notifications, using subjects such as “Salary amendment.” The emails lure executives into clicking an “Open” button that leads to a fake Microsoft login page, where the credentials they enter are captured by the attackers.

Indicators of Compromise

Domains (61)

jointcomet.com
docphaser.com
interactdocs.com
sharedserve.com
sharedsheet.com
blenddocs.com
docutransit.com
docstackk.com
syncdocnotify.com
levitateo.com
letzdoc.com
sharinfile.com
sparfile.com
candiddocs.com
seamlessshare.com
bluedotshare.com
filealertsphere.com
sidedocuments.com
colabwithme.com
squadsdocs.com
+41 more
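The following is an added example, not part of the SOCRadar page, showing how a SOC would sweep URL-bearing mail-gateway and proxy log lines for the domain IOCs above. Only five of the listed domains are embedded (some deliberately in the defanged form a feed often uses; a real deployment loads the full list), and the log lines are constructed. Matching is by exact host or parent domain, so a subdomain of an IOC hits while an unrelated domain that merely contains the IOC string, or a lookalike that appends labels after it, does not.

```python
"""Added example (not from the SOCRadar page): match URLs seen in mail or
proxy logs against the campaign's domain IOCs.

The feed subset and the log lines below are constructed for the demonstration.
"""
import re
from urllib.parse import urlparse

# Subset of the domains listed on the page, written in the mix of plain and
# defanged forms a threat feed often arrives in.
IOC_FEED = """
jointcomet.com
docphaser[.]com
hxxps://interactdocs.com/
sharedserve.com
sharedsheet.com
"""

URL_RE = re.compile(r"https?://[^\s\"'<>]+", re.IGNORECASE)


def refang(entry: str) -> str:
    """Normalise a feed entry to a bare lower-case hostname."""
    s = entry.strip().lower()
    for defanged in ("[.]", "(.)", "{.}", "[dot]"):
        s = s.replace(defanged, ".")
    s = re.sub(r"^(hxxps?|https?)://", "", s)   # drop hxxp:// or http:// scheme
    return s.split("/")[0].rstrip(".")


def load_iocs(feed: str) -> set[str]:
    return {refang(line) for line in feed.splitlines() if line.strip()}


def matching_ioc(host: str, iocs: set[str]):
    """Return the IOC that `host` equals or is a subdomain of, else None.

    Walks parent domains label by label, so docs.jointcomet.com matches
    jointcomet.com while notjointcomet.com and sharedsheet.com.evil-example.net
    do not (a plain substring search would flag both as false positives).
    """
    labels = host.lower().rstrip(".").split(".")
    for i in range(len(labels) - 1):
        candidate = ".".join(labels[i:])
        if candidate in iocs:
            return candidate
    return None


def scan_line(line: str, iocs: set[str]) -> list[tuple[str, str]]:
    """All (url, matched_ioc) pairs found in one log line."""
    hits = []
    for url in URL_RE.findall(line):
        host = urlparse(url).hostname
        if host:
            ioc = matching_ioc(host, iocs)
            if ioc:
                hits.append((url, ioc))
    return hits


def scan_logs(lines, iocs: set[str]) -> list[tuple[int, str, str]]:
    """Return [(line_number, url, ioc)] for every IOC hit across the log."""
    findings = []
    for n, line in enumerate(lines, start=1):
        for url, ioc in scan_line(line, iocs):
            findings.append((n, url, ioc))
    return findings


# Constructed sample lines: a proxy click, a mail-gateway URL log, benign
# traffic, and two near-misses that substring matching would wrongly flag.
SAMPLE_LOGS = [
    '2024-05-06T09:12:41Z proxy user=cfo dst=https://docs.jointcomet.com/open?id=7f3a action=ALLOW',
    '2024-05-06T09:12:03Z mailgw msg=<a1@mx> subject="Salary amendment" url=http://interactdocs.com/share/Open',
    '2024-05-06T09:15:10Z proxy user=cfo dst=https://login.microsoftonline.com/common/oauth2 action=ALLOW',
    '2024-05-06T09:20:00Z proxy user=ceo dst=https://notjointcomet.com/ action=ALLOW',
    '2024-05-06T09:21:00Z proxy user=ceo dst=https://sharedsheet.com.evil-example.net/x action=ALLOW',
]

if __name__ == "__main__":
    iocs = load_iocs(IOC_FEED)
    for n, url, ioc in scan_logs(SAMPLE_LOGS, iocs):
        print(f"line {n}: {url} -> matches IOC {ioc}")
```

Running it reports lines 1 and 2 only; the microsoftonline.com traffic and the two near-miss hosts are not flagged. Feed the same functions your SIEM's URL and destination-host fields instead of `SAMPLE_LOGS`.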

Notes

Conclusion

The OneDrive phishing campaign highlights how threat actors continue to refine social engineering tactics to exploit trust in widely used platforms. By imitating document-sharing notifications and targeting executives, the attackers raise both the likelihood of credential theft and the potential impact on organizations. The use of Amazon SES, multiple domains, and adaptive email design makes detection harder, while the focus on HR and finance themes increases believability. The severity of this campaign is high, as successful compromises can enable unauthorized access to sensitive data, financial systems, and decision-making processes across sectors worldwide.

To stay ahead of such threats, security teams need layered defenses that include multi-factor authentication, strong email filtering, user awareness training, and continuous monitoring. Yet even these measures may not be enough without proactive threat intelligence and attack surface visibility.

If you want to strengthen your organization’s resilience, explore the advanced modules on SOCRadar.io (https://socradar.io/). Their solutions provide real-time phishing detection, digital risk protection, and threat intelligence feeds that help SOC teams identify, investigate, and respond to campaigns like this before damage occurs.

Mitigation

T1566.001 Phishing: Spearphishing Attachment

M1049  Antivirus/Antimalware (https://attack.mitre.org/mitigations/M1049)
       Anti-virus can also automatically quarantine suspicious files.

M1047  Audit (https://attack.mitre.org/mitigations/M1047)
       Enable auditing and monitoring for email attachments and file transfers to detect and investigate suspicious activity. Regularly review logs for anomalies related to attachments containing potentially malicious content, as well as any attempts to execute or interact with these files. This practice helps identify spearphishing attempts before they can lead to further compromise.

M1031  Network Intrusion Prevention (https://attack.mitre.org/mitigations/M1031)
       Network intrusion prevention systems and systems designed to scan and remove malicious email attachments can be used to block activity.

M1021  Restrict Web-Based Content (https://attack.mitre.org/mitigations/M1021)
       Block unknown or unused attachments by default that should not be transmitted over email as a best practice to prevent some vectors, such as .scr, .exe, .pif, .cpl, etc. Some email scanning devices can open and analyze compressed and encrypted formats, such as zip and rar, that may be used to conceal malicious attachments.

M1054  Software Configuration (https://attack.mitre.org/mitigations/M1054)
       Use anti-spoofing and email authentication mechanisms to filter messages based on validity checks of the sender domain (using SPF) and integrity of messages (using DKIM). Enabling these mechanisms within an organization (through policies such as DMARC) may enable recipients (intra-org and cross domain) to perform similar message filtering and validation.

M1018  User Account Management (https://attack.mitre.org/mitigations/M1018)
       Apply user account management principles to limit permissions for accounts interacting with email attachments, ensuring that only necessary accounts have the ability to open or execute files. Restricting account privileges reduces the potential impact of malicious attachments by preventing unauthorized execution or spread of malware within the environment.

M1017  User Training (https://attack.mitre.org/mitigations/M1017)
       Users can be trained to identify social engineering techniques and spearphishing emails.

T1566.002 Phishing: Spearphishing Link

M1047  Audit (https://attack.mitre.org/mitigations/M1047)
       Audit applications and their permissions to ensure access to data and resources are limited based upon necessity and principle of least privilege.

M1021  Restrict Web-Based Content (https://attack.mitre.org/mitigations/M1021)
       Determine if certain websites that can be used for spearphishing are necessary for business operations and consider blocking access if activity cannot be monitored well or if it poses a significant risk.

M1054  Software Configuration (https://attack.mitre.org/mitigations/M1054)
       Use anti-spoofing and email authentication mechanisms to filter messages based on validity checks of the sender domain (using SPF) and integrity of messages (using DKIM). Enabling these mechanisms within an organization (through policies such as DMARC) may enable recipients (intra-org and cross domain) to perform similar message filtering and validation.

M1018  User Account Management (https://attack.mitre.org/mitigations/M1018)
       Azure AD Administrators apply limitations upon the ability for users to grant consent to unfamiliar or unverified third-party applications.

M1017  User Training (https://attack.mitre.org/mitigations/M1017)
       Users can be trained to identify social engineering techniques and spearphishing emails with malicious links, which includes phishing for consent with OAuth 2.0. Additionally, users may perform visual checks of the domains they visit; however, homographs in ASCII and in IDN domains and URL schema obfuscation may render manual checks difficult. Use email warning banners to alert users when emails contain links from external senders, prompting them to exercise caution and reducing the likelihood of falling victim to spearphishing attacks. Phishing training and other cybersecurity training may raise awareness to check URLs before visiting the sites.
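M1054 (SPF, DKIM and DMARC) appears under both techniques above. The added example below, which is not from the page or from MITRE, recomputes the DMARC verdict from the SPF and DKIM clauses a receiving gateway records in Authentication-Results, and illustrates the caveat a practitioner needs for this campaign. The Notes section records that the mail was sent through Amazon SES; a sender who authenticates a domain they own through such a relay passes SPF, DKIM and DMARC, so authentication blocks a direct spoof of microsoft.com but says nothing about a lookalike sender such as jointcomet.com. That case has to be caught by the IOC list or by a display-name impersonation rule, which the example also applies. Both messages, the DMARC policy table, the Microsoft domain set and the assumption that the attacker DKIM-signs their own domain are constructed for the demonstration.

```python
"""Added example, not code from the SOCRadar page or from MITRE: recompute the
DMARC verdict from the SPF/DKIM clauses in Authentication-Results and show the
limit of M1054 against a lookalike domain sent through a legitimate relay.

Both messages and the policy table are constructed. The first models the page's
note that the campaign used Amazon SES: the attacker is assumed to DKIM-sign a
domain they own, so authentication passes cleanly.
"""
import re
from email import message_from_string
from email.utils import parseaddr

# Stand-in for the _dmarc.<domain> TXT lookup a real verifier performs. The
# microsoft.com policy is an assumption for the example; the attacker's
# throwaway domain publishes nothing, which is treated as p=none.
DMARC_POLICY = {"microsoft.com": "reject"}

# Domains from which genuine OneDrive/SharePoint notifications are expected
# (assumed list for the example).
MICROSOFT_DOMAINS = {"microsoft.com", "microsoftonline.com", "sharepointonline.com"}
BRAND_WORDS = ("microsoft", "onedrive", "sharepoint")

CLAUSE_RE = re.compile(r"^\s*(?P<method>[a-z]+)=(?P<result>[a-z]+)(?P<rest>.*)$", re.I)
PROP_RE = re.compile(r"([a-z]+\.[a-z]+)=(\S+)", re.I)


def org_domain(host: str) -> str:
    """Organisational domain approximated as the last two labels; a production
    verifier must use the Public Suffix List (co.uk etc.) instead."""
    return ".".join(host.lower().rstrip(".").split(".")[-2:])


def parse_auth_results(header: str) -> dict:
    """'authserv-id; spf=pass smtp.mailfrom=a; dkim=pass header.d=b' ->
    {'spf': ('pass', {'smtp.mailfrom': 'a'}), 'dkim': ('pass', {'header.d': 'b'})}"""
    parsed = {}
    for clause in header.split(";")[1:]:          # clause 0 is the authserv-id
        m = CLAUSE_RE.match(clause)
        if m:
            props = {k.lower(): v.lower() for k, v in PROP_RE.findall(m["rest"])}
            parsed[m["method"].lower()] = (m["result"].lower(), props)
    return parsed


def evaluate(raw: str) -> dict:
    """DMARC with relaxed alignment: pass if SPF or DKIM passed for a domain in
    the same organisational domain as the RFC5322.From. Separately flag a brand
    name in the display name that the From domain does not back up, which is
    what authentication alone never checks."""
    msg = message_from_string(raw)
    display, addr = parseaddr(msg["From"] or "")
    from_org = org_domain(addr.rpartition("@")[2])
    ar = parse_auth_results(msg["Authentication-Results"] or "")

    spf_result, spf_props = ar.get("spf", ("none", {}))
    dkim_result, dkim_props = ar.get("dkim", ("none", {}))
    mailfrom = spf_props.get("smtp.mailfrom", "").rpartition("@")[2]

    spf_aligned = spf_result == "pass" and org_domain(mailfrom) == from_org
    dkim_aligned = dkim_result == "pass" and org_domain(dkim_props.get("header.d", "")) == from_org
    dmarc = "pass" if (spf_aligned or dkim_aligned) else "fail"
    policy = DMARC_POLICY.get(from_org, "none")
    impersonation = any(w in display.lower() for w in BRAND_WORDS) and from_org not in MICROSOFT_DOMAINS

    return {
        "from_domain": from_org,
        "spf_aligned": spf_aligned,
        "dkim_aligned": dkim_aligned,
        "dmarc": dmarc,
        "disposition": "deliver" if dmarc == "pass" or policy == "none" else policy,
        "brand_impersonation": impersonation,
    }


# Constructed: lookalike domain relayed through SES. SES's default MAIL FROM is
# under amazonses.com, so SPF passes but does not align; DKIM for the attacker's
# own domain passes and aligns, which satisfies DMARC.
LOOKALIKE_VIA_SES = """\
From: "Microsoft OneDrive" <share@jointcomet.com>
To: cfo@example.org
Subject: Salary amendment
Authentication-Results: mx.example.org; spf=pass smtp.mailfrom=bounce@amazonses.com; dkim=pass header.d=jointcomet.com header.s=ses; dmarc=pass header.from=jointcomet.com

A document was shared with you. Open
"""

# Constructed: a direct spoof of the genuine sender domain, unsigned.
SPOOFED_MICROSOFT = """\
From: "Microsoft OneDrive" <no-reply@microsoft.com>
To: cfo@example.org
Subject: Salary amendment
Authentication-Results: mx.example.org; spf=fail smtp.mailfrom=microsoft.com; dkim=none

A document was shared with you. Open
"""

if __name__ == "__main__":
    for name, raw in (("lookalike via SES", LOOKALIKE_VIA_SES), ("spoofed microsoft.com", SPOOFED_MICROSOFT)):
        print(name, evaluate(raw))
```

The spoof of microsoft.com fails DMARC and is rejected by its publisher's policy; the SES-relayed lookalike passes DMARC and would be delivered, and only the `brand_impersonation` flag (display name claims Microsoft, From domain is not a Microsoft domain) marks it. Treat SPF/DKIM/DMARC as a check on who sent the mail, not on whether that sender is benign, and pair it with domain IOCs and impersonation rules.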