OneDrive Phishing Attack Targets Corporate Executives for Credential Theft

A newly discovered spearphishing campaign is targeting executives and senior leadership across multiple industries by exploiting trusted OneDrive document‐sharing notifications.

The Stripe OLT SOC has identified this sophisticated attack, which leverages highly tailored emails to impersonate internal HR communications and harvest corporate credentials through a convincing Microsoft Office/OneDrive login page.

At the heart of the campaign are subject lines referencing “Salary amendment” or “FIN_SALARY,” designed to trigger concern and urgency among C-suite and leadership recipients.

Emails appear to originate from OneDrive’s document-sharing system, claiming that a shared file requires immediate review. When clicked, the embedded link directs victims to a credential theft page that perfectly mimics Microsoft’s Office 365 login interface.

Both the phishing email and the subsequent login page are customized with the recipient’s name and company details, lending an air of authenticity that fools even vigilant professionals.

Actors behind this ...