OneDrive & SharePoint Phishing

The NJCCIC has detected an increase in phishing attempts using Microsoft OneDrive and SharePoint. Attackers attempt to steal a victim’s account credentials using a legitimate OneDrive login page, allowing it to bypass security protocols. A new social engineering tactic observed is that the threat actor, masquerading as a Microsoft employee, may call the victim while they are retrieving their multi-factor authentication (MFA), and ask to verify the authentication code. It is important to note that Microsoft will never call to verify this code. MFA is still a highly effective protective measure and should still be utilized. The only limiting factor is the person being influenced by social engineering. The threat actor then has control over the victim’s Office 365 account with the ability to view or manipulate files and send emails, continuing the phishing attack life-cycle. The NJCCIC highly recommends users avoid clicking on any links contained in suspicious emails. If the user is uncertain of the email’s legitimacy, contact the sender via an alternate method. We advise users refrain from responding to the email, as the threat actor may have access. The NJCCIC encourages users who believe their account may have been compromised to send a screen shot of the suspicious email to, and notify their agency ISO, Email Admin, or Helpdesk to assist in remediating the issue.