Attack Spotlight: OneDrive Phishing Emails Lead to Credential Compromise

February 21, 2019
Aaron Jentzen

Proofpoint researchers have identified a trending phishing threat in which fraudulent emails invite recipients to view or download a document in Microsoft OneDrive, leading to credential compromise. Our latest Attack Spotlight, available now, provides free, timely content you can immediately share with your end users to help them avoid this attack.

These phishing emails contain links that take users to authentic-looking (but fake) OneDrive login pages designed to steal their login credentials. This attack is affecting numerous industries, and anyone can be a target.

Credential Compromise Attacks on the Rise

The OneDrive phishing campaign is part of a growing trend of credential compromise attacks. For our annual State of the Phish Report, we survey infosec professionals about the ways phishing attacks are affecting their organizations. This year, compromised accounts overtook malware infections as the most commonly identified impact of successful phishing attacks. In 2018, 65% of those surveyed reported credential compromise, a 70% increase over 2017 and a 280% rise since 2016.

Credential compromise can be especially devastating for an organization, since attackers could use a single set of stolen credentials to access a variety of corporate systems and sensitive content.

About Attack Spotlight

Each installment in our Attack Spotlight series highlights malicious tactics and lures that are being distributed at critical mass. We draw from Proofpoint’s world-class threat intelligence — which is based on analysis of billions of emails each day — and apply our security awareness training expertise to deliver actionable content that alerts infosec teams and end users to dangerous attack campaigns.

Each Attack Spotlight includes a two-minute awareness mini-module and a downloadable PDF that feature an example of an actual phishing email seen in the wild and explain the current threat in non-technical terms. Our customers have another way to use the content: lures based on Attack Spotlight are also added to ThreatSim® as simulated phishing templates.

We release new Attack Spotlights as pressing threats are identified, which means the time between spotting a trending attack and informing end users can be reduced dramatically, from months to days. Since July, we’ve helped to arm users against new Emotet trojan, DocuSign phishing campaigns, and Microsoft Office 365 credential compromise attacks.

We encourage you to take advantage of this free, high-quality content and incorporate it into your security awareness training program. You can access all available Attack Spotlights — including the OneDrive phishing content — via our website.