A sophisticated spear-phishing campaign has emerged targeting senior executives and C-suite personnel across multiple industries, leveraging Microsoft OneDrive as the primary attack vector.
The campaign utilizes carefully crafted emails masquerading as internal HR communications about salary amendments to trick high-profile targets into surrendering their corporate credentials.
This latest threat represents a concerning escalation in social engineering tactics, combining personalized content with advanced evasion techniques to bypass traditional security measures.
The attackers employ a methodical approach, beginning with “warming up” recipient inboxes by sending benign preliminary emails days before launching the actual phishing attempt.
The malicious emails feature subject lines containing “Salary amendment” or “FIN_SALARY” references and appear as legitimate OneDrive document-sharing notifications.
Each message is meticulously customized with the recipient’s name and company details, significantly enhancing the campaign’s credibility and likelihood of success.
Stripe OLT analysts identified this campaign while monitoring threat landscape activities, discovering that attackers are utilizing Amazon Simple Email Service (SES) infrastructure for delivery while rotating through approximately 80 different domains and subdomains to evade detection.
The phishing infrastructure spans multiple service providers, including Cloudflare for DNS services, Akamai Cloud for hosting, and primarily Mat Bao Corporation for domain registration, demonstrating the campaign’s sophisticated operational security approach.
Advanced Evasion Techniques
The campaign employs particularly clever anti-detection mechanisms that exploit email client display differences. When viewed in standard light mode, email buttons appear as innocuous “Open” and “Share” labels.
However, switching to dark mode reveals concealed padding containing randomized alphanumeric strings such as “twPOpenHuxv” and “gQShareojxYl” that fragment high-value trigger words, effectively circumventing string-based detection rules employed by secure email gateways.
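As an added defensive example (not Stripe OLT's or the campaign's code), the following Python uses the standard library's html.parser to compare each link's raw text with its visibly rendered text and flags buttons whose label is wrapped in hidden padding; the sample HTML is constructed around the "twPOpenHuxv" and "gQShareojxYl" strings quoted above, and the hidden-style heuristic and example.invalid URLs are assumptions.

```python
import re
from html.parser import HTMLParser

# Constructed sample (not from the campaign): two OneDrive-style buttons whose
# padding characters are hidden in light mode, plus one ordinary link.
SAMPLE_HTML = """
<a href="https://example.invalid/doc"><span style="color:#ffffff">twP</span>Open<span style="color:#ffffff">Huxv</span></a>
<a href="https://example.invalid/share"><span style="font-size:0">gQ</span>Share<span style="font-size:0">ojxYl</span></a>
<a href="https://example.invalid/help">Help</a>
"""

# Heuristic (assumption): inline styles that render text invisible on a light background.
HIDDEN_STYLE = re.compile(
    r"font-size\s*:\s*0|display\s*:\s*none|opacity\s*:\s*0"
    r"|(?<![\w-])color\s*:\s*(?:#?fff(?:fff)?|white)\b", re.I)

class AnchorTextParser(HTMLParser):
    """Collect raw text and visibly rendered text for every <a> element."""
    def __init__(self):
        super().__init__()
        self.anchors = []        # dicts with href, raw, visible
        self._current = None
        self._hidden_stack = []  # one bool per open child tag inside the <a>
    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "a":
            self._current = {"href": a.get("href", ""), "raw": "", "visible": ""}
        elif self._current is not None:
            self._hidden_stack.append(bool(HIDDEN_STYLE.search(a.get("style") or "")))
    def handle_endtag(self, tag):
        if self._current is not None and tag == "a":
            self.anchors.append(self._current)
            self._current, self._hidden_stack = None, []
        elif self._hidden_stack:
            self._hidden_stack.pop()
    def handle_data(self, data):
        if self._current is not None:
            self._current["raw"] += data
            if not any(self._hidden_stack):  # only text outside hidden children renders
                self._current["visible"] += data

def find_padded_buttons(html):
    """Return (href, raw, visible) for links whose label is wrapped in hidden text."""
    parser = AnchorTextParser()
    parser.feed(html); parser.close()
    flagged = []
    for a in parser.anchors:
        raw, visible = (re.sub(r"\s+", "", a[k]) for k in ("raw", "visible"))
        if visible and raw != visible:
            flagged.append((a["href"], raw, visible))
    return flagged
```

The heuristic only sees inline styles; padding hidden through stylesheet classes or a matching background colour would need a rendering engine to resolve.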
The credential harvesting page presents a convincing Microsoft Office/OneDrive login interface that requests authentication details under the pretense of accessing a secure salary document.
These phishing URLs are designed for single-use access, automatically self-destructing after being visited to eliminate forensic evidence and complicate incident response efforts.
Security teams can implement targeted hunting queries to identify potential compromise attempts.
The following KQL query can detect inbound emails matching the observed subject patterns:
// Inbound mail whose subject matches the campaign's observed lure strings
EmailEvents
| where Subject contains "FIN_SALARY" or Subject contains "Salary amendment"
| where EmailDirection == "Inbound"
| project Timestamp, RecipientEmailAddress, SenderMailFromDomain, Subject
Organizations should immediately block identified malicious domains including letzdoc.com, hr-fildoc.com, and docutransit.com while implementing enhanced awareness training specifically targeting executives and their administrative staff who remain primary targets for these sophisticated attacks.