A few weeks ago, I received what appeared to be a routine document-sharing notification. The email appeared to come from a former client and invited me to review a file through Microsoft OneDrive. At first glance, the message looked legitimate. It referenced a real business relationship, used familiar branding, and contained the type of request that many professionals receive every day.
Something felt wrong.
I was not expecting any documents from this client, and several subtle indicators suggested that the email might not be genuine. Rather than opening the link, I contacted the business owner directly.
A few days later, they confirmed my suspicion. The email had not been sent by their organization. Unfortunately, by the time the issue was identified, numerous employees, vendors, and customers had already clicked the malicious link.
This scenario is becoming increasingly common. Modern phishing campaigns no longer rely on poorly written emails from unknown senders. Today’s attackers exploit trust, familiarity, and widely used cloud platforms to increase their chances of success.
This article examines how these attacks work and why organizations of all sizes should be paying attention.
The evolution of phishing
Traditional phishing attacks were often easy to spot. Messages contained spelling mistakes, suspicious attachments, or requests from unknown individuals claiming to be foreign royalty or lottery officials.
Modern attackers have become significantly more sophisticated. Instead of impersonating banks or government agencies, many attackers now impersonate trusted business contacts, suppliers, customers, and cloud collaboration platforms. Their goal is simple: create an interaction that appears completely normal within the victim’s daily workflow.
A document-sharing invitation is one of the most effective examples. Employees receive legitimate OneDrive, SharePoint, Dropbox, and Google Drive notifications every day. As a result, a request to review a document rarely triggers suspicion.
Attackers understand this and design their campaigns accordingly.
How a OneDrive phishing attack typically works
While specific attacks vary, most follow a similar process.
Stage 1: Reconnaissance
Before sending a single email, attackers gather information about the target organization. Public sources such as company websites, social media profiles, press releases, professional networking sites, and business directories often reveal:
- Employee names
- Job titles
- Email formats
- Vendor relationships
- Customer relationships
- Technology platforms in use
This information allows attackers to create highly targeted messages that appear authentic.
Stage 2: Impersonation
The attacker creates an email that appears to originate from a trusted individual or organization. Common examples include:
- Existing customers
- Suppliers
- Business partners
- Senior executives
- Human resources departments
- Project managers
The message may use similar-looking domains, display name spoofing, compromised third-party accounts, and cloud-hosted phishing infrastructure. The goal is not technical perfection but rather enough credibility that recipients stop questioning the message.
Stage 3: The document invitation
The victim receives a message such as “I’ve shared a document with you,” “Please review the attached proposal,” or “Updated contract available for review.” The message often includes Microsoft branding and a button that appears to link directly to OneDrive or SharePoint. Many users click automatically because the request appears routine.
Stage 4: Credential harvesting
Instead of directing the user to a legitimate Microsoft login page, the link redirects through one or more intermediary websites before presenting a fake authentication page. The victim is asked to enter:
- Microsoft 365 credentials
- Email credentials
- Multi-factor authentication codes
- Additional personal information
Once submitted, the information is transmitted directly to the attacker. In some campaigns, users are redirected to the legitimate Microsoft login page afterwards, creating the impression that a temporary technical issue occurred.
The victim often never realizes their credentials were stolen.
Once access is obtained, attackers may:
- Access email communications
- Download documents
- Search for financial information
- Identify additional targets
- Launch further phishing campaigns
- Create forwarding rules
- Establish persistence within the environment
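One detection that follows from this list, written here as an added example rather than code from the article: a scan of mailbox-audit records for new or modified inbox rules that forward or redirect mail outside the organization, which is how the forwarding-rule persistence above usually surfaces. The record layout, the organization domain and every address are assumptions; only the cmdlet and parameter names are real Exchange names.

```python
ORG_DOMAINS = {"example.org"}  # hypothetical: the organization's own mail domains
RULE_OPS = {"New-InboxRule", "Set-InboxRule"}
FORWARD_PARAMS = ("ForwardTo", "ForwardingSmtpAddress", "RedirectTo")

# Constructed audit records in a simplified layout: cmdlet and parameter names
# mirror Exchange inbox-rule cmdlets, everything else is invented sample data.
SAMPLE_EVENTS = [
    {"time": "2024-05-02T03:14:00Z", "user": "alice@example.org", "ip": "203.0.113.7",
     "op": "New-InboxRule",
     "params": {"Name": ".", "ForwardingSmtpAddress": "smtp:collect@mailbox.example.net",
                "DeleteMessage": True}},
    {"time": "2024-05-02T09:01:00Z", "user": "bob@example.org", "ip": "198.51.100.2",
     "op": "New-InboxRule", "params": {"Name": "Newsletters", "MoveToFolder": "Reading"}},
    {"time": "2024-05-02T11:30:00Z", "user": "carol@example.org", "ip": "198.51.100.2",
     "op": "Set-InboxRule", "params": {"Name": "Invoices", "ForwardTo": "finance@example.org"}},
]

def target_domain(addr):
    """Return the domain of a forwarding target, dropping any 'smtp:' prefix."""
    addr = addr.lower()
    if addr.startswith("smtp:"):
        addr = addr[5:]
    return addr.rsplit("@", 1)[-1]

def suspicious_rules(events):
    """Flag inbox rules that send mail outside the organization.
    Returns a list of (user, reasons) tuples, one per flagged event."""
    hits = []
    for ev in events:
        if ev["op"] not in RULE_OPS:
            continue
        params, reasons = ev["params"], []
        for p in FORWARD_PARAMS:
            if p in params and target_domain(params[p]) not in ORG_DOMAINS:
                reasons.append(f"{p} -> {params[p]}")
        if reasons and params.get("DeleteMessage"):
            reasons.append("DeleteMessage set: forwarded mail is hidden from the owner")
        if reasons and len(params.get("Name", "")) <= 2:
            reasons.append(f"near-empty rule name {params['Name']!r}")
        if reasons:
            hits.append((ev["user"], reasons))
    return hits

if __name__ == "__main__":
    for user, reasons in suspicious_rules(SAMPLE_EVENTS):
        print(user, "|", "; ".join(reasons))
```

Internal forwarding (carol's rule) and non-forwarding rules (bob's) pass; only the external forward with delete and a throwaway name is reported.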
At this point, what began as a single click can evolve into a significant business incident.
Why traditional awareness training often fails
Many organizations respond to phishing threats by conducting annual awareness training. While training remains important, it is not enough on its own.
The problem is not that users are careless. It’s that attackers deliberately exploit legitimate business processes. Employees are expected to open documents, collaborate with external partners, review contracts, and respond to customer requests. Modern phishing attacks blend into these normal activities. The victim is not ignoring security guidance. They are performing their job exactly as expected.
This is why organizations must combine user awareness with technical controls, monitoring, and incident response capabilities.
Warning signs that should raise suspicions
Although these attacks are becoming increasingly convincing, several indicators often remain visible. Consider additional verification if:
- You were not expecting a document
- The sender rarely communicates with you
- The request creates urgency
- The link destination doesn't match the displayed text
- The email contains unusual formatting
- The message arrives outside normal business processes
- The sender's domain differs from previous communications
Perhaps the most important indicator is intuition. If something feels unusual, verify through a separate communication channel before clicking. A quick phone call or independent email may prevent a significant security incident.
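The link and sender indicators above can be checked mechanically before anyone clicks. The following is an added example, not code from the article: it parses a constructed sharing notice, compares each link's visible text with its real destination, checks whether that destination is a known sharing or login host (the fake page of Stage 4), and looks for sender domains a character or two away from a domain seen in earlier correspondence. The sample email, the contact list and the hostnames are assumptions.

```python
import re
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlparse

# Constructed sample (hypothetical names): Microsoft-looking link text, sender one character off a known contact.
SAMPLE_EMAIL = """\
From: Accounts Team <accounts@contoso-partners.co>
To: me@example.org
Subject: Updated contract available for review
Content-Type: text/html; charset=utf-8

<p>Please review the updated contract.</p>
<a href="https://docs-share.example.net/r/abc">https://onedrive.live.com/view</a>
<a href="https://login.microsoftonline.com/">Sign in</a>
"""
KNOWN_CONTACT_DOMAINS = {"contoso-partners.com"}  # constructed list of domains seen in prior mail
TRUSTED_SHARE_HOSTS = {"onedrive.live.com", "login.microsoftonline.com"}
ANCHOR_RE = re.compile(r'<a\s[^>]*href="([^"]+)"[^>]*>(.*?)</a>', re.I | re.S)

def edit_distance(a, b):
    """Levenshtein distance, used to spot lookalike sender domains."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def analyze(raw):
    """Return the warning-sign findings for one raw HTML email."""
    msg = message_from_string(raw)
    sender = parseaddr(msg["From"])[1].rsplit("@", 1)[-1].lower()
    findings = []
    if sender not in KNOWN_CONTACT_DOMAINS:  # "sender's domain differs from previous communications"
        for known in KNOWN_CONTACT_DOMAINS:
            if edit_distance(sender, known) <= 2:
                findings.append(f"lookalike sender domain: {sender} vs {known}")
    for href, text in ANCHOR_RE.findall(msg.get_payload()):
        host = (urlparse(href).hostname or "").lower()
        text = re.sub(r"<[^>]+>", "", text).strip()  # visible link text only
        shown = urlparse(text).hostname if text.startswith("http") else None
        if shown and shown.lower() != host:  # "link destination doesn't match the displayed text"
            findings.append(f"link text shows {shown} but points to {host}")
        if host not in TRUSTED_SHARE_HOSTS:  # Stage 4: a login/share page that is not Microsoft's
            findings.append(f"untrusted share/login host: {host}")
    return findings

print("\n".join(analyze(SAMPLE_EMAIL)))
```

The genuine sign-in link produces no finding, which is the point: the check separates the one link that lies about its destination from the one that does not.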
The business impact
Organizations often underestimate the consequences of a successful phishing campaign. The impact can extend far beyond a single compromised account. Potential consequences include:
- Business email compromise
- Data exposure
- Financial fraud
- Vendor compromise
- Customer compromise
- Reputational damage
- Regulatory reporting obligations
- Incident response costs
In the scenario described earlier, the risk was not limited to one company. Employees, vendors, and customers were all potentially exposed.
This is one of the defining characteristics of modern phishing campaigns: they frequently spread through trust relationships.
Where professional investigation adds value
When phishing activity is identified, organizations often focus exclusively on password resets and technical remediation. These actions are necessary, but they address only part of the problem.
Organizations should also understand:
This is where cyber investigation and OSINT capabilities can provide additional insight. Beyond containment, organizations benefit from understanding how the attack occurred, who may have been targeted, and whether broader exposure exists across their business ecosystem.
What's next?
Modern phishing attacks succeed because they exploit trust rather than technology alone.
The email itself may not contain malware. The website may appear professional. The sender may seem familiar. The request may look completely routine. The attack works because it leverages normal business behaviour.
In the next article, we will examine a question that many organizations struggle to answer: if employees receive security training every year, why do intelligent and experienced professionals still click?