New Phishing Attack Via OneDrive Attacking C-level Employees for Corporate Credentials

A sophisticated spear-phishing campaign has emerged targeting senior executives and C-suite personnel across multiple industries, leveraging Microsoft OneDrive as the primary attack vector.

Stripe OLT analysts identified this campaign while monitoring the threat landscape and found that the attackers deliver the emails through Amazon Simple Email Service (SES) infrastructure while rotating through approximately 80 different domains and subdomains to evade detection.

The campaign employs particularly clever anti-detection mechanisms that exploit email client display differences. When viewed in standard light mode, email buttons appear as innocuous “Open” and “Share” labels. However, switching to dark mode reveals concealed padding containing randomized alphanumeric strings such as “twPOpenHuxv” and “gQShareojxYl” that fragment high-value trigger words, effectively circumventing string-based detection rules employed by secure email gateways.
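A detection-side sketch of the check this implies, added here as an example and not taken from the article or from Stripe OLT: render the button text the way a light-mode reader sees it, then flag trigger words that appear in the visible text but not as whole words in the raw text. It assumes the padding is concealed by giving it the same inline text colour as the background and that gateway rules match whole words; the HTML sample is constructed from the two strings quoted above.

```python
import re
from html.parser import HTMLParser

TRIGGERS = {"open", "share"}          # the button labels named in the article
VOID = {"br", "img", "hr", "meta", "input", "link"}

def _prop(style, name):  # value of one inline CSS property, lower-cased, or None
    m = re.search(r"(?:^|;)\s*" + name + r"\s*:\s*([^;]+)", style or "", re.I)
    return m.group(1).strip().lower() if m else None

class ButtonText(HTMLParser):
    """Splits text into what a light-mode reader sees and what is concealed.
    Colours are compared as exact strings; real mail needs colour normalisation."""
    def __init__(self, page_bg="#ffffff"):
        super().__init__()
        self.stack = [("#000000", page_bg)]   # inherited (text colour, background)
        self.raw, self.visible, self.concealed = [], [], []

    def handle_starttag(self, tag, attrs):
        if tag in VOID:
            return
        style = dict(attrs).get("style")
        fg, bg = self.stack[-1]
        self.stack.append((_prop(style, "color") or fg,
                           _prop(style, "background-color") or bg))

    def handle_endtag(self, tag):
        if tag not in VOID and len(self.stack) > 1:
            self.stack.pop()

    def handle_data(self, data):
        fg, bg = self.stack[-1]
        self.raw.append(data)
        (self.concealed if fg == bg else self.visible).append(data)

def analyse(html):
    p = ButtonText()
    p.feed(html)
    raw, visible = "".join(p.raw), "".join(p.visible)
    words = lambda s: set(re.findall(r"[a-z]+", s.lower()))
    # Trigger words the reader sees that a whole-word match on the raw text misses.
    fragmented = (words(visible) & TRIGGERS) - words(raw)
    return {"raw": raw.strip(), "visible": visible.strip(),
            "concealed": p.concealed, "fragmented": sorted(fragmented)}

# Constructed sample: padding spans coloured to match the white button background.
SAMPLE = " ".join(
    f'<a style="background-color:#ffffff"><span style="color:#ffffff">{a}</span>{w}'
    f'<span style="color:#ffffff">{b}</span></a>'
    for a, w, b in [("twP", "Open", "Huxv"), ("gQ", "Share", "ojxYl")])
```

A non-empty `fragmented` list together with non-empty `concealed` text is the signal worth alerting on; either one alone is common in legitimate mail.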

To read the complete article see: New Phishing Attack Via OneDrive Attacking C-level Employees

This post is licensed under CC BY 4.0 by the author.