Compromised, then Weaponized: Anatomy of a OneDrive Phishing Campaign
What it looks like when a compromised M365 account is used to send out OneDrive phishing lures to tons of other victims.
Tax Season + Accountants = Tons of BECs
Tax season and accounting firms are a match made in heaven for attackers who carry out business email compromise (BEC) attacks.
Everybody’s stressed, unsure, and eager to follow whatever their accountant tells them—especially if it sounds urgent or audit-related.
At Petra, we both detect attacks in real time and help incident responders working M365 incidents piece together the story.
This case came from one such IR—for a CPA firm, mid-tax season. The compromise went unnoticed until the attacker began using the accountant's account to phish others inside and outside the organization.
In some previous research, we covered someone falling for a OneDrive phishing AitM attack.
This post analyzes: how does an attacker use a victim’s account to launch a OneDrive phishing campaign?
Let’s dive in.
How the Phish Was Set Up
This attacker took deliberate steps to blend in:
1. Created a folder named "notebooks" to stage phishing lures: low-profile, tucked away from the top-level folders.
2. Created a subfolder called "ABC Cpa" (anonymized) using the real company name to appear legitimate.
3. Uploaded two lure files, "ABC cpa.onetoc2" and "ABC cpa.one", both modified shortly after being created.
4. Changed sharing permissions on "Notebooks/ABC Cpa", granting access to internal and external users and thereby activating the phishing link.
Total setup time was just over an hour.
What it Looks Like in the Logs
Every step above leaves a trace in the SharePoint/OneDrive telemetry:
1. FolderCreated: "notebooks"
2. FolderCreated: "ABC Cpa"
3. FileUploaded, FileModified: the phishing lure files, "ABC cpa.onetoc2" and "ABC cpa.one"
4. SharingInheritanceBroken, SharingSet: on the notebook folder "Documents/Notebooks/ABC Cpa". This was the phishing event.
Note: Want more detail on these SharePoint events? Check out this previous piece.
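As an added example (not code from this post or from Petra), here is a small Python detector that runs the correlation above over audit records: a user uploads .one/.onetoc2 files and then breaks inheritance or sets sharing on the folder holding them within a time window, with Guest recipients surfaced as the external targets. The records, tenant, accounts and recipients are constructed; the field names (Operation, ObjectId, CreationTime, SourceFileExtension, TargetUserOrGroupType) follow the SharePoint schema of the Office 365 Unified Audit Log as I know it and are an assumption.

```python
from collections import defaultdict
from datetime import datetime, timedelta

LURE_EXTENSIONS = {"one", "onetoc2"}                      # OneNote lure files used in this campaign
SHARING_OPS = {"SharingInheritanceBroken", "SharingSet"}  # the operations that "activate" the lure

def rec(op, user, obj, when, **extra):
    """One record shaped like a SharePoint/OneDrive Unified Audit Log entry (constructed, assumed schema)."""
    return {"Operation": op, "UserId": user, "ObjectId": obj, "CreationTime": when,
            "Workload": "OneDrive", **extra}

SITE = "https://abccpa-my.sharepoint.com/personal/accountant_abccpa_example/Documents/"
ACCT = "accountant@abccpa.example"
SAMPLE_RECORDS = [  # constructed sample data mirroring the sequence described in the post
    rec("FolderCreated", ACCT, SITE + "notebooks", "2025-03-10T10:02:11"),
    rec("FolderCreated", ACCT, SITE + "notebooks/ABC Cpa", "2025-03-10T10:05:40"),
    rec("FileUploaded", ACCT, SITE + "notebooks/ABC Cpa/ABC cpa.onetoc2", "2025-03-10T10:20:03", SourceFileExtension="onetoc2"),
    rec("FileUploaded", ACCT, SITE + "notebooks/ABC Cpa/ABC cpa.one", "2025-03-10T10:21:17", SourceFileExtension="one"),
    rec("FileModified", ACCT, SITE + "notebooks/ABC Cpa/ABC cpa.one", "2025-03-10T10:26:00", SourceFileExtension="one"),
    rec("SharingInheritanceBroken", ACCT, SITE + "notebooks/ABC Cpa", "2025-03-10T11:05:52"),
    rec("SharingSet", ACCT, SITE + "notebooks/ABC Cpa", "2025-03-10T11:06:30", TargetUserOrGroupName="client@example.net", TargetUserOrGroupType="Guest"),
    rec("SharingSet", ACCT, SITE + "notebooks/ABC Cpa", "2025-03-10T11:06:31", TargetUserOrGroupName="colleague@abccpa.example", TargetUserOrGroupType="Member"),
    # benign control: a spreadsheet shared internally must not be flagged
    rec("FileUploaded", "bob@abccpa.example", SITE + "Q1 report.xlsx", "2025-03-10T12:00:00", SourceFileExtension="xlsx"),
    rec("SharingSet", "bob@abccpa.example", SITE + "Q1 report.xlsx", "2025-03-10T12:03:00", TargetUserOrGroupName="colleague@abccpa.example", TargetUserOrGroupType="Member"),
]

ts = lambda r: datetime.fromisoformat(r["CreationTime"])

def find_lure_staging(records, window=timedelta(hours=3)):
    """Return {(user, folder): finding} for each folder where lure files were uploaded and then shared within `window`."""
    by_user = defaultdict(list)
    for r in records:
        by_user[r["UserId"]].append(r)
    findings = {}
    for user, recs in by_user.items():
        lures = [r for r in recs if r["Operation"] == "FileUploaded"
                 and r.get("SourceFileExtension", "").lower() in LURE_EXTENSIONS]
        for s in (r for r in recs if r["Operation"] in SHARING_OPS):
            folder = s["ObjectId"].rstrip("/") + "/"   # the item the sharing change was applied to
            hit = [l for l in lures if l["ObjectId"].startswith(folder)
                   and timedelta(0) <= ts(s) - ts(l) <= window]
            if not hit:
                continue
            f = findings.setdefault((user, folder), {"lures": set(), "external_targets": [], "minutes_to_share": None})
            f["lures"].update(l["ObjectId"][len(folder):] for l in hit)
            if s.get("TargetUserOrGroupType") == "Guest":   # Guest = recipient outside the tenant
                f["external_targets"].append(s["TargetUserOrGroupName"])
            mins = (ts(s) - min(ts(l) for l in hit)).total_seconds() / 60   # upload-to-share staging time
            f["minutes_to_share"] = mins if f["minutes_to_share"] is None else min(f["minutes_to_share"], mins)
    return findings
```

On the sample data only the accountant's "notebooks/ABC Cpa" folder is flagged, with one external recipient and roughly 46 minutes between the first lure upload and the sharing change.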
Takeaway: You gotta look at it all.
Login events are just the tip of the iceberg.
Phishing isn’t always email-based. OneDrive and SharePoint are increasingly co-opted by attackers for post-compromise phishing.
Attackers blend in. They choose folder names, file types, and locations to avoid detection by the end user.
You can see every step the bad guy takes (if you know where to look). If you're not parsing these events, you're missing how attackers move after compromise.
This phishing campaign was set up in just over an hour, and the SharePoint logs caught it all, frame by frame.
Tracking behavior with this level of granularity makes it a lot easier to catch the bad guys.
—
We’ll be at RSA. If you’re there and want to talk about M365 attacks, reach out to me on LinkedIn 👋