- Project OneDrive Phishing Detection
- Company Merabytes
- Sector Industrial
- Date : 07 August, 2025
- Duration Real-time detection
Real case: Industrial sector company victim of OneDrive B2B phishing (client name omitted for confidentiality)
Key points
| Date/Phase | Event |
|---|---|
| Day 1 - First contact | Attacker (“Cizmesija” from Croatia) sends a well-written email requesting a catalogue and pricing. Builds trust using professional industry language. |
| Day 1 - Legitimate response | Sales team responds with interest, providing information and requesting additional details to customize the offer. |
| Day 2 - Hook delivery | Attacker responds with an apparently OneDrive link: visible text shows “onedrive.live.com” but the actual link points to “onedrive-rusty-craves.surge.sh”. |
| Fake page | Fraudulent domain redirects to an interface that simulates OneDrive with fake documents (Purchase.pdf, Specification.xlsx, Drawings_sketches.png, Presentation.mov). |
| Credential capture | Clicking on any document displays a modal requesting corporate credentials with email pre-filled (URL “e” parameter). |
| Potential compromise | If the victim enters credentials, the attacker gains access to corporate accounts (email, real OneDrive, SharePoint, Teams, etc.). |
In recent weeks we have detected an increase in phishing campaigns (B2B attacks), using fake OneDrive links as the initial vector. In this article we document a real case that affected a company in the industrial sector, in order to help other organizations identify and block this type of threat.
Attack flow
Step 1: First contact - commercial interest email
The attacker presents as Cizmesija, supposedly from Croatia, requesting a catalogue and pricing for products. The message is well-written and adapted to the sector, which builds trust:
Hello,
This is Čižmešija from Croatia,
We kindly request your best pricing and Catalogue for your products.
We also want to know if you can deliver to Croatia Rijeka, for this information is crucial for us before we send our PO.
Thank you for considering our inquiries. We eagerly await your prompt response.
Kind regards
Ž. Čižmešija
Mac Globals Inc
+385 91 224 7000
Svilarska 20; Emera d.o.o.,
48000 Koprivnica, Croatia.
Email= info@macglobals.com
Email= Info.macglobals@gmail.com
Objective: Gain the trust of the sales team so that the conversation continues.
Step 2: Legitimate response from the victim
The sales team of the industrial company, interested in the potential sale, responds with a proposal and additional questions to customize the offer.
Step 3: Delivery of the malicious link
The attacker responds quickly, this time including an apparently legitimate link to OneDrive:
https://onedrive.live.com/PO/en-us/cloudstoragefiles/fileaccess/Macglobal/
However, this text masks the actual link:
https://onedrive-rusty-craves.surge.sh/index.html?e=email@victim.xx
This domain redirects to a fraudulent page that simulates the OneDrive interface and requests corporate credentials.
Step 4: Elements that reveal the fraud
- Difference between visible and actual link: the text appears to be from OneDrive, but the link points to an external domain (surge.sh). Hovering over the link reveals the actual destination.
- Commercial urgency: a quick quote is requested to force opening the link without verification.
- Trust chaining: the attacker first generates a conversation so that sending the link appears to be part of a legitimate business process.
Example of the shared malicious resource
In the detected campaign, the link simulated a shared OneDrive folder with documents such as:
- Purchase.pdf
- Specification.xlsx
- Drawings_sketches.png
- Presentation.mov
Clicking on any of these items displayed a pop-up modal requesting user credentials, with the email field pre-filled (URL “e” parameter).
How our Adversary-Aware SOC would have prevented this attack
Our Adversary-Aware SOC is designed to identify and neutralize sophisticated B2B phishing campaigns like this one:
| Merabytes Defense Area | How our SOC would have acted | Result obtained |
|---|---|---|
| Email link analysis (URL rewriting and sandboxing) | Detection of discrepancy between visible link text and actual URL. The link points to “surge.sh” instead of the official OneDrive domain. | Automatic blocking of the email before reaching the inbox. |
| Identity protection (Cisco Duo 2FA) | Even if credentials are stolen, access to corporate services requires a second authentication factor. | Stolen credentials are useless without 2FA. |
| Email behavior monitoring | Detection of suspicious pattern: initial commercial contact quickly followed by an external link for download. | Early alert to the security team before compromise. |
| Suspicious domain filtering | Automatic blocking of generic hosting domains (surge.sh, netlify.app, etc.) used in phishing campaigns. | Prevention of access to credential capture pages. |
| B2B phishing pattern analysis | Detection of social engineering techniques: trust building + commercial urgency + external link. | Campaign identification before multiple victims. |
| Continuous training and simulations | Regular training on B2B phishing with real examples of targeted attacks against the sector. | Alert users who verify links before clicking. |
Thanks to the adversary-focused mindset, our SOC understands B2B social engineering tactics and does not rely solely on technical indicators, but analyzes the complete communication context to identify sophisticated phishing attempts.
Lessons learned
- B2B attacks are increasingly sophisticated. Attackers research the sector and adapt their messages to build trust.
- Visual link verification is not enough. Users must hover over links to see the actual destination.
- Commercial urgency is a common tactic. Requests for quick quotes seek to force decisions without verification.
- 2FA is critical. Even if credentials are stolen, the second factor prevents access.
Conclusion
This attack was successful in multiple companies because there was no email behavioral analysis or identity protection with 2FA. With Merabytes, the story would have ended differently:
- The fraudulent link would have been detected by the discrepancy between visible text and actual URL.
- The surge.sh domain would have been automatically blocked.
- Even if credentials had been stolen, 2FA would have prevented access.
- The sales team would have received training on B2B phishing tactics.
Additional recommended measures
This attack is an example of spear phishing that exploits B2B social engineering to overcome usual defenses.
- Always verify the actual domain before opening links, even if they appear to be from known services like OneDrive.
- Implement anti-phishing filters (such as N-Able Mail Assure) that inspect links and detect discrepancies between the text and the actual URL.
- Train sales teams to recognize urgency and trust tactics used by attackers.
- Enable MFA (Multi-Factor Authentication) on all corporate accounts to reduce the impact in case of credential theft.
If you want to protect your company from this type of threat before it reaches the inbox, visit merabytes.com and request access to our advanced email filtering and analysis service + identity protection with 2FA. We block phishing campaigns, malware, and identity spoofing even before they are visible to users, drastically reducing the risk of compromise.
Frequently asked questions
An Adversary-Aware SOC goes beyond traditional security monitoring by understanding attacker tactics, techniques, and procedures (TTPs). We proactively hunt for threats using MITRE ATT&CK framework, behavioral analysis, and threat intelligence to detect attacks that bypass conventional security controls.
Traditional security tools focus on known signatures and indicators. Our behavioral detection analyzes anomalies in user activity, email patterns, network traffic, and system behavior to identify sophisticated attacks that use legitimate tools or bypass authentication controls. This caught the attacks in these case studies before significant damage occurred.
Our SOC operates 24/7 with real-time monitoring and automated response capabilities. Critical alerts trigger immediate investigation and containment actions within minutes. We provide continuous threat hunting, forensic analysis, and coordinated incident response to minimize impact and prevent lateral movement.
We combine global threat intelligence feeds with our own research from real incidents. Every attack we analyze contributes to our detection rules and IOC database, which is immediately shared across all protected environments. This means if we see a new attack pattern targeting one client, all clients are automatically protected within hours.
Absolutely. Our SOC integrates with your existing EDR, XDR, SIEM, firewalls, email security, and identity protection tools. We enhance their effectiveness by correlating events across all sources, applying adversary-aware detection logic, and providing expert human analysis that automated tools alone cannot achieve.