← Back to Blog

Threat Research

OneDrive Spear Phishing by the Book: How a PDF Stager Breaks the Audit Trail

A textbook OneDrive spear phishing attack weaponized a compromised account to deliver a PDF stager that redirected to an AiTM credential-harvesting page. By disconnecting the phishing URL from the original email, the attacker broke the audit trail completely.

By ZeroBEC Team · February 23, 2026 · 7 min read

OneDrive Spear Phishing by the Book: How a PDF Stager Breaks the Audit Trail

ZeroBEC's AI-native detection engine flagged this attack for one of our customers. On the surface, it looked completely routine: J. Owens at Hutchens Industries, a domain the customer's organization communicates with regularly, shared a file via OneDrive. A legitimate sender, a legitimate platform, a legitimate link. But behind the familiar interface was a textbook OneDrive spear phishing playbook, executed step by step.

The Kill-Chain

Step 1: The Trusted Email

OneDrive sharing email from J. Owens
Figure 1:The victim receives a OneDrive file-sharing notification from J. Owens at Hutchens Industries, a known and trusted contact

The attack begins with a genuine OneDrive sharing notification sent from [redacted]@hutchensindustries.com. The email states that J. Owens has shared a file called "Hutchens Industries, Inc." and includes a note: "This link only works for the direct recipients of this message." This is not a spoofed email. The attacker has already compromised J. Owens' account and is using it to send targeted, one-to-one file shares to specific victims.

Step 2: The Legitimate OneDrive Page

OneDrive identity verification page
Figure 2:The OneDrive verification page on hutchensindustries-my.sharepoint.com sends a one-time code to the victim's email for identity verification

Clicking "Open" in the email takes the victim to hutchensindustries-my.sharepoint.com, a legitimate Microsoft domain belonging to Hutchens Industries. As soon as the page loads, a one-time verification code is sent to the victim's email. The victim enters this code to prove their identity and access the shared file. This is a standard Microsoft secure sharing practice, which makes the interaction feel entirely normal and trustworthy.

Step 3: The PDF Stager

PDF stager with VIEW DOCUMENT link
Figure 3:The downloaded PDF serves as a stager, presenting a "VIEW DOCUMENT" link that redirects to the actual phishing page

After verification, a PDF file is downloaded: "Hutchens Industries, Inc..pdf". The PDF is deliberately minimal. It states the document has been shared and includes a prominent red "VIEW DOCUMENT" link. This PDF is not the payload. It is the stager: a stateless intermediary whose sole purpose is to disconnect the phishing URL from the original email.

Step 4: The Credential Harvest

Fake Microsoft sign-in page
Figure 4:Clicking "VIEW DOCUMENT" in the PDF redirects to a fake Microsoft sign-in page hosted on a malicious domain

Clicking "VIEW DOCUMENT" opens a browser tab to a malicious domain disguised as a Microsoft sign-in page. The URL is clearly not Microsoft (hosted on goufreatra[.]dev), but the page is a pixel-perfect replica of the real sign-in flow. This page supports Adversary-in-the-Middle (AiTM) session hijacking: it proxies the victim's credentials to the real Microsoft login, captures the authenticated session token, and bypasses MFA entirely.

Why This Attack Is So Effective

  1. The sender is real and trusted: The email comes from a compromised account at a domain the victim's organization communicates with regularly. No spoofing, no look-alike domains. Email authentication (SPF, DKIM, DMARC) all pass.
  2. The OneDrive link is on a legitimate Microsoft domain: The URL points to hutchensindustries-my.sharepoint.com. URL scanners, email gateways, and safe-link rewriting all see a clean Microsoft URL. There is nothing to block.
  3. The identity verification adds false confidence: The standard Microsoft one-time code verification feels like a security measure. It is also an anti-analysis measure: the code is sent only to the targeted victim's email, preventing security sandboxes and analysts from retrieving the payload.
  4. The link is scoped to one recipient: By sharing the file with only the intended victim, the attacker ensures that automated detonation chambers and SOC analysts cannot simply click the link to investigate. The file-sharing scope is a deliberate evasion technique.
  5. The PDF stager breaks the audit trail: This is the most critical element. The phishing URL does not exist in the email. It does not exist on the OneDrive page. It exists only inside the downloaded PDF, which the victim opens in a local application. The moment the victim clicks "VIEW DOCUMENT" in the PDF, the attack leaves the email ecosystem entirely and moves to a browser session that has no connection to the original email event.

The Audit Trail Gap

This is where most security tools lose visibility. Here is what happens to the audit trail at each stage:

The gap between the PDF click and the credential harvest can be seconds or minutes, but the security team has zero visibility into this phase. The attacker only gains access once the victim enters their credentials on the phishing page and completes MFA. From that moment, the attacker holds a valid session token, yet the audit trail remains dark until they use it to access the victim's mailbox, which can happen hours or even days later.

Why Behavioral AI Is the Answer

Traditional email security is designed to inspect emails. It looks at sender reputation, URL reputation, attachment signatures, and header anomalies. In this attack, every one of those signals is clean. The email is legitimate. The URL is legitimate. The attachment is a PDF with a hyperlink. There is nothing for a gateway to catch.

This is exactly the scenario ZeroBEC is built for. Instead of relying on inspecting the email, ZeroBEC implements behavioral analysis on the user principal:

Recommendations (Prioritised)

  1. Treat all file-sharing notifications from external organizations as potentially compromised, even from known and trusted contacts.
  2. Implement conditional access policies that restrict OneDrive/SharePoint external sharing and require additional verification for cross-tenant file access.
  3. Train users: if a PDF asks you to click "VIEW DOCUMENT" via a link, it is almost certainly a phishing stager. Legitimate shared documents do not require downloading a PDF to view them.
  4. Deploy phishing-resistant MFA (FIDO2 security keys, passkeys) to neutralize AiTM attacks. Token theft does not work when the authentication is bound to the origin.
  5. Monitor for anomalous mailbox behavior post-authentication: unusual login locations, timing shifts, rapid email enumeration, inbox rule creation, and mail forwarding changes.
  6. Deploy ZeroBEC for continuous behavioral analysis and instant detection of compromised accounts. ZeroBEC works alongside your existing email gateway with no MX record changes and deploys in under 60 minutes.

Bottom Line

This attack is a playbook execution of one-to-one spear phishing: a targeted victim, a trusted sender, a legitimate platform, and a stateless PDF stager that severs the connection between the phishing URL and the original email. Traditional email security never sees the malicious URL because it never appears in the email.

The only way to detect this class of attack is to monitor what happens after the attacker logs in. Behavioral analysis on the user principal, tracking anomalies in time, location, activity bursts, and mailbox behavior, is the difference between catching the attacker in hours and discovering the breach months later.

At ZeroBEC, our AI-native platform closes the audit trail gap. We detect compromised accounts by the way they behave, not by the email that started the compromise.

Ready to see how ZeroBEC protects your organization? Start free or contact us.