Table of Contents
A document-share notification is the one email almost nobody hesitates over. A colleague shares a file, a familiar service sends the alert, you click to view it. The chief financial officer at a consumer-goods organization had no reason to treat this one differently. The subject line read like a routine system notice. The body announced, in plain OneDrive styling, that a file had been shared and was ready to access securely.
OneDrive is Microsoft's cloud file-storage service, part of the Microsoft 365 (M365) productivity suite that runs email and documents for millions of businesses. A share notice from it is background noise in a finance executive's day. That familiarity was the entire point.
A File Is Waiting For You
The email opened with a single word in large type: "Onedrive." Below it, a greeting, the recipient's own address echoed back, and one line of instruction inviting them to click to access the document. A blue "AccessFile" link sat in the middle of the message. Everything about the layout said legitimate cloud collaboration.
Then came the part designed to close the deal. Underneath the share notice ran a long, fabricated reply chain. It read like an internal compliance discussion, complete with invented internal personas trading messages about a quarterly review, file permissions, and which folder the final version belonged in. The thread gave the lure context and weight. To a busy executive, it looked like the back end of a conversation already in motion, with this share notice as the natural next step.
Attackers aim document-share lures at the people who approve payments and hold the keys to financial systems, because a single harvested credential there unlocks far more than an inbox. According to the FBI's 2024 Internet Crime Report, business email compromise remains among the costliest cybercrime categories, and credential theft is the door it walks through.
What The Banner Tried To Warn
There was one honest signal in the message, and it sat right at the top. A gray external-sender banner read: "You don't often get email from admin2@unrelated-domain[.]de."
That single line carried the whole case. A genuine OneDrive notification comes from Microsoft. This one came from admin2@unrelated-domain[.]de, a domain with no relationship to Microsoft, OneDrive, or the recipient's company. The brand the email claimed to be and the address it actually came from did not match.
Yet the message had cleared authentication cleanly. SPF (Sender Policy Framework, which checks whether a server is authorized to send for a domain), DKIM (DomainKeys Identified Mail, a cryptographic signature on the message), and DMARC (the policy layer that ties the two to the visible sender) all passed. The attacker had sent through a legitimate third-party email delivery service using a properly configured sending domain. Authentication confirmed the message was sent by authorized infrastructure. It said nothing about whether the content was truthful.
This is the gap that trips up the SEG, the legacy secure email gateway model that scores mail on authentication results, blocklists, and known-bad signatures. A clean SPF, DKIM, and DMARC pass plus a reputable delivery provider reads as trustworthy to that approach. The Verizon 2026 Data Breach Investigations Report found that stolen credentials feature in 39 percent of breaches across the kill chain, with phishing driving 16 percent of initial access. The infrastructure that delivers those attacks is increasingly clean.
A Days-Old Domain and a Broken Template
The "AccessFile" link did not point to OneDrive. It ran through a tracked redirector on the sender's own infrastructure, link.unrelated-domain[.]de, and landed on document.boomgodbold[.]co[.]uk. A WHOIS lookup showed that domain was registered on 2026-05-29, weeks before it arrived in this inbox. It was brand new.
That freshness is deliberate. Reputation systems score domains on history, and a domain with no history has nothing to flag. Attackers acquire domains specifically for this blind spot, a technique catalogued by MITRE ATT&CK as acquiring infrastructure, then pair it with a trusted-looking pretext to deliver a credential-harvesting page before defenses catch up. Microsoft's Digital Defense Report 2024 documents how heavily attackers lean on brand impersonation and short-lived infrastructure to stay ahead of reputation scoring.
But the most revealing detail was one the attacker never meant to send. Inside the fabricated reply chain, the phishing kit's personalization had broken. A merge field that should have inserted a clean name had failed to populate, smashing placeholder names and a domain together into malformed reply addresses. Raw template variables sat exposed in the body where finished text should have been. The kit had pasted a generic thread template, the variables never resolved, and the broken output shipped exactly as the automation produced it.
See Your Risk: Calculate how many threats your SEG is missing
It was the digital equivalent of a forger leaving the printer's registration marks on a fake document. The polished OneDrive styling and the patient reply chain were undone by one unfilled field. That artifact, more than anything else, declared this an automated mass-phishing send rather than a real internal exchange.
Why Behavior Caught What Reputation Missed
A blocklist had nothing to catch here. The sending domain was authenticated, the delivery service was reputable, and the payload domain was too new to carry a reputation at all.
What flagged the message was behavior, not a signature. The detection layer weighed the mismatch between the OneDrive brand and the unrelated-domain[.]de sender, the prior history of this same display name arriving from a different unrelated domain, the freshly registered destination, and the language patterns that matched known phishing campaigns. Read together, those signals named the message for what it was. It was routed to quarantine and, within a day, mitigated before the credential page ever loaded. This is the difference Adaptive AI makes, and where Themis, the agentic AI SOC analyst, reasons across signals a static gateway evaluates in isolation.
What Authentication Never Asked
Authentication is a fact about delivery, not a verdict on intent. A message can pass SPF, DKIM, and DMARC and still be a lie about who sent it. Brand-to-domain mismatch is the question that authentication never asks.
Domain reputation has a built-in lag, and attackers live inside it. A destination registered weeks before an attack is a feature of the attack, not an accident.
Document-share notifications are among the most clicked emails in any organization, which makes them a favored credential-harvest wrapper. Verify share invitations inside the platform, not from the email link, and treat external-sender banners on file-access requests as a hard stop.
The strongest defense evaluates behavior and content, not just headers. Protecting high-value finance and executive mailboxes calls for credential-harvesting protection and M365 augmentation that read the whole message, because the next attacker may not leave a broken template behind to give the game away.
Indicators Of Compromise
| Type | Indicator | Context |
|---|---|---|
| Sender address | admin2@unrelated-domain[.]de | "WorkManager" display name impersonating OneDrive |
| Redirector | link.unrelated-domain[.]de | Tracked redirect on sender infrastructure |
| Payload domain | document.boomgodbold[.]co[.]uk | Registered 2026-05-29, credential-harvest landing page |
| Impersonated brand | Microsoft OneDrive | File-share notification pretext |
| Kit artifact | Unfilled merge field / exposed template variables | Malformed reply addresses; automated mass-phishing tell |
MITRE ATT&CK techniques: T1566.002 (Phishing: Spearphishing Link) and T1583.001 (Acquire Infrastructure: Domains).
Explore More Articles
Say goodbye to Phishing, BEC, and QR code attacks. Our Adaptive AI automatically learns and evolves to keep your employees safe from email attacks.