OneNote Shared Folder Attack Phishing Scam

OneNote Shared Folder Attack Phishing Scam

OneNote Shared Folder Attack - John Smith shared the folder "John Smith business" with you.

Phishing attacks have been on the rise in recent years and have skyrocketed during COVID-19 lockdowns. With regular attempts happening from hackers trying to gain access to accounts via meticulously thought-out scams that look legitimate but turn out to be a phishing scam.

Here at HelpDesk Heroes we have recently seen a surge in a OneNote shared folder attack that are sent from compromised 'friendly' accounts that appear to be legitimate.

The OneNote desktop app on Windows is part of Office 2019 and Microsoft 365, and it can also be downloaded as a standalone app and used independently on any PC.

A closer look at a Shared Folder Attack

With so many UK businesses supporting staff working remotely, it is important to train users within in your organization who are vulnerable to these types of phishing attacks that could put your users and business at risk.

Firstly, let's take a look and compare it with a real mail.


How the shared folder attack works

The way this attack works is, a compromised account that you have communicated with in the past will send you a customised version of the above screen. This type of attack is trying to make you think that the email you receive is legitimate and from someone you know.

To lower your guard, it sends an email that looks exactly like an email you may have received before. In addition, it will be from someone you have communicated with in the past. This makes it more likely that you or your spamfilter have whitelisted the contact, so the email arrives in your inbox without a warning.

What makes it even harder to recognise as a phishing email, is if the compromised email account is from within your own business or organisation. The usual security warning normally attached to inform about the email originating from an external source, will not be shown.

This screen uses legitimate Microsoft icons to appear genuine, it then takes you through to a real OneNote share screen. This then links to the phishing site

But you can see, though similar, there are a few key differences. For example, look closely in the image examples below. You can see that the size of buttons as well as the style is slightly different.


How to spot a Shared Folder Attack Phishing Scam

Always remember to look at the links. This one of the first things to do when trying to spot a fake email. The “Read Document Online” goes to This url link isn’t safe or is it what would be expected for a Microsoft document.

The real url will redirect to So be careful.


The phishing email will open a sign-in page that leads to your Microsoft 365 credentials / log in box.

What you are looking for is a file. The real email will lead you to a file, and once you click there, you will be redirected to the actual file.

Look out for these inconsistencies

The fake screens have some noteworthy inconsistencies including:

  • Adobe doesn’t require Outlook Sign-ins
  • Adobe hasn’t been mentioned to this point
  • The grammar is flawed
  • The logo image is broken on the right image
  • The buttons aren’t the same size
  • There are some slight misalignments.

These types of inconsistencies are red flags, whenever you are dealing with potentially suspicious links.

What happens if you have clicked on the link?

If you have logged into this log-in screen, then your account is compromised. This means that it could be accessed at any time and the following actions can happen:

A new version of this email will be sent out to all the accounts you have communicated with in the past.

A mailbox rule will be created to move all incoming emails into a hidden folder, generally within the RSS folder

Sent items are deleted and purged.

What to do if you have clicked on the link

If you have attempted to sign in using a page similar to this from a link that you were unsure about, change your credentials immediately!

If your business has been affected by a shared note attack, our IT support team will investigate the email logfiles to see who has received this email. Then, we will then send out an informative email to all recipients to ignore such emails. All users that have opened the links in the email and entered their access details must have their passwords changed immediately. Any additional issues will be assessed and fixed.

Read our Business IT Security Guide for a full breakdown of all the things you need to know, to keep your business safe.

Think you have been affected by a Shared Folder Attack Phishing Scam?

If you need any help with your Microsoft 365 call our team today on 20 3831 2780 . We can help and advise you on the best solutions.

Tell us about your technical needs and we will recommend the ideal solution for you.

Read more from our blog

Professional Outsourced IT Support London

We pride ourselves on providing excellent customer service and effective IT solutions. Working with clients in London and around the UK, across a range of industries. Our expert IT support services offer a perfect solution for businesses of all sizes.

If you need to outsource your IT support or reviewing your existing IT services arrangements contact our technical HelpDesk support team today.

If you need expert IT help now, Call us today on 20 3831 2780

Leave a Reply

Your email address will not be published. Required fields are marked *

0 Comment Comments