Cloud Account Credential Harvesting Through Spoofed Document Sharing Portal
ID: adae2e07-7ed1-44d2-bbc0-6afacff0a9da
STIX ID: report--adae2e07-7ed1-44d2-bbc0-6afacff0a9da
Threat Score: 70/100
Between 10 April 2026 and 13 April 2026, employees at a consulting firm received phishing messages linking to https://onedrive-secure-share.com/review, a spoofed document-sharing portal that proxied authentication to the legitimate provider and captured submitted usernames, passwords, and session cookies. Confirmed compromises were used to send internal phishing and to create inbox rules redirecting messages containing keywords such as “payment,” “invoice,” and “wire.” Observed artifacts include the phishing domain, URL path, redirected mailbox target, targeted keywords, and a reported user agent. The activity is consistent with business email compromise involving credential harvesting and session hijacking.
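
A detection sketch for the inbox-rule behaviour described above, added here as an example and not part of the original report: it scans mailbox audit records for rules that redirect or forward mail matching the reported keywords. The JSON-lines record layout (`user`, `operation`, `params`), the domain `consulting.example`, and all sample records are constructed assumptions; map the field names to your own audit export.

```python
import json

# Keywords the report says the attacker's inbox rules matched on.
KEYWORDS = {"payment", "invoice", "wire"}
RULE_OPS = {"New-InboxRule", "Set-InboxRule"}  # assumed operation names
DIVERT_ACTIONS = ("RedirectTo", "ForwardTo", "ForwardAsAttachmentTo")
INTERNAL_DOMAIN = "consulting.example"  # placeholder for the firm's mail domain

# Constructed sample audit records (JSON lines); not data from the report.
SAMPLE_LOG = "\n".join([
    '{"user":"a.lee@consulting.example","operation":"New-InboxRule","params":'
    '{"SubjectOrBodyContainsWords":"payment;invoice;wire","RedirectTo":"drop@mail.example"}}',
    '{"user":"b.roy@consulting.example","operation":"New-InboxRule","params":'
    '{"SubjectOrBodyContainsWords":"newsletter","MoveToFolder":"Reading"}}',
    '{"user":"c.kim@consulting.example","operation":"Set-InboxRule","params":'
    '{"SubjectOrBodyContainsWords":"Invoice","ForwardTo":"ap@consulting.example"}}',
    '{"user":"a.lee@consulting.example","operation":"MailItemsAccessed","params":{}}',
    'truncated-line{',
])

def split_values(raw):
    """Split a semicolon-separated parameter value into lowercase items."""
    return [v.strip().lower() for v in raw.split(";") if v.strip()]

def flag_rule(record):
    """Return a finding if a rule diverts mail matching the reported keywords."""
    if record.get("operation") not in RULE_OPS:
        return None
    params = record.get("params", {})
    hits = sorted(KEYWORDS & set(split_values(params.get("SubjectOrBodyContainsWords", ""))))
    targets = sorted(t for a in DIVERT_ACTIONS for t in split_values(params.get(a, "")))
    if not hits or not targets:
        return None
    external = [t for t in targets if not t.endswith("@" + INTERNAL_DOMAIN)]
    return {"user": record.get("user"), "keywords": hits,
            "targets": targets, "external": bool(external)}

def scan(log_text):
    """Parse JSON-lines audit text, skipping unparseable lines, and collect findings."""
    findings = []
    for line in log_text.splitlines():
        try:
            record = json.loads(line)
        except json.JSONDecodeError:
            continue
        finding = flag_rule(record) if isinstance(record, dict) else None
        if finding:
            findings.append(finding)
    return findings
```

Findings with `external` set to true deserve first attention; internal targets are still reported because a compromised internal mailbox can also serve as the redirect destination.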
