
OneDrive Personal Links in Email Reply Chain Attacks

Author: Micha Pekrul, SaaS Platform Manager (https://www.linkedin.com/in/micha-pekrul/)

Since April 2019 there has been a new type of attack that uses email as its vector: the so-called email reply chain attack. The first step in these attacks is to spy out existing email conversations. The criminals then write replies to these emails that contain a malicious link or attachment. While this method was initially used on a large scale by Emotet, other threats such as QakBot (aka Qbot or Quackbot) have adopted it over time.

08.03.2022 | last modified: 04.04.2024

Email Reply Chain Attacks - CERT-Bund warning in 2019

The Computer Emergency Response Team of the German Federal Administration (CERT-Bund for short) warned about this new attack vector used by Emotet in April 2019.

Source: Twitter

While it was initially safe to say that one of the communication partners must have been infected and the email must have leaked via that infection, this is no longer necessarily the case today. In 2021 there were several zero-day vulnerabilities in on-premises Exchange servers through which the entire email communication could theoretically have leaked if the Exchange servers were not patched, or not patched in time.

One should assume that email reply chain attacks are highly effective as social engineering, since the fake reply continues a real conversation and the recipient usually knows the alleged communication partner very well. That the fake email was not sent by that partner at all, but by unknown email servers under the spammers' control, is usually not recognizable to a layperson. Often laypersons cannot even imagine that someone other than the communication partner could have access to the previous email history.

QakBot with OneDrive Personal Links

Another popular attack vector is the use of legitimate cloud services to spread malware. In the current QakBot waves, the email reply chain attacks described above are combined with a link to Microsoft's OneDrive Personal cloud service in the fake reply, as shown in the following examples.

[Images: three spam examples of OneDrive Personal links in email reply chain attacks]

Fake replies from QakBot with links to “OneDrive Personal”. Note the “file password” at the end.

[Image: binary Excel document in a password-protected zip archive]

The link hides a password-protected zip archive.

A closer look reveals that the zip archive contains a binary Excel document with macro functionality, which evades malware scanners because the archive is password-protected. The password needed to decrypt the zip archive is included at the end of the fake reply. This is probably also the reason why these links still work days after the spam wave and have not been blocked by Microsoft.

OneDrive? OneDrive Business? OneDrive Personal!

Looking at the link structure of OneDrive links, it quickly becomes apparent that there is a clear difference between "OneDrive Business" and "OneDrive Personal". When you create a sharing link, you immediately notice that "OneDrive Business" links follow the pattern "-my.sharepoint.com" or ".sharepoint.com", which makes them easy to distinguish. So let's share a file via "OneDrive Personal" to see what these links look like.

[Image: OneDrive Personal link in the message tracking]

A file shared via “OneDrive Personal”

The first thing you notice is that the link, unlike the QakBot examples above, does not point to "onedrive.live.com" at all, but to Microsoft's URL shortener "1drv.ms". Next, let's see what the link behind it looks like.

[Image: Microsoft's URL shortener "1drv.ms"]

So at first glance it looks like the QakBot links from above, right? At second glance you can see that the path does not start with "onedrive.live.com/download" as in the QakBot examples, but with "onedrive.live.com/redir".

[Image: StackExchange answer]

A "recipe" on StackExchange reveals how to create this type of "onedrive.live.com/download" link.

It seems that "OneDrive Personal" links of this type are not generated by default; instead, the path "onedrive.live.com/embed" of a regular sharing link has to be changed manually to "onedrive.live.com/download" first.

Protection against email reply chain attacks: word match filter for blocking unwanted links

With the word match filter you can assign SCL points to unwanted links in NoSpamProxy.

[Image: word match filter, step 1]

Under Configuration > Presettings, add a new word group to the word matches, restrict its range to the "email body" and assign 4 SCL points or more.

[Image: word match filter, step 2]

As the type, use "Placeholder" and enter "https://onedrive.live.com/download*" (with a "*" at the end).

[Image: word match filter, step 3]

In all inbound rules, include the "Word matches" filter (if not already present) and add the newly created "Blocked links" word group to it.

Since "Word matches" is a filter, an exception can still be defined if such a link turns out to be in legitimate use with a particular partner: the Level of Trust system comes in handy here, because trusted email can overrule a filter.
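To make the link taxonomy from the sections above and the word-match configuration concrete, here is an added Python example; it is not NoSpamProxy code and not from the post's author. It classifies OneDrive links by the host and path patterns described above ("-my.sharepoint.com", "1drv.ms", "onedrive.live.com/download", "/redir", "/embed"), extracts URLs from the email body only, scores the body with the placeholder pattern "https://onedrive.live.com/download*" at 4 SCL points, and lets a static trusted-sender list stand in for the Level of Trust override. The two sample messages, the PLACEHOLDER identifiers, the classification labels and the trusted_senders allowlist are all constructed for the example.

```python
import re
from email import message_from_bytes, policy
from email.utils import parseaddr
from fnmatch import translate
from urllib.parse import urlparse

# Finds http(s) URLs in plain text and inside HTML href="..." attributes alike.
URL_RE = re.compile(r"https?://[^\s<>\"']+", re.IGNORECASE)

# The word group from the post: type "Placeholder", "*" at the end, 4 SCL points.
WORD_GROUPS = [("https://onedrive.live.com/download*", 4)]

# Constructed sample (assumption): a fake reply in the style shown in the post,
# with PLACEHOLDER instead of real OneDrive identifiers and a real password.
FAKE_REPLY = b"""From: "Alice Example" <alice@example.net>
Subject: RE: Invoice March
Content-Type: text/plain; charset=utf-8

Hi Bob, the document is here:
https://onedrive.live.com/download?cid=PLACEHOLDER&resid=PLACEHOLDER&authkey=PLACEHOLDER

File password: PLACEHOLDER
"""

# Constructed sample (assumption): a regular OneDrive Personal share notification.
LEGIT_SHARE = b"""From: Carol <carol@example.org>
Subject: Carol shared a file with you
Content-Type: multipart/alternative; boundary="b1"

--b1
Content-Type: text/plain; charset=utf-8

Open it here: https://1drv.ms/u/s!PLACEHOLDER.

--b1
Content-Type: text/html; charset=utf-8

<p>Open it <a href="https://1drv.ms/u/s!PLACEHOLDER">here</a>.</p>
--b1--
"""

def classify_onedrive_url(url):
    """Name the link family by the host/path patterns described in the post."""
    parts = urlparse(url)
    host = (parts.hostname or "").lower()
    path = parts.path.lower()
    if host.endswith(".sharepoint.com"):      # "<tenant>-my.sharepoint.com"
        return "onedrive-business"
    if host == "1drv.ms":                      # Microsoft's URL shortener
        return "onedrive-personal-shortlink"
    if host == "onedrive.live.com":
        if path.startswith("/download"):       # the rewritten form seen in QakBot mails
            return "onedrive-personal-download"
        if path.startswith("/redir"):          # what a 1drv.ms link resolves to
            return "onedrive-personal-redir"
        if path.startswith("/embed"):          # the default sharing path
            return "onedrive-personal-embed"
        return "onedrive-personal-other"
    return "other"

def body_urls(raw_message):
    """URLs from the text parts of the body only: headers and non-text parts are
    ignored, which mirrors restricting the word group's range to the email body."""
    msg = message_from_bytes(raw_message, policy=policy.default)
    found = []
    for part in msg.walk():
        if part.get_content_maintype() == "text":
            found += [u.rstrip(".,;:)") for u in URL_RE.findall(part.get_content())]
    return list(dict.fromkeys(found))  # de-duplicate, keep order

def word_match_scl(urls, word_groups=WORD_GROUPS):
    """Sum the SCL points of every word group whose placeholder pattern matches
    at least one body URL; fnmatch.translate turns the trailing "*" into ".*"."""
    scl = 0
    for pattern, points in word_groups:
        if any(re.match(translate(pattern), u, re.IGNORECASE) for u in urls):
            scl += points
    return scl

def evaluate(raw_message, threshold=4, trusted_senders=()):
    """Score one message. The static trusted_senders list is a simplified
    stand-in (assumption) for the Level of Trust override the post mentions."""
    msg = message_from_bytes(raw_message, policy=policy.default)
    sender = parseaddr(str(msg["From"] or ""))[1].lower()
    urls = body_urls(raw_message)
    scl = word_match_scl(urls)
    trusted = sender in {s.lower() for s in trusted_senders}
    return {
        "sender": sender,
        "links": [(u, classify_onedrive_url(u)) for u in urls],
        "scl": scl,
        "trusted": trusted,
        "action": "deliver" if trusted or scl < threshold else "reject",
    }

if __name__ == "__main__":
    for name, raw in (("fake reply", FAKE_REPLY), ("legit share", LEGIT_SHARE)):
        print(name, evaluate(raw))
```

The fake reply collects 4 SCL points from the "download" pattern and is rejected at the default threshold, while the regular share notification with its "1drv.ms" short link scores 0 and is delivered; the same fake reply from an address on the trusted list is delivered despite its score, which is the behaviour the Level of Trust override gives you in NoSpamProxy.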

With this knowledge you can handle such links to "OneDrive Personal" more strictly in NoSpamProxy. Ideally, the "URL Safeguard" function with the "URL Tracking" option is already in use. Then you can conveniently filter the message tracking for all emails containing the domain "onedrive.live.com" and decide for your company whether to filter more strictly here in the future for the sake of IT security.

Do you want to protect yourself from email reply chain attacks and don't have NoSpamProxy in use yet?

With NoSpamProxy you can reliably protect your company against cyber attacks. Request your free trial version now!

Get your free NoSpamProxy trial now!
© 2025 Net at Work GmbH