When Sharing Goes Wrong: Microsoft’s OneDrive File Picker Flaw
Imagine this.
You’re working from home, sipping coffee, and attending your third Teams meeting of the day. You get an email that looks like it came from a colleague. “Hey, can you take a quick look at the new marketing strategy? It’s in OneDrive. Just click the link.”
You click. A familiar Microsoft sign-in screen pops up. You enter your credentials. The screen blinks, and then nothing.
Except now a cybercriminal has your login.
So, what happened?
That email used Microsoft’s OneDrive File Picker to launch a convincing phishing attack. The OneDrive File Picker is a legitimate tool by Microsoft. It allows users to select and share files from OneDrive or SharePoint via web interfaces. It’s part of Microsoft’s Graph API and widely used in Microsoft 365, Teams, and third-party integrations.
Attackers are abusing this legitimate feature to make phishing links look trustworthy.
Who Does This Affect?
Anyone using Microsoft 365 services, especially:
Remote workers who rely on Teams, Outlook, and OneDrive.
IT administrators who manage document sharing policies.
Organizations with bring-your-own-device (BYOD) policies.
HR, finance, and legal departments, which handle sensitive files.
In short, if your workplace uses Microsoft tools, you're a potential target.
Why Is This So Risky?
The link looks legitimate. Attackers use the real OneDrive File Picker interface to present their phishing page.
SSO means one password rules them all. If a user enters credentials here, attackers gain access not just to OneDrive, but also to Teams, Outlook, and other connected services.
Multi-factor authentication (MFA) fatigue. Some attacks even bypass MFA through session token theft and replay.
Limited detection. Since this uses legitimate Microsoft infrastructure, many security tools don’t flag it as malicious.
How to Prevent and Stay Ahead
For Individuals:
Never trust links blindly, even if they look like Microsoft domains.
Verify with the sender using another method (Slack, phone, Teams chat).
Use passwordless authentication (e.g., the Microsoft Authenticator app or FIDO2 keys).
Don’t enter credentials into links sent via email. Access shared files by navigating directly to OneDrive or Teams.
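As an added example (not code from the original post or from Microsoft), here is a small Python check that applies the "never trust links blindly" advice mechanically: it parses a link and decides whether its host really is one of the Microsoft sign-in or OneDrive/SharePoint hosts, rejecting the usual look-alike constructions (a Microsoft name as a subdomain of another domain, userinfo before an "@", a bare IP, a punycode label, or plain http). The allowlist and the sample links are assumptions constructed for the example, not an authoritative inventory of Microsoft domains.

```python
from urllib.parse import urlsplit
import ipaddress

# Assumed allowlist for this example: hosts that legitimately serve Microsoft
# sign-in pages and OneDrive/SharePoint content. Tailor it to your tenant.
TRUSTED_EXACT = {
    "login.microsoftonline.com",
    "login.live.com",
    "onedrive.live.com",
}
# Exactly one tenant label is allowed in front of these suffixes
# (contoso.sharepoint.com, contoso-my.sharepoint.com).
TRUSTED_SUFFIXES = (".sharepoint.com",)


def link_verdict(url: str):
    """Return (trusted, reason) for a link the user is about to follow."""
    try:
        parts = urlsplit(url.strip())
    except ValueError as exc:
        return False, f"unparseable URL: {exc}"

    if parts.scheme.lower() != "https":
        return False, f"scheme is '{parts.scheme or 'none'}', not https"

    # https://login.microsoftonline.com@evil.example/ parses as user
    # 'login.microsoftonline.com' on host 'evil.example'.
    if parts.username is not None or parts.password is not None:
        return False, "userinfo before '@' hides the real host"

    host = (parts.hostname or "").lower().rstrip(".")
    if not host:
        return False, "no hostname"

    try:
        ipaddress.ip_address(host)
    except ValueError:
        pass
    else:
        return False, "bare IP address instead of a Microsoft hostname"

    # Punycode labels can render as look-alike Unicode characters.
    if any(label.startswith("xn--") for label in host.split(".")):
        return False, "internationalised (punycode) label; possible homoglyph domain"

    if host in TRUSTED_EXACT:
        return True, f"exact match: {host}"

    for suffix in TRUSTED_SUFFIXES:
        if host.endswith(suffix):
            tenant = host[: -len(suffix)]
            # One label only: rejects evil.contoso.sharepoint.com-style
            # nesting as well as the bare suffix.
            if tenant and "." not in tenant:
                return True, f"tenant host under {suffix}: {host}"
            return False, f"unexpected label structure under {suffix}"

    # login.microsoftonline.com.evil.example lands here: the registrable
    # domain is evil.example, whatever the leading labels say.
    return False, f"host {host} is not on the allowlist"


# Constructed sample links for the demonstration.
CONSTRUCTED_LINKS = [
    "https://login.microsoftonline.com/common/oauth2/v2.0/authorize?client_id=x",
    "https://contoso-my.sharepoint.com/personal/alice/Documents/plan.docx",
    "https://login.microsoftonline.com.evil.example/sign-in",
    "https://login.microsoftonline.com@evil.example/sign-in",
    "http://onedrive.live.com/",
    "https://evil.contoso.sharepoint.com/",
    "https://xn--lgin-microsoftonline-com.example/",
    "https://10.0.0.5/",
]

if __name__ == "__main__":
    for link in CONSTRUCTED_LINKS:
        ok, why = link_verdict(link)
        print(("TRUST  " if ok else "REJECT ") + link + "  (" + why + ")")
```

The check deliberately works on the hostname the URL parser actually resolves, not on whether a Microsoft name appears anywhere in the string; that is the distinction most look-alike links rely on users not making.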
For Organizations:
Restrict file picker access using Conditional Access and App Governance in Microsoft 365.
Enable Defender for Office 365 with Safe Links and Safe Attachments.
Train employees regularly on identifying phishing tactics—especially ones using trusted platforms.
Use Microsoft Purview to monitor and audit OneDrive sharing activity.
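As an added example (not part of the original post, and not a Purview feature), here is a Python review of constructed OneDrive sharing audit records that flags the patterns an auditor looks for: "anyone" links, shares to guests or non-tenant domains, and a burst of external shares from one account within a short window, a pattern worth checking when an account may have been phished. The record shape is modelled loosely on a Microsoft 365 unified audit log export; the field names, the tenant domain and every record below are assumptions made for this example.

```python
import json
from collections import defaultdict
from datetime import datetime, timedelta

# Assumed tenant domains; any other e-mail domain counts as external.
ORG_DOMAINS = {"contoso.example"}

# Constructed sample records (assumed schema and values, JSON lines).
SAMPLE_AUDIT_JSONL = """\
{"CreationTime": "2024-05-01T09:00:12", "Operation": "SharingSet", "UserId": "alice@contoso.example", "ObjectId": "https://contoso-my.sharepoint.com/personal/alice/Documents/Q2-plan.docx", "TargetUserOrGroupName": "bob@contoso.example", "TargetUserOrGroupType": "Member", "ClientIP": "10.1.2.3"}
{"CreationTime": "2024-05-01T09:01:40", "Operation": "AnonymousLinkCreated", "UserId": "carol@contoso.example", "ObjectId": "https://contoso-my.sharepoint.com/personal/carol/Documents/payroll.xlsx", "ClientIP": "10.1.2.9"}
{"CreationTime": "2024-05-01T09:02:05", "Operation": "SharingInvitationCreated", "UserId": "dave@contoso.example", "ObjectId": "https://contoso-my.sharepoint.com/personal/dave/Documents/contract-A.pdf", "TargetUserOrGroupName": "partner@vendor.example", "TargetUserOrGroupType": "Guest", "ClientIP": "203.0.113.7"}
{"CreationTime": "2024-05-01T09:03:10", "Operation": "SharingSet", "UserId": "dave@contoso.example", "ObjectId": "https://contoso-my.sharepoint.com/personal/dave/Documents/contract-B.pdf", "TargetUserOrGroupName": "partner2@vendor.example", "TargetUserOrGroupType": "Guest", "ClientIP": "203.0.113.7"}
{"CreationTime": "2024-05-01T09:04:22", "Operation": "SharingInvitationCreated", "UserId": "dave@contoso.example", "ObjectId": "https://contoso-my.sharepoint.com/personal/dave/Documents/salary-bands.xlsx", "TargetUserOrGroupName": "someone@mail.example", "TargetUserOrGroupType": "Guest", "ClientIP": "203.0.113.7"}
{"CreationTime": "2024-05-01T09:30:00", "Operation": "SharingSet", "UserId": "erin@contoso.example", "ObjectId": "https://contoso-my.sharepoint.com/personal/erin/Documents/report.docx", "TargetUserOrGroupName": "auditor@audit.example", "TargetUserOrGroupType": "Guest", "ClientIP": "10.1.2.5"}
"""


def parse_records(jsonl):
    """Parse a JSON-lines audit export into records sorted by event time."""
    records = []
    for line in jsonl.splitlines():
        if not line.strip():
            continue
        rec = json.loads(line)
        rec["_time"] = datetime.fromisoformat(rec["CreationTime"])
        records.append(rec)
    return sorted(records, key=lambda r: r["_time"])


def is_external_target(rec, org_domains):
    """True when the share goes to a guest or to a non-tenant e-mail domain."""
    if rec.get("TargetUserOrGroupType") == "Guest":
        return True
    target = rec.get("TargetUserOrGroupName", "")
    if "@" in target:
        return target.rsplit("@", 1)[1].lower() not in org_domains
    return False


def review_sharing(jsonl, org_domains=ORG_DOMAINS, burst_threshold=3,
                   window=timedelta(minutes=10)):
    """Return a list of findings; each is a dict with a 'rule' and 'severity'."""
    findings = []
    recent_external = defaultdict(list)   # user -> external-share times in window
    burst_reported = set()

    for rec in parse_records(jsonl):
        op, user, when = rec.get("Operation"), rec.get("UserId"), rec["_time"]
        base = {"user": user, "object": rec.get("ObjectId"),
                "time": rec["CreationTime"], "client_ip": rec.get("ClientIP")}

        if op == "AnonymousLinkCreated":
            findings.append({**base, "severity": "high", "rule": "anonymous_link",
                             "detail": "anyone-with-the-link URL created"})
        elif op in ("SharingSet", "SharingInvitationCreated") and \
                is_external_target(rec, org_domains):
            findings.append({**base, "severity": "medium", "rule": "external_share",
                             "detail": f"shared with {rec.get('TargetUserOrGroupName')}"})
            # Sliding window: drop timestamps older than the window, then
            # raise one burst finding per user once the threshold is reached.
            times = recent_external[user]
            times.append(when)
            while times and when - times[0] > window:
                times.pop(0)
            if len(times) >= burst_threshold and user not in burst_reported:
                burst_reported.add(user)
                findings.append({**base, "severity": "high",
                                 "rule": "external_share_burst",
                                 "detail": f"{len(times)} external shares within {window}"})
    return findings


if __name__ == "__main__":
    for f in review_sharing(SAMPLE_AUDIT_JSONL):
        print(f"[{f['severity']:<6}] {f['rule']:<21} {f['user']}  {f['object']}  {f['detail']}")
```

The burst rule is the one that matters most after a phishing incident: a single external share is routine, but several in a few minutes from one account, especially from a client IP the user does not normally use, is the signature of someone else driving that account.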
Final Thoughts
Microsoft’s OneDrive File Picker is a powerful productivity tool, but, like all good tech, it can be misused. The key is not to panic but to stay informed, practice digital hygiene, and train your teams to verify first and click later.