Beware – fake Office 365 / OneDrive file deletion alerts

Office for Mere Mortals helps people around the world get more from Word, Excel, PowerPoint and Outlook. Delivered once a week. free.


The latest hacker trick is sending fake ‘file deletion’ email, taking advantage of a useful Microsoft service for all Office 365 and OneDrive customers.

If many files are deleted from a OneDrive account, Microsoft sends an email warning to the customer.  It’s possible that the deletion was accidental or caused by ransomware. The warning is a good idea, giving the user a chance to recover the deleted files from the OneDrive Recycle bin.  It’s also a protection against ransomware.

Here’s a real OneDrive deletion warning.

We often see messages like this after clearing out older Camera Roll images or removing older files from OneDrive.  Microsoft sends the emails as part of their ransomware protection but they are also useful for accidental file or folder deletion.

The phishing messages might look like that or use other wording such as ‘Alert’  ‘High Severity’ etc and a prominent link to ‘View Alerts’ or ‘View deleted files’.

Fake login pages

The links are bogus.   Click on a link in the phishing email and you’ll be taken to this sincere looking but very dangerous web page.

Source:  TwinState.com

That’s a fake Microsoft page which grabs your login name and password so the criminals can login to your account.

In theory, you should check the browser address bar to make sure it’s the right domain name. Hackers setup tricky domain names with Microsoft related words to fool the unwary.  Amazingly, Microsoft helps them!

Azure domain trick

Hackers use Microsoft’s Azure system to host their fake login pages and grab password details.  They do that to make use of Microsoft’s own domains to trick customers.

Look closely at the address bar for the fake login page above.  It’s from the ‘windows.net’ domain which you might think means it’s a legitimate Microsoft domain name and login.

It’s a Microsoft owned domain name but NOT a Microsoft login page.

Azure web hosting comes with some default domains like:

  • web.core.windows.net
  • azurewebsites.net

The hackers leave the default domains, hoping that those names will fool people into thinking they are legitimate Microsoft sites. Normally, you’d not see these domain names because the Azure customer would use their own domain names instead.

Yes, you’d think Microsoft would take more action to stop this misuse of their services.  We hear much about Microsoft’s commitment to security, but they allow these gaping holes to exist and continue.  It’s hard to understand why ‘Windows.net’ was ever allowed as a default domain.

Phishing is a sad fact of modern life.  The companies that are being faked could do more to help their customers but can’t stop criminals targeting their customers.

What to do?

Aside from being wary?

If you get a ‘warning’ message from Microsoft, Google, Facebook or any company. Don’t take it at face value.

Fake messages are designed to trick people into quick action with a false urgency.

  • Ignore any links in the message
  • Go to your browser and login to the account directly  go to office.com google.com etc.
  • Check for any problem or warning notice. If the email was real, it should be supported by messages online.

Want More?

Office Watch has the latest news and tips about Microsoft Office. Independent since 1996. Delivered once a week.