University OneDrive Share Credential Harvesting Campaign
3 July 2026
By Hiwot Mendahun and the Mimecast Threat Research Team
- Low-volume credential harvesting campaign observed 20–24 June 2026 abusing Microsoft OneDrive share notifications from a single consumer Outlook account
- Institution-branded Word documents on OneDrive link to zmact[.]us → loq.broadpath[.]us (Cloudflare-protected) → fake Microsoft 365 OAuth sign-in
- Recipient lists show departmental clustering with customized share-notification descriptors aligned to target roles
- Campaign objective: Microsoft 365 / Entra ID credential and session-token theft for mailbox takeover
Campaign Overview
The Mimecast Threat Research team has identified a credential harvesting operation targeting staff and faculty at universities and health-sciences colleges in Australia and the United States. The campaign uses a trusted-service delivery model: messages coming from a OneDrive file-share notification with a display name of "Jesse Lee", while the true SMTP sender is a single individual Outlook account (outlook_024EE0F96AD209F4@outlook.com).
Each wave uses an institution-specific lure document hosted on the same attacker-controlled OneDrive personal tenant (024ee0f96ad209f4). Documents carry the target institution's branding and instruct recipients to open a link presented as a secured SharePoint document. Selecting the link routes victims through attacker redirect infrastructure before presenting a high-fidelity Microsoft sign-in page on a non-Microsoft domain.
Volume remains relatively low consistent with a targeted or semi-targeted operation rather than mass spam. However, the campaign spans multiple institutions, reuses a single sender and OneDrive account, and shows evidence of list metadata injection into notification text.
Campaign Flow
Stage 1: OneDrive Share Notification Email
Recipients receive a message matching Microsoft's standard OneDrive sharing template. The subject line follows the pattern ‘Jesse Lee shared "
The notification body includes a secondary descriptor line (e.g. "MSPAS, PA-C, Program Director, Sent you a file") that appears customized to the recipient's cohort.
[Figure 1: OneDrive share notification]
Stage 2: Institution-Branded OneDrive Document
Following the share link opens a Word document on onedrive.live.com under the attacker's personal account. The document reproduces the target institution's logo and states that the organisation has shared a secured document via Microsoft SharePoint. A prominent "OPEN DOCUMENT" hyperlink embeds the credential-harvesting redirect chain.
Stage 3: Redirect via zmact[.]us
The embedded link points to zmact[.]us with query parameters including tenantKey=WG0SL5 and a forged returnUrl referencing /connect/authorize/callback with client_id=Portal. The redirector returns an HTTP 302 to the final phishing host.
Stage 4: Cloudflare Challenge on loq[.]broadpath[.]us
Victims are forwarded to loq.broadpath[.]us, which presents a Cloudflare managed challenge ("Performing security verification"). This layer filters automated scanners and sandboxes before the credential page is served.
Stage 5: Fake Microsoft 365 Sign-In
After passing the challenge, victims reach a Microsoft OAuth-style authorisation page hosted on loq.broadpath[.]us under the path /common/oauth2/v2.0/authorize. The page mimics Entra ID sign-in with parameters consistent with AiTM-style credential and token capture kits.
[Figure 4: Credential harvesting page on non-Microsoft domain]
Volume and Timing
Mimecast observed activity across a five-day window (20–24 June 2026), with delivery concentrated on three days:
|
Date |
Events |
Unique recipients |
Region / sector |
|
20 Jun 2026 |
238 |
226 |
Australia - large public university (+ international education partners) |
|
23 Jun 2026 |
207 |
198 |
United States - private university |
|
24 Jun 2026 |
108 |
102 |
United States - health sciences college (+ Australian partner institution) |
|
Total |
553 |
526 |
— |
All observed waves originate from the same sender address. Each institutionis targeted by a distinct lure document on the shared OneDrive account, delivered in short bursts (minutes per wave) rather than sustained high-volume spam.
Customised notification metadata
While SMTP originates from a single Outlook account, visible share-notification text varies. Secondary descriptor lines (e.g. programme director titles) appear tailored to the recipient cohort consistent with scraped directory metadata injected into the OneDrive notification template.
Technical Analysis
OneDrive account reuse
All lure documents share the same OneDrive personal identifier 024ee0f96ad209f4, matching the hex string embedded in the sender address.
Phishing kit indicators
- Redirector parameter tenantKey=WG0SL5 on zmact[.]us
- OAuth-style returnUrl forged to resemble Entra ID portal callback (client_id=Portal, response_type=id_token, scope=openid)
- Final host serves /common/oauth2/v2.0/authorize on attacker infrastructure
- Cloudflare managed challenge on redirector
Mimecast Protection
Mimecast has identified attributes associated with this campaign across trusted-service abuse, redirector infrastructure, and OAuth-path phishing on non-Microsoft domains. The Threat Research team continues to monitor for new lure documents, institutions, and infrastructure rotation on the zmact[.]us / broadpath[.]us clusters.
Targets:
|
Region |
Sector |
Unique recipients |
Targeting character |
|
Australia |
Large public university |
~220 |
Admin, recruitment, HDR, nursing governance, shared mailboxes |
|
Australia |
International education partners |
~6 |
Recruitment and campus operations |
|
United States |
Health sciences college |
~101 |
DPT faculty, student affairs, allied health programmes |
|
United States |
Private university |
~198 |
Athletics, sport sciences, sciences, business — directory export |
Indicators of Compromise (IOCs)
|
Indicator |
Description |
|
outlook_024EE0F96AD209F4@outlook[.]com |
Campaign SMTP sender (display name: Jesse Lee) |
|
024ee0f96ad209f4 |
Attacker OneDrive personal account identifier |
|
zmact[.]us |
Primary redirector domain |
|
loq[.]broadpath[.]us |
Credential harvesting host (Cloudflare-protected) |
|
https://1drv.ms/w/c/024ee0f96ad209f4/[REDACTED_FILE_ID] |
OneDrive short-link lure (institution-branded documents) |
|
https://onedrive.live.com/:w:/g/personal/024ee0f96ad209f4/[REDACTED_FILE_ID] |
OneDrive long-form lure URL |
|
https://zmact[.]us/[REDACTED]?tenantKey=WG0SL5&returnUrl=[REDACTED] |
Redirect URL with forged OAuth callback parameters |
|
https://loq[.]broadpath[.]us/[REDACTED] |
Post-redirect phishing path |
|
https://loq[.]broadpath[.]us/common/oauth2/v2.0/authorize?[REDACTED] |
Fake Microsoft OAuth authorisation endpoint |
|
Jesse Lee shared "[Institution Name]" with you |
Email subject line pattern (institution name varies per wave) |
|
[Institution Name].docx |
Lure document filename pattern (branded per target organisation) |
|
Your organization has shared a secured document with you through Microsoft SharePoint |
In-document lure text |
|
WG0SL5 |
Phishing kit tenantKey parameter on zmact[.]us |
Recommendations
User Awareness Training
- Educate employees to treat unsolicited OneDrive share notifications as untrusted until the actual sender address is verified
- Emphasise that legitimate university document shares originate from organisational domains, not consumer @outlook.com accounts
- Instruct users to inspect the browser address bar after clicking document links; Microsoft sign-in must be on login.microsoftonline.com
- Alert higher-education staff in recruitment, HDR, nursing administration, athletics, and health sciences as priority cohorts
Proactive Threat Hunting
- Search mail logs for messages from outlook_024EE0F96AD209F4@outlook[.]com or subjects matching Jesse Lee shared
- Hunt web proxy / DNS logs for zmact[.]us, broadpath[.]us, and OAuth paths on non-Microsoft hosts
- Review Entra ID sign-in logs for anomalous authentications involving loq[.]broadpath[.]us or failed GetCredentialType probes from non-campus IPs
Conclusion
This campaign illustrates how commodity credential-harvesting operators combine trusted cloud file-sharing delivery, institution-branded lures, and programme-specific target lists to compromise university mailboxes at low volume. Higher-education security teams should treat consumer-cloud share notifications as a high-risk vector and prioritize detection at both the email and post-click redirect stages.
Keep your edge in threat intelligence
Join thousands of security professionals who rely on our curated alerts, expert analysis, and campaign IOCs to defend against the latest cyber threats.
Sign up successful
Thank you for signing up to receive updates for our threat intelligence notifications.
We will be in touch!