The NJCCIC continues to observe phishing campaigns that attempt to steal credentials associated with Microsoft's OneDrive cloud-based file-sharing service. The phishing emails contain an embedded URL that redirects an unsuspecting user to a fraudulent website that resembles the legitimate Microsoft login webpage; however, it contains spelling and grammatical errors. When the user logs in, their credentials may be sent to an external site controlled by the threat actor, saved in a text file for later retrieval by the threat actor, or emailed to an email address controlled by the threat actor. The user is then frequently redirected to the legitimate Microsoft login webpage, which indicates that the user's login failed to process and that they will need to log in again. Alternatively, a PDF or other document may be opened and displayed to the user in order to avoid arousing suspicion. Threat actors often target file-sharing sites since they are commonly used for business purposes and may provide access to sensitive information.

The NJCCIC recommends users remain vigilant and follow basic cybersecurity best practices. We strongly encourage educating users about this and similar threats and reminding them to refrain from clicking on links or opening attachments delivered with unexpected or unsolicited emails, including those from known senders. If the user is uncertain of the email’s legitimacy, they should contact the sender via an alternate method. If credential compromise is suspected, users are advised to change credentials across all accounts that used the same login information and enable multi-factor authentication where available.
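The redirect to the legitimate Microsoft login webpage described above leaves a recognizable sequence in web proxy logs: a form POST to an unfamiliar host, followed within seconds by a request from the same client to a Microsoft login host. The detection logic below is an added example, not NJCCIC code; the log format, the `.example` hosts, the 30-second window and the allowlist of Microsoft login hosts are assumptions.

```python
from datetime import datetime, timedelta
from urllib.parse import urlsplit

# Assumption: hosts treated as the legitimate Microsoft sign-in pages.
MS_LOGIN_HOSTS = {"login.microsoftonline.com", "login.live.com"}
WINDOW = timedelta(seconds=30)  # assumed max gap between POST and redirect

# Constructed sample proxy log: time, client, method, URL, referer ("-" = none).
SAMPLE_LOG = """\
2024-01-01T09:00:01 10.0.0.5 GET https://onedrive-share.example/login.php -
2024-01-01T09:00:20 10.0.0.5 POST https://onedrive-share.example/login.php https://onedrive-share.example/login.php
2024-01-01T09:00:21 10.0.0.5 GET https://login.microsoftonline.com/ https://onedrive-share.example/login.php
2024-01-01T09:05:00 10.0.0.9 POST https://login.microsoftonline.com/common/login https://login.microsoftonline.com/
2024-01-01T09:05:01 10.0.0.9 GET https://www.office.com/ https://login.microsoftonline.com/
2024-01-01T09:10:00 10.0.0.7 POST https://intranet.example/form -
2024-01-01T09:20:00 10.0.0.7 GET https://login.microsoftonline.com/ -
"""

def parse(line):
    """Split one constructed log line into a record with parsed time and hosts."""
    ts, client, method, url, referer = line.split()
    return {"ts": datetime.fromisoformat(ts), "client": client, "method": method,
            "host": urlsplit(url).hostname,
            "ref_host": urlsplit(referer).hostname if referer != "-" else None}

def find_harvest_redirects(log_text):
    """Alert on a POST to a non-Microsoft host followed by a hop to Microsoft login."""
    last_post = {}  # client -> most recent POST to a non-Microsoft host
    alerts = []
    for rec in map(parse, filter(None, log_text.splitlines())):
        if rec["method"] == "POST" and rec["host"] not in MS_LOGIN_HOSTS:
            last_post[rec["client"]] = rec
        elif rec["method"] == "GET" and rec["host"] in MS_LOGIN_HOSTS:
            post = last_post.pop(rec["client"], None)
            if post and rec["ts"] - post["ts"] <= WINDOW:
                # referer_match is the stronger signal: the login page was
                # reached directly from the host that received the POST.
                alerts.append({"client": rec["client"], "suspect_host": post["host"],
                               "referer_match": rec["ref_host"] == post["host"]})
    return alerts

if __name__ == "__main__":
    for alert in find_harvest_redirects(SAMPLE_LOG):
        print(alert)
```

Sites that legitimately hand off to Microsoft sign-in after a form submission will also match, so known federated applications should be excluded before alerting on the result.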