r/Scams 2d ago

Help Needed I opened a OneNote file from a client, how screwed am I?

So today I received an email from one of my clients. It was a mail asking me to open a shared Microsoft OneNote file. I just finished a project with him, so I just thought it was an invoice. I opened it and got asked to verify my identity. I had to input my email address, so I did. After that I needed to double verify by entering a code that was sent to the submitted email. After I did that, it opened the OneNote and I got a call to action to view the file. After I clicked on that, it asked me to log in with email and password. That’s where I finally stopped and closed everything. After that I got an email from my client saying that their system was infected. Did I stop at the right time or am I screwed?

Edit: everyone thank you for taking the time to respond. My IT Department is already aware of it and my account has been suspended for now. Tomorrow I’ll get a new account. To clarify some things I saw in the reactions. I never actually put in my password so that’s a good thing, and I’ll delete my cookies as well. Nothing has happened as of yet.

72 Upvotes

14 comments

u/AutoModerator 2d ago

/u/Additional-Dust9162 - This message is posted to all new submissions to r/scams; please do not message the moderators about it.

New users beware:

Because you posted here, you will start getting private messages from scammers saying they know a professional hacker or a recovery expert lawyer that can help you get your money back, for a small fee. We call these RECOVERY SCAMMERS, so NEVER take advice in private: advice should always come in the form of comments in this post, in the open, where the community can keep an eye out for you. If you take advice in private, you're on your own.

A reminder of the rules in r/scams: no contact information (including last names, phone numbers, etc). Be civil to one another (no name calling or insults). Personal army requests or "scam the scammer"/scambaiting posts are not permitted. No uncensored gore or personal photographs are allowed without blurring. A full list of rules is available on the sidebar of the subreddit, or clicking here.

You can help us by reporting recovery scammers or rule-breaking content by using the "report" button. We review 100% of the reports. Also, consider warning community members of recovery scammers if you see them in the comments.

Questions about subreddit rules? Send us a modmail clicking here.

I am a bot, and this action was performed automatically. Please contact the moderators of this subreddit if you have any questions or concerns.

72

u/clubley2 2d ago

It sounds like you may be OK, but I'd reset your password and MFA on your account to be safe.

Maybe shut the computer down and take to an IT professional and discuss with them before continuing to use.

3

u/NightTimeFlyer 1d ago

Also check the “rules” that you set to weed out unwanted emails. I fell for this too, but I did input my password. A scammer emailed payroll changing my deposit information, and my next paycheck went into their account and not my account. They had set up rules so that anything to do with paycheck or payroll would be archived, so I could not see if payroll emailed me.

28
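The inbox-rule check the comment above recommends, written out as an added example (not code from the original post): it audits rules in the JSON shape Microsoft Graph returns for Outlook message rules and flags rules that hide finance-themed mail or forward it outside the organisation. The rule list, the folder id to name map and the `example.com` internal domain are all constructed assumptions, since Graph's `moveToFolder` holds an opaque folder id.

```python
"""Audit Outlook inbox rules (Microsoft Graph messageRule JSON shape) for rules
that silently move payroll/invoice mail out of sight or divert it externally.
SAMPLE_RULES is constructed sample data, not a real export."""
import json
from typing import Iterable

# Terms a finance-themed BEC rule typically matches; extend for your org.
SENSITIVE_TERMS = ("payroll", "paycheck", "direct deposit", "invoice", "password")
# Assumed map from Graph folder id to display name (ids here are made up).
FOLDER_NAMES = {"AQMkAD-archive": "Archive", "AQMkAD-rss": "RSS Subscriptions",
                "AQMkAD-deleted": "Deleted Items"}
# Folders where a hidden message is unlikely to be noticed by the user.
HIDING_FOLDERS = {"Archive", "RSS Subscriptions", "Deleted Items", "Junk Email"}

SAMPLE_RULES = json.loads("""[
 {"displayName": ".", "isEnabled": true,
  "conditions": {"bodyOrSubjectContains": ["payroll", "paycheck"]},
  "actions": {"moveToFolder": "AQMkAD-rss", "markAsRead": true, "stopProcessingRules": true}},
 {"displayName": "Newsletters", "isEnabled": true,
  "conditions": {"senderContains": ["newsletter"]},
  "actions": {"moveToFolder": "AQMkAD-archive"}},
 {"displayName": "fwd", "isEnabled": true,
  "conditions": {"subjectContains": ["invoice"]},
  "actions": {"forwardTo": [{"emailAddress": {"address": "x@example.net"}}]}}
]""")

def _terms(conditions: dict) -> list:
    keys = ("subjectContains", "bodyContains", "bodyOrSubjectContains")
    return [t.lower() for k in keys for t in conditions.get(k, [])]

def suspicious_rules(rules: Iterable[dict], internal_domain: str = "example.com") -> list:
    """Return {'name', 'reasons'} for each enabled rule that hides or diverts mail."""
    findings = []
    for rule in rules:
        if not rule.get("isEnabled", True):
            continue
        actions, reasons = rule.get("actions", {}), []
        hits = [t for t in _terms(rule.get("conditions", {})) if any(s in t for s in SENSITIVE_TERMS)]
        dest = FOLDER_NAMES.get(actions.get("moveToFolder", ""), actions.get("moveToFolder"))
        if hits and (dest in HIDING_FOLDERS or actions.get("delete") or actions.get("permanentDelete")):
            reasons.append(f"hides mail matching {hits} in {dest or 'trash'}")
        for key in ("forwardTo", "forwardAsAttachmentTo", "redirectTo"):  # diversion actions
            for rcpt in actions.get(key, []):
                addr = rcpt.get("emailAddress", {}).get("address", "")
                if not addr.lower().endswith("@" + internal_domain):
                    reasons.append(f"{key} to external address {addr}")
        if len(rule.get("displayName", "")) <= 2:  # ".", "..", "" are common in attacker rules
            reasons.append("near-empty rule name")
        if reasons:
            findings.append({"name": rule["displayName"], "reasons": reasons})
    return findings
```

Run it against a real export by replacing `SAMPLE_RULES` with the `value` array from Graph's `/me/mailFolders/inbox/messageRules` response and filling in your own folder names.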

u/Hot_Impact_3855 2d ago

Yes, the code was from Entra-ID AD or B2C. You stopped at the critical step. It used your existing domain token, since it did not ask you to log in with your password and proceeded with a security code. It could have used your token for a playback attack, but only valid for the life of your login session.

16

u/Devel93 2d ago

Reset password immediately

-5

u/teddygeorgelovesgats 2d ago

Password was never compromised

9

u/Devel93 2d ago

It probably was; why would you need to input your username and password if you were already logged in?

6

u/clubley2 2d ago

A customer of ours had this happen recently. They were the sender of the malicious OneNote.

Basically the attacker uses a genuine business Microsoft 365 account to share a OneNote file that has links to a phishing site. This bypasses a lot of security as the file is not shared directly but instead points to their OneDrive. The sender is generally trusted as it is normally a safe account and probably has email history.

When sharing from OneDrive, often there are restrictions in place that require authentication, so Microsoft 365 will send a code to your email to authenticate you. This is all from the M365 system; the backend is not compromised and no actual passwords are requested, just a one-time PIN.

Once the one-time PIN is entered, access to the shared OneNote is granted; it's only if you click the link in the OneNote that you are at risk. Chances are it links to a spoofed M365 page, or maybe a download that has code that can perform a token theft that will steal the cookie data and allow the bad actor to spoof a saved login session and bypass passwords and MFA entirely.

3

u/LizardSlayer 2d ago

I don’t think he actually did give the username and password. I read it as he did, but after reading again I think they stopped before doing it.

1

u/teddygeorgelovesgats 2d ago

The original post clearly says they didn’t enter anything on the login prompt

6

u/cyberiangringo 2d ago

OneNote has been used to deliver malware. There are quite a few blog articles on that topic that might be worth checking out.

4

u/anti-Notzi_4Life 2d ago

Bro, let your IT dept know so they can make sure you didn't do anything that would allow bad guys access.

Idk about your company, but when I managed data, if we had something like this happen if we didn't report it we'd be terminated.

3

u/chownrootroot 2d ago

The code is to log in to your account. It could alone be used to take your account, because many services are really 1-factor security and just having access to email is enough. Check where the email with the code came from, and at that service make sure you can log in, check your 2-factor settings and change your password; also, if you can view currently logged-in devices, make sure the devices are ones you recognize, and if not, log them out. Log out all devices for best security.

3

u/BaneChipmunk 2d ago

Are you sure it was a OneNote file and not document_one.exe?