Fake Microsoft OneDrive Storage Full Phishing Scam
Phishing emails styled as Microsoft OneDrive notifications claim the victim's cloud storage is full or a file has been shared, directing them to a fake Microsoft sign-in page to harvest their Microsoft account credentials.
Part of: Fake Cloud Storage Alerts
Last reviewed: 8 June 2026
Microsoft OneDrive is integrated with Windows and Microsoft 365, and many users receive genuine storage and file-sharing notifications from Microsoft. Real OneDrive emails come from addresses ending in @microsoft.com or @sharepointonline.com, and the sign-in page is always at login.microsoftonline.com.
Because OneDrive file-share notifications are a normal part of workplace and personal workflows, they make highly credible lures. Employees who regularly receive 'John has shared a document with you' emails may click without pausing to verify the sender address.
Criminals replicate the visual style of genuine OneDrive notification emails pixel-for-pixel, replacing only the underlying links with credential-harvesting redirect chains.
How this scam works on the Microsoft brand
The victim receives an email that appears to be a Microsoft OneDrive notification. The message may say their storage is at 99% capacity and they must upgrade, or that a colleague has shared an important file with them. The email design exactly matches Microsoft's branded templates.
Clicking 'Open in OneDrive' or 'Manage Storage' leads to a convincing Microsoft sign-in page hosted on a domain such as microsoftonline-verify.com or onedrive-sharepoint-portal.net. After the victim enters their Microsoft 365 email and password, the page may show a second prompt for an MFA code, which the attacker uses in a real-time relay attack to complete sign-in and immediately access the victim's emails, SharePoint, and OneDrive files.
Corporate victims are especially valuable targets because their Microsoft 365 accounts often contain payroll records, client data, or access to financial systems.
Common red flags
- The sender's email domain is not @microsoft.com, @sharepointonline.com, or @onedrive.com.
- The sign-in page URL is not login.microsoftonline.com or login.microsoft.com.
- The email was unexpected — you did not request a storage upgrade or know anyone who would have shared this file.
- Hovering over links reveals redirect URLs with random strings or non-Microsoft domains.
- The email asks you to sign in urgently within a short window or face data loss.
- After entering credentials, the page asks for your MFA code unusually quickly.
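The first four red flags above can be checked mechanically against a message's From: header and the links in its body. The script below is an added example (not code from the original page or from Microsoft): it allowlists only the sender domains and sign-in hosts named on this page, treats any other host that contains a Microsoft brand word as a lookalike, and looks for the "act within N hours or lose your files" pressure language. The two sample messages, including the lookalike domain taken from the text above, are constructed for illustration.

```python
"""Added example, not code from the original page: apply the red flags above
(sender domain, link destination, urgency wording) to an email's headers and
body. The sample messages at the bottom are constructed for illustration."""
import re
from email.utils import parseaddr
from urllib.parse import urlparse

# Domains the page names as legitimate senders of OneDrive notifications
ALLOWED_SENDER_DOMAINS = ("microsoft.com", "sharepointonline.com", "onedrive.com")
# Hosts the page names as legitimate sign-in / OneDrive destinations
ALLOWED_LINK_HOSTS = ("login.microsoftonline.com", "login.microsoft.com",
                      "onedrive.live.com", "account.microsoft.com")
# Brand words; a host outside the allowlist that contains one is a lookalike
BRAND_TERMS = ("microsoft", "onedrive", "sharepoint", "office365")
# Phrases typical of the "sign in now or face data loss" pressure described above
URGENCY_PATTERNS = (r"\bwithin \d+ (hours?|days?)\b",
                    r"\bwill be (deleted|suspended)\b",
                    r"\bimmediately\b",
                    r"\blose (all )?(your )?(data|files)\b")


def _under(host, domains):
    """True if host equals, or is a subdomain of, any domain in `domains`."""
    host = host.lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in domains)


def sender_domain(from_header):
    """Domain part of the real address in a From: header ('' if none).
    parseaddr() returns the address, not the display name, so a friendly
    display name cannot satisfy the check on its own."""
    _, addr = parseaddr(from_header)
    return addr.rsplit("@", 1)[1].lower() if "@" in addr else ""


def sender_domain_ok(from_header):
    return _under(sender_domain(from_header), ALLOWED_SENDER_DOMAINS)


def extract_urls(text):
    """Pull http(s) links out of a plain-text body."""
    return re.findall(r"https?://[^\s\"'<>)]+", text)


def classify_url(url):
    """Return a reason string if the link target is suspicious, else None."""
    host = (urlparse(url).hostname or "").lower()
    if not host:
        return "unparseable URL: " + url
    if _under(host, ALLOWED_LINK_HOSTS) or _under(host, ALLOWED_SENDER_DOMAINS):
        return None
    if any(term in host for term in BRAND_TERMS):
        return "lookalike domain: " + host
    return "non-Microsoft link: " + host


def assess_email(from_header, subject, body):
    """Collect red flags for one message; an empty list means none were found."""
    reasons = []
    if not sender_domain_ok(from_header):
        reasons.append("sender domain not Microsoft: "
                       + (sender_domain(from_header) or "(none)"))
    for url in extract_urls(body):
        reason = classify_url(url)
        if reason:
            reasons.append(reason)
    text = subject + " " + body
    if any(re.search(p, text, re.IGNORECASE) for p in URGENCY_PATTERNS):
        reasons.append("urgency language")
    return reasons


# Constructed sample messages (not real emails)
PHISH_EMAIL = {
    "from_header": "OneDrive <alerts@microsoftonline-verify.com>",
    "subject": "Your OneDrive storage is 99% full",
    "body": "Sign in within 24 hours or your files will be deleted: "
            "https://microsoftonline-verify.com/login?ref=a8f3k2",
}
LEGIT_EMAIL = {
    "from_header": "Microsoft OneDrive <no-reply@sharepointonline.com>",
    "subject": "Jane shared a document with you",
    "body": "Open it in OneDrive: https://onedrive.live.com/",
}

if __name__ == "__main__":
    for name, msg in (("phish", PHISH_EMAIL), ("legit", LEGIT_EMAIL)):
        print(name, assess_email(**msg))
```

The allowlist is deliberately restricted to the hosts this page names; in practice, OneDrive for Business sharing links resolve to tenant-specific sharepoint.com hosts, so extend ALLOWED_LINK_HOSTS for your own tenant before relying on it. The URL check only sees the first hop of a redirect chain, which is exactly what hovering over the link shows you, so a tracking host in front of a lookalike page is reported as a non-Microsoft link rather than as the final destination.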
How to protect yourself
- Manage OneDrive storage directly by right-clicking the OneDrive icon in the taskbar and choosing Settings, or at onedrive.live.com — never via an email link.
- Enable Microsoft's passwordless sign-in or use a hardware security key to protect your Microsoft account.
- For Microsoft 365 business accounts, ask your IT team to enable Conditional Access policies and phishing-resistant MFA.
- If you entered credentials, immediately sign in to account.microsoft.com from a known-good device and change your password, then review recent sign-in activity.
- Use Microsoft Defender for Office 365 or a third-party email gateway that scans links at click time.
How to report it
- Report the phishing email using the 'Report Message' button in Outlook (mark as Phishing) or forward to [email protected].
- Report the fraudulent website to Microsoft at microsoft.com/en-us/wdsi/support/report-unsafe-site.
- US users: report to the FTC at ReportFraud.ftc.gov.
- Business victims should also notify their IT security team and file a report with the NCSC (UK) or CISA (US).
Frequently asked questions
How do I check my real OneDrive storage?
Click the OneDrive cloud icon in the Windows system tray, go to Settings > Account, and your storage quota is displayed there. You can also visit onedrive.live.com and check the storage indicator in the lower-left corner.
Are all OneDrive file-share notification emails dangerous?
No — Microsoft does send legitimate sharing notifications. Always verify by checking the sender address is from @microsoft.com or @sharepointonline.com and by navigating to OneDrive directly rather than clicking the email link.
My Microsoft 365 account was compromised — what are the immediate steps?
Change your password immediately at account.microsoft.com. Revoke all active sessions under Security > Sign-in activity. Notify your IT administrator. If business email was accessed, preserve logs and consider engaging an incident response team.