Native Phishing: Hackers Exploit Legitimate Microsoft 365 Apps

Hackers don’t always need an exploit to hack you. Sometimes, all it takes is trust.

The attack landscape has evolved—just like generations have. Generation Z, known for always seeking the fastest and most convenient way, is already playing in the big leagues of cybersecurity… on both sides. Some work to protect data and systems; others, to steal them.

With the arrival of artificial intelligence and no-code platforms, creating convincing phishing campaigns is easier than ever. Today, attackers blend built-in trusted tools with free, legitimate services to bypass both technical defenses and their victims’ internal alarms.

Sure, the old trick of sending a malicious email attachment is still around, but it’s no longer their only card to play. Now, criminals also share infected links or files within the organization itself, using integrated collaboration features in platforms like Microsoft 365… and that’s where what we call native phishing comes into play.

Native phishing delivers dangerous content through a channel so familiar it appears completely legitimate. For example: a file sent via OneDrive or SharePoint. It’s not scanned like an email attachment, it comes through a trusted system, and to make matters worse, it’s an uncommon method—making it even harder to detect.

The worrying part is that it all starts with a single compromised internal user. From there, the entire company’s security is at risk.

In this article, we’ll review real cases where an attacker gained control of a Microsoft 365 account and, combining AI with no-code tools, launched native phishing attacks that went almost unnoticed.

OneNOT: How Attackers Are Taking Advantage of OneNote

Microsoft OneNote is often the forgotten sheep of the Microsoft 365 family. It’s a great tool for taking notes, organizing ideas, and collaborating, but precisely because it flies under the radar of many security teams, it has become a new favorite toy for cybercriminals.

Unlike Word or Excel, OneNote doesn’t allow VBA macros, which might make it seem safer. However, there has been a notable surge in its use for phishing attacks, and there are several strong reasons for this:

1. It’s not limited by Protected View, so content opens directly without that annoying “protected view” warning.

2. Its format is highly flexible, allowing attackers to create layouts that look legitimate but hide traps.

3. It can embed malicious files or links, camouflaged among notes, images, or fake buttons.

And to top it off, OneNote comes pre-installed and trusted in most companies. That means attackers can use it as a legitimate delivery channel, replacing old macros with much more effective social engineering techniques to bypass traditional defenses.

In short: what used to be just a simple note-taking app is now a disguised backdoor that slips under the radar of many security teams.

OneNote, OneDrive… and Far Too Many Victims

In some of the most recent cases, attackers didn’t need sophisticated technical tricks to wreak havoc. The pattern is simple but effective.

First, the cybercriminal obtains a Microsoft 365 employee’s credentials through a phishing attack. With that door open, they enter the account and create a OneNote file inside the compromised user’s Personal Documents folder on OneDrive.

The trick? Inside that file, they embed a lure URL that leads to the next stage of the attack. This way, what appears to be an internal, trusted file becomes the first step in a phishing chain capable of putting the entire organization at risk.

In most phishing attempts, attackers rely on external email addresses to mimic classic Microsoft notifications: “Someone has shared a file with you.”
This trick is usually relatively easy to spot for trained users and, in many cases, security filters block it by analyzing headers and verifying the sender.

But in this case, the attacker chose a simpler—and far more effective—route. Instead of forging a notification, they directly used OneDrive’s built-in file-sharing feature, leveraging an already compromised user account.

The result was devastating: hundreds of people within the organization received a legitimate Microsoft email, apparently sent by a coworker. The message included a “safe” link to a file hosted inside the corporate OneDrive itself, making it extremely convincing and virtually invisible to security systems.

This way, the attacker managed to spread the phishing laterally, using a service everyone trusted as a Trojan horse.

Phishing site that mimics the original portal

Adobe as Bait: Phishing Disguised as a Shared Document

In recent months, a growing trend has been making life easier for cybercriminals: using free trials of no-code platforms to set up customized phishing pages in a matter of minutes.

A clear example was the fake login page created with Flazio, but it’s not the only one. We’ve also seen attacks using tools like ClickFunnels and JotForm which, while legitimate and intended for businesses, have become a perfect resource for scammers.

In several cases, attackers hosted pages that mimicked Adobe notifications with messages like “Click to view the document.” Upon clicking, the victim was redirected to a fake login screen specifically designed to steal credentials.

The appeal for attackers is obvious: these platforms offer them an easy, fast, and free way to create and host phishing content, without advanced technical skills and with a professional appearance that’s hard to suspect.

Phishing page created in JotForm

Read more: Scam Designs: How Hackers Use UX/UI to Trick You

What Can You Do Today to Stop Phishing?

If you want to minimize the risk of identity spoofing and attacks that use OneNote as a channel, start applying these best practices right now:

1. Enable MFA and conditional access for all users. This way, even if a password is stolen, attackers won’t be able to log in without the second verification.

2. Run regular phishing and vishing simulations (yes, include top management) to train the whole team and test reactions to real-world scenarios.

3. Make it easy to report suspicious activity by ensuring internal incident reporting channels are clear, fast, and accessible to everyone.

4. Review and adjust Microsoft 365 sharing settings to prevent internal files from being exposed more than necessary.

5. Set up alerts for unusual sharing behavior and keep an eye on traffic to known no-code site builders that could be used for phishing.

Attackers’ tactics are constantly evolving, and our defenses must evolve just as quickly. Understanding how they exploit trust and leverage modern tools is key to staying ahead. In the end, it’s not just about securing systems—it’s about protecting the people who use them every day.

How Can TecnetProtect Help Protect You from Phishing and Other Threats?

When a phishing campaign hits your organization, speed of response is everything—and that’s where TecnetProtect makes the difference.

TecnetProtect not only offers secure cloud backups, but also integrates advanced cyber protection capable of monitoring user activity, data flows, and access in real time. This instant visibility allows you to detect suspicious behavior before the damage becomes irreversible.

In addition, its cyber forensic investigation capabilities make it easier to trace how an attack started, which users or systems were compromised, and what data might be at risk. In short, you can assess the impact quickly and accurately, enabling you to respond and contain the threat without wasting time.

With TecnetProtect, you don’t just recover information after an incident—you have an active defense that helps you prevent, detect, and respond to increasingly sophisticated phishing campaigns.