FBI Alert on Outlook and OneDrive: What You Need to Know



If you've been online at all this morning, you've probably seen "FBI alert Outlook OneDrive" climbing the trending lists. I first spotted it while checking the news with my coffee, and honestly, I almost scrolled past. There's always some new cyber threat making the rounds. But then I read the actual advisory, and this one stopped me cold.

The FBI and CISA dropped a joint alert earlier today—officially tagged as Alert Number I-052926-PSA—and the numbers are sobering. In the past 72 hours alone, more than 120,000 Microsoft 365 accounts were taken over in the United States. We're not talking about some exotic government hack either. This is a direct assault on Outlook email and OneDrive cloud storage, two services millions of Americans rely on every single day for work, school, and managing their personal lives.

So why is this suddenly everywhere? Because the attack is clever, it's spreading fast, and it's catching people who thought they were doing everything right.

How the Attack Actually Works

The attackers are using what's called an Adversary-in-the-Middle phishing kit, or AiTM for short. Without drowning you in jargon, here's the simple version: they send you an email that looks exactly like a legitimate Microsoft notification. I mean pixel-perfect. It might say someone shared a secure file with you via OneDrive, or that you missed a Teams voicemail. You click the link, land on a page that looks precisely like the Microsoft login screen, and type in your credentials.

Here's where it gets sneaky. When you approve the multi-factor authentication prompt on your phone, the fake site captures the session token that Microsoft issues to your browser. That token is basically a digital badge that says you're already logged in. The attackers grab it, and from that moment on, they can log in as you without ever needing your password. If you're like most people and you approve MFA pings almost on autopilot, you might not realize anything happened until it's too late.

Once they're inside your account, it's open season. They can read every email in your inbox, rifle through your OneDrive folders, set up hidden forwarding rules that copy your future messages to an external address, and even encrypt your files and demand a ransom to unlock them. The FBI alert specifically mentions three attack patterns going wild right now: the fake OneDrive sharing email, the missed voicemail or fax scam that tricks you into granting OAuth app permissions, and compromised accounts sending malicious macro-loaded documents to the victim's own contacts.

Who's Being Targeted?

The advisory notes that healthcare, legal, tech, and creative professionals are getting hit disproportionately, but this isn't some narrow corporate problem. The campaign is also sweeping through regular people who use OneDrive to store tax returns, family photos, estate documents, and years of personal records. Think about everything sitting in your own OneDrive right now. That's what's at stake. I've heard from several people around the country this week—not techies, just normal folks—who clicked a fake shared file link and watched their folders start encrypting within hours. The attackers demanded payment in Bitcoin, and because OneDrive syncs so aggressively across devices, the corrupted files spread to their local machines, too.

The FBI also warns that attackers are rotating domains and IP addresses every few hours, making it hard for email filters to keep up. That's a big part of why this blew up into a nationwide alert overnight.

Before Anything Else, Check Your Account

If there's even a small chance you clicked something questionable recently, here are three things the FBI wants you to do right now.

First, go to account.microsoft.com/security and review your sign-in activity. Look for any login from a location or device you don't recognize. While you're there, click into "Apps and services" and remove anything you don't explicitly use. Attackers often trick people into granting consent to apps with names like "Outlook Web Access" or "OneDrive Backup Utility." If you don't remember adding it, revoke it immediately.

Second, open OneDrive in your browser, click "Shared" on the left sidebar, and see if any files or folders are being shared with email addresses you don't know. This is a common way attackers quietly pull data out of your account without setting off obvious alarms.

Third, dig into your Outlook settings and check your inbox rules. Look for any forwarding rules that send copies of your email to Gmail, Protonmail, or any address that isn't yours. These rules can stay hidden for weeks, intercepting password reset links and other sensitive messages.
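The third check can be automated once the rules are exported. The sketch below is an added example, not part of the FBI advisory or any Microsoft tool: it assumes the rules are in the JSON shape Microsoft Graph uses for inbox message rules, and the sample rules, addresses and the contoso.example domain are constructed.

```python
import json

# Constructed sample in the shape Microsoft Graph returns for
# GET /me/mailFolders/inbox/messageRules (all values made up).
SAMPLE_RULES = json.loads("""
{"value": [
  {"displayName": "Newsletters", "isEnabled": true,
   "actions": {"moveToFolder": "constructed-folder-id"}},
  {"displayName": ".", "isEnabled": true,
   "conditions": {"bodyOrSubjectContains": ["password", "invoice"]},
   "actions": {"forwardTo": [{"emailAddress": {"address": "constructed.sample@gmail.com"}}],
               "markAsRead": true}},
  {"displayName": "To my alias", "isEnabled": true,
   "actions": {"redirectTo": [{"emailAddress": {"address": "Me@Contoso.example"}}]}},
  {"displayName": "old", "isEnabled": false,
   "actions": {"forwardAsAttachmentTo": [{"emailAddress": {"address": "constructed.sample@protonmail.com"}}],
               "delete": true}}
]}
""")["value"]

FORWARD_KEYS = ("forwardTo", "forwardAsAttachmentTo", "redirectTo")
HIDE_KEYS = ("delete", "permanentDelete", "markAsRead", "moveToFolder")

def audit_rules(rules, own_domains):
    """Return one finding per rule that sends mail to a domain not in own_domains."""
    own = {d.lower() for d in own_domains}
    findings = []
    for rule in rules:
        actions = rule.get("actions") or {}
        external = []
        for key in FORWARD_KEYS:
            for rcpt in actions.get(key) or []:
                addr = (rcpt.get("emailAddress") or {}).get("address", "")
                if addr.rpartition("@")[2].lower() not in own:
                    external.append(addr)
        if external:
            findings.append({
                "rule": rule.get("displayName", ""),
                # Disabled rules are still reported: they show past tampering.
                "enabled": bool(rule.get("isEnabled")),
                "external": external,
                # Forwarding plus delete/mark-read/move keeps the copy out of sight.
                "hides_mail": any(actions.get(k) for k in HIDE_KEYS),
            })
    return findings

if __name__ == "__main__":
    for finding in audit_rules(SAMPLE_RULES, {"contoso.example"}):
        print(finding)
```

A rule that both forwards externally and marks as read or deletes the original deserves the closest look, because the mailbox owner never sees the message it copied.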

Locking Things Down for Good

Once you've checked for damage, take these five steps to harden your account. They're straightforward, and they won't take more than ten minutes.

  • Revoke suspicious OAuth apps. If you see anything in your Microsoft account's app list that you don't recognize, delete it. No hesitation.
  • Re-authenticate everywhere. Sign out of Outlook and OneDrive on every device—your phone, laptop, tablet, everything. Then sign back in fresh. This invalidates any session tokens that might have been stolen.
  • Upgrade your MFA. Simple push notifications that just ask you to "Approve" are being heavily exploited. Switch to the Microsoft Authenticator app with number matching, or even better, use a FIDO2 hardware security key. It's a small change that completely blocks this kind of token theft.
  • Enable OneDrive ransomware protection. OneDrive has a built-in feature that can detect mass file changes and let you roll everything back to a clean state. Make sure it's turned on in your OneDrive settings.
  • Hover before you click. Anytime you get a shared file email, hover your cursor over the sender's name or the link. If the actual domain looks off—think "microsoftonline.co" instead of "microsoft.com"—delete the message. Report the phishing attempt to the FBI's Internet Crime Complaint Center at ic3.gov.
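
The hover check in the last bullet comes down to reading the real hostname of the link. This added example (not from the advisory) shows the comparison a mail filter or a careful reader performs; the trusted-domain list is an assumption to adjust, and the sample links are constructed.

```python
from urllib.parse import urlsplit

# Assumption: domains you expect Microsoft sign-in and sharing links to use.
TRUSTED = ("microsoft.com", "microsoftonline.com", "live.com",
           "office.com", "sharepoint.com")

def classify_link(url, trusted=TRUSTED):
    """Classify a link by its real hostname: trusted, lookalike, userinfo,
    not-https, untrusted or malformed."""
    try:
        parts = urlsplit(url.strip())
        host = (parts.hostname or "").rstrip(".").lower()
    except ValueError:
        return "malformed"
    if not host:
        return "malformed"
    if parts.scheme != "https":
        return "not-https"
    # "https://login.microsoft.com@other.example/" really goes to other.example.
    if "@" in parts.netloc:
        return "userinfo"
    # Exact match or a true subdomain; a bare endswith(base) would also
    # accept a host such as "evilmicrosoft.com".
    if any(host == b or host.endswith("." + b) for b in trusted):
        return "trusted"
    # A trusted brand label inside an untrusted host is the look-alike pattern.
    if any(b.split(".")[0] in host for b in trusted):
        return "lookalike"
    return "untrusted"

# Constructed sample links (the .example hosts are placeholders).
SAMPLES = [
    "https://login.microsoftonline.com/common/",
    "https://login.microsoftonline.co/shared/file",
    "https://microsoft.com.files-share.example/login",
    "https://login.microsoft.com@files-share.example/",
    "http://login.live.com/",
]

if __name__ == "__main__":
    for link in SAMPLES:
        print(f"{classify_link(link):10} {link}")
```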


What Microsoft and the FBI Are Doing

Microsoft has already released an emergency update to Microsoft 365 Defender that flags the known phishing infrastructure driving this campaign. They're also shortening the lifespan of session tokens associated with suspicious activity. But the FBI has been clear: the threat isn't contained. The attackers are moving fast, switching domains constantly, and refining their social engineering. No software update alone is going to make you bulletproof.

The Bottom Line

The "FBI Alert Outlook OneDrive" trend isn't just another flash in the pan. It's a real, ongoing attack that's already compromised a staggering number of American accounts. Whether you're a student, a small business owner, a retiree, or anyone in between, your inbox and cloud files are exactly what these attackers are after. Give your account ten minutes of attention today. Hover over links. Verify strange sharing emails through a different channel before clicking. And keep an offline backup of anything you truly can't afford to lose. In 2026, the difference between a close call and a full-blown compromise can come down to a single rushed click.
Stay sharp out there.
