The OneNote Supply Chain Phishing Attack
The CEO you've been negotiating with for months finally sends the signed contracts. A OneNote link, just like he always uses. But attackers have been reading his emails for weeks – and this message didn't come from him. See how business relationships become attack vectors when threat actors hijack trusted communications.
What You'll Learn
- Understand supply chain phishing attacks
- Identify Unicode homograph attacks
- Apply verification best practices for file-sharing links
- Recognize time-based manipulation tactics
Training Steps
- Introduction: Waiting for Critical Contract Documents
You are Alice Martinez, a Senior Account Manager at TechCorp Solutions. For two months, you've been working with Bob Chen, CEO of DataFlow Analytics, on a $500,000 annual contract renewal. Bob promised to send signed contract documents this week, but they haven't arrived yet. Your legal team and manager have been asking for these documents daily - the deal can't close without Bob's signature. It's Friday afternoon, 4:45 PM. You check your email one last time before the weekend, hoping Bob finally sent the contracts.
- The Long-Awaited Email Arrives
A new message from Bob Chen appears at the top of your inbox! Subject: 'Signed Contract Documents - Final Version.' After weeks of waiting, Bob has finally sent the documents. You can finalize the deal over the weekend and announce the contract renewal Monday. There's a link to a OneNote file - Bob's company often shares documents via OneDrive, so this seems normal.
- Opening the Contract Link
You don't hesitate. The email looks completely legitimate - it's from Bob's DataFlow Analytics address, mentions the board approval delay he told you about, and the subject matches exactly what you've been expecting. You click the link. Your browser opens to what appears to be a OneDrive page with a OneNote document preview. The page looks exactly like Microsoft's interface - same branding, colors, and layout. There's a document preview showing a contract with signatures and corporate letterhead.
- The Sign-In Request
The page displays a Microsoft sign-in form. This is normal - you often authenticate when accessing documents shared by external partners. The page has proper Microsoft branding and looks exactly like the authentication page you see dozens of times per week when external clients share files.
- Entering Your Credentials
The login form appears with familiar Microsoft styling. You've authenticated on shared OneDrive links hundreds of times before. You type in your work email and password without hesitation - you need these contracts for the legal team Monday morning. It's 4:50 PM Friday and you want to review the documents over the weekend.
- Something Goes Wrong
After entering your credentials, the page shows a loading spinner, then displays 'Connection timed out.' You try accessing your company email - suddenly you're asked to sign in again. 'Invalid credentials.' Your stomach drops. You try OneDrive - same problem. You're locked out. The horrifying truth hits you: that wasn't the real OneDrive. It was a sophisticated fake page designed to steal credentials. You just gave attackers your work email, password, and access to your company's entire Microsoft 365 system. They immediately logged into your real account and changed your password, locking you out.
- Emergency: Calling IT Security
You immediately call the IT Security hotline. After several rings, you leave an urgent voicemail explaining you've been phished and are locked out. Your hands shake as you wait. The attackers have access to sensitive client information, financial data, and internal documents. Two minutes later, your desk phone rings - IT Security is calling back.
- The Security Team Response
The IT Security team is calling back to help lock down your account and assess the damage. They need to act quickly to minimize the breach.
- The Damage Assessment: Six Critical Minutes
Within two minutes, security forced a password reset and kicked the attackers out. But the damage is done. Compromised data includes signed contracts with pricing, financial projections, client PII, proprietary technical documents, and private negotiations. This data could be sold to competitors, leaked publicly, or used for further attacks.
- Reporting the Phishing Email
With the crisis contained, report the malicious email. The 'Report Phishing' feature helps security analyze headers, block sender domains, identify other targeted employees, and share threat intelligence.
Knowledge Check Questions
This training includes a 9-question quiz to test your understanding of OneNote Email Attack threats and defenses.
- What made this phishing attack particularly sophisticated and difficult to detect?
- How did the attackers make the fake email domain appear identical to the legitimate DataFlow Analytics domain?
- What information did the attackers gather during their reconnaissance phase that made the phishing email so convincing?
- What should Alice have done BEFORE clicking the link to view the contract documents?
- What was the biggest clue that the OneDrive login page was fake?
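As an added illustration of the homograph and link-verification objectives listed above (example code written for this page, not part of the original training; the partner domain, the Cyrillic look-alike, and the trusted-host allowlist are constructed assumptions), this check flags a sender domain that only looks like the expected one and rejects file-share links whose host is not on the allowlist:

```python
import unicodedata
from urllib.parse import urlparse

# Constructed samples: the partner's real domain and a look-alike in which the Latin "o"
# of "dataflow" is replaced by Cyrillic small letter o (U+043E), which renders identically.
EXPECTED_DOMAIN = "dataflowanalytics.com"
LOOKALIKE_DOMAIN = "datafl\u043ewanalytics.com"

# Assumed organisational allowlist of hosts that legitimately serve partner file shares.
TRUSTED_SHARE_HOSTS = ("onedrive.live.com", "1drv.ms", "sharepoint.com")

def to_punycode(domain):
    """Wire form a mail server sees for an internationalised domain (xn-- labels)."""
    return domain.encode("idna").decode("ascii")

def from_punycode(domain):
    """Decode xn-- labels back to Unicode so the displayed form can be inspected."""
    return domain.encode("ascii").decode("idna")

def skeleton(domain):
    """Heuristic confusable fold: single-letter Cyrillic/Greek letter names map to Latin."""
    out = []
    for ch in domain:
        name = unicodedata.name(ch, "UNKNOWN")
        if ord(ch) < 128:
            out.append(ch.lower())
        elif "SMALL LETTER" in name and len(name.split()[-1]) == 1:
            out.append(name.split()[-1].lower())  # e.g. CYRILLIC SMALL LETTER O -> "o"
        else:
            out.append(ch)
    return "".join(out)

def sender_domain_flags(address, expected_domain):
    """Return a list of warnings for the domain part of a From: address."""
    domain = address.rsplit("@", 1)[-1].lower()
    flags = []
    if any(label.startswith("xn--") for label in domain.split(".")):
        flags.append("punycode")
        domain = from_punycode(domain)
    scripts = {unicodedata.name(c, "UNKNOWN").split()[0] for c in domain if c.isalpha()}
    if len(scripts) > 1:
        flags.append("mixed-script")       # Latin and Cyrillic letters in one domain
    if domain != expected_domain and skeleton(domain) == expected_domain:
        flags.append("lookalike")          # visually identical to the expected domain
    return flags

def link_host_trusted(url):
    """True only when the link's host is an allowlisted share host or a subdomain of one."""
    host = (urlparse(url).hostname or "").lower()
    if any(label.startswith("xn--") for label in host.split(".")):
        return False  # IDN hosts are not expected from these providers
    return any(host == h or host.endswith("." + h) for h in TRUSTED_SHARE_HOSTS)
```

A mail gateway or a user-facing banner can surface these flags before the recipient clicks; the skeleton fold is deliberately simple and covers only single-letter confusables.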