# onedrivecopilot.sbs — MALICIOUS > onedrivecopilot.sbs lures users with fake Microsoft OneDrive alerts to steal Office 365 credentials. Avoid this Lookaside block: 7 of 95 VirusTotal engines. ## Summary PhishDestroy identifies onedrivecopilot.sbs as an active mega-cloud scam hosting a Microsoft-branded phishing landing page. The threat type is generic phishing aimed at harvesting corporate Office 365 credentials under the guise of a OneDrive Copilot upgrade prompt. Risk level is elevated because the domain masquerades as a legitimate Microsoft service and leverages a Lookaside-blocked IP to harvest live credentials, which can be weaponized within hours for account takeover and data exfiltration. This domain was flagged by 7 of 95 VirusTotal security vendors, registered on March 30 2026 through Dynadot LLC, and resolves to IP 3.129.44.31. It obtained a Let’s Encrypt SSL certificate to appear trustworthy, and its recent creation date allows it to evade some blocklists before accumulating reputation. Unlike many generic phishing domains, this one combines a plausible lures (Copilot upgrade), fresh infrastructure (March 30 creation), and hosting on AWS (IP 3.129.44.31) to maximize dwell time and victim interaction. Mitigation starts with DNS blocking of the domain and IP. Users encountering this page should close the browser immediately, clear cached credentials in their password manager, and enable multi-factor authentication on all Microsoft 365 accounts. Report the domain to your security team and to Microsoft via secure@microsoft.com so they can add the indicator to their phishing intelligence feeds. ## Threat Details - Verdict: MALICIOUS - Site status: unknown (HTTP ?) ## Domain Intelligence - Registered: 2026-03-30 15:34:17 - Registrar: Dynadot LLC - IP: 3.129.44.31 ## Detection Status - VirusTotal: 7 vendors flagged - Google Safe Browsing: clean - Blocklists: 0 hits ## Evidence - Cloudflare Radar: https://radar.cloudflare.com/scan/215ada98-d49f-48d1-8269-8c66641ef516 - PhishDestroy: https://phishdestroy.io/domain/onedrivecopilot.sbs/ - LLM endpoint: https://phishdestroy.io/domain/onedrivecopilot.sbs/llm.txt ## If You Visited This Site 1. Change any passwords you may have entered 2. Enable 2FA on all related accounts 3. Monitor your accounts for unauthorized activity 4. Report to: FBI IC3, Europol, local authorities --- Report by PhishDestroy | https://phishdestroy.io/domain/onedrivecopilot.sbs/ Last updated: 2026-04-01