Attackers create a shareable link for OneDrive files which use the 1drv.ms domain. The download link for the file is hosted on *.1drv.com. The link is then utilized to phish users and have them download malware.
Command and Control
Attackers can upload files onto OneDrive and use the generated 1drv.com links to download the additional tools.