Phishing
Attackers create a shareable link for OneDrive files which use the 1drv.ms domain. Upon clicking on the link it is exapnded to onedrive.live.com. The link is then utilized to phish users and have them download malware. Alternatively, phishing pages are create using OneNote and shared with users in hopes of clicking on a link that redirects them to a malicious domain.